1204 files changed, 17040 insertions, 15378 deletions

diff --git a/Android.common.mk b/Android.common.mk
index 3c71998e6..8e435982c 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
               )
 
 # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.7.1"
+strongswan_VERSION := "5.7.2"
 
diff --git a/ChangeLog b/ChangeLog
index 53a9ec244..3e5641cba 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,5 @@
 A summary of changes is available in the NEWS file. For a more
-detailed Changelog, use the repository (see HACKING) or the
-online interface available at http://git.strongswan.org.
+detailed Changelog, refer to the completed versions on the project's roadmap
+(https://wiki.strongswan.org/projects/strongswan/roadmap) or use the Git
+repository (see HACKING) or its web interface available at
+https://git.strongswan.org.
diff --git a/Doxyfile.in b/Doxyfile.in
index 6c59d86c9..a1f3f8819 100644
--- a/Doxyfile.in
+++ b/Doxyfile.in
@@ -1789,18 +1789,6 @@ GENERATE_XML           = NO
 
 XML_OUTPUT             = xml
 
-# The XML_SCHEMA tag can be used to specify a XML schema, which can be used by a
-# validating XML parser to check the syntax of the XML files.
-# This tag requires that the tag GENERATE_XML is set to YES.
-
-XML_SCHEMA             =
-
-# The XML_DTD tag can be used to specify a XML DTD, which can be used by a
-# validating XML parser to check the syntax of the XML files.
-# This tag requires that the tag GENERATE_XML is set to YES.
-
-XML_DTD                =
-
 # If the XML_PROGRAMLISTING tag is set to YES doxygen will dump the program
 # listings (including syntax highlighting and cross-referencing information) to
 # the XML output. Note that enabling this will significantly increase the size
diff --git a/Makefile.am b/Makefile.am
index 54b822050..958edc6fe 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -24,6 +24,11 @@ config_includedir = $(ipseclibdir)/include
 nodist_config_include_HEADERS = config.h
 endif
 
+# we can't (and shouldn't) install/uninstall system files during make distcheck,
+# so override the autodetected path for systemd units
+AM_DISTCHECK_CONFIGURE_FLAGS = \
+	--with-systemdsystemunitdir='$$(prefix)/lib/systemd/system'
+
 # we leave config files behind intentionally so prevent distcheck from complaining
 distuninstallcheck_listfiles = find . -type f \! -name '*.conf' \! -name '*.secrets' -print
 
diff --git a/Makefile.in b/Makefile.in
index 7e06889c9..bbb0d4c1d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -492,6 +492,12 @@ MAINTAINERCLEANFILES = Android.common.mk
 @USE_DEV_HEADERS_TRUE@config_includedir = $(ipseclibdir)/include
 @USE_DEV_HEADERS_TRUE@nodist_config_include_HEADERS = config.h
 
+# we can't (and shouldn't) install/uninstall system files during make distcheck,
+# so override the autodetected path for systemd units
+AM_DISTCHECK_CONFIGURE_FLAGS = \
+	--with-systemdsystemunitdir='$$(prefix)/lib/systemd/system'
+
+
 # we leave config files behind intentionally so prevent distcheck from complaining
 distuninstallcheck_listfiles = find . -type f \! -name '*.conf' \! -name '*.secrets' -print
 all: $(BUILT_SOURCES) config.h
diff --git a/NEWS b/NEWS
index 18bf7e3db..b95b0fcf4 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,53 @@
+strongswan-5.7.2
+----------------
+
+- Private key implementations may optionally provide a list of supported
+  signature schemes, which is used by the tpm plugin because for each key on a
+  TPM 2.0 the hash algorithm and for RSA also the padding scheme is predefined.
+
+- For RSA with PSS padding, the TPM 2.0 specification mandates the maximum salt
+  length (as defined by the length of the key and hash).  However, if the TPM is
+  FIPS-168-4 compliant, the salt length equals the hash length.  This is assumed
+  for FIPS-140-2 compliant TPMs, but if that's not the case, it might be
+  necessary to manually enable charon.plugins.tpm.fips_186_4 if the TPM doesn't
+  use the maximum salt length.
+
+- swanctl now accesses directories for credentials relative to swanctl.conf, in
+  particular, when it's loaded from a custom location via --file argument.  The
+  base directory that's used if --file is not given is configurable at runtime
+  via SWANCTL_DIR environment variable.
+
+- With RADIUS Accounting enabled, the eap-radius plugin adds the session ID to
+  Access-Request messages, simplifying associating database entries for IP
+  leases and accounting with sessions.
+
+- IPs assigned by RADIUS servers are included in Accounting-Stop even if clients
+  don't claim them, allowing releasing them early on connection errors.
+
+- Selectors installed on transport mode SAs by the kernel-netlink plugin are
+  updated on IP address changes (e.g. via MOBIKE).
+
+- Added support for RSA signatures with SHA-256 and SHA-512 to the agent plugin.
+  For older versions of ssh/gpg-agent that only support SHA-1, IKEv2 signature
+  authentication has to be disabled via charon.signature_authentication.
+
+- The sshkey and agent plugins support Ed25519/Ed448 SSH keys and signatures.
+
+- The openssl plugin supports X25519/X448 Diffie-Hellman and Ed25519/Ed448 keys
+  and signatures when built against OpenSSL 1.1.1.
+
+- Ed25519, ChaCha20/Poly1305, SHA-3 and AES-CCM were added to the botan plugin.
+
+- The mysql plugin now properly handles database connections with transactions
+  under heavy load.
+
+- IP addresses in HA pools are now distributed evenly among all segments.
+
+- On newer FreeBSD kernels, the kernel-pfkey plugin reads the reqid directly
+  from SADB_ACQUIRE messages, i.e. not requiring previous policy installation by
+  the plugin, e.g. for compatibility with if_ipsec(4) VTIs.
+
+
 strongswan-5.7.1
 ----------------
 
@@ -1031,7 +1081,7 @@ strongswan-5.0.3
   charon-tkm does not result in the compromise of cryptographic keys.
   The extracted functionality has been implemented from scratch in a minimal TCB
   (trusted computing base) in the Ada programming language. Further information
-  can be found at http://www.codelabs.ch/tkm/.
+  can be found at https://www.codelabs.ch/tkm/.
 
 strongswan-5.0.2
 ----------------
@@ -1169,7 +1219,7 @@ strongswan-5.0.0
   pluto, but currently does not support AH or bundled AH+ESP SAs. Beside
   RSA/ECDSA, PSK and XAuth, charon also supports the Hybrid authentication
   mode. Information for interoperability and migration is available at
-  http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1.
+  https://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1.
 
 - Charon's bus_t has been refactored so that loggers and other listeners are
   now handled separately.  The single lock was previously cause for deadlocks
@@ -1600,7 +1650,7 @@ strongswan-4.4.0
 - The IKEv2 High Availability plugin has been integrated. It provides
   load sharing and failover capabilities in a cluster of currently two nodes,
   based on an extend ClusterIP kernel module. More information is available at
-  http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability.
+  https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability.
   The development of the High Availability functionality was sponsored by
   secunet Security Networks AG.
 
@@ -2308,7 +2358,7 @@ strongswan-4.1.7
 
 - Preview of strongSwan Manager, a web based configuration and monitoring
   application. It uses a new XML control interface to query the IKEv2 daemon
-  (see http://wiki.strongswan.org/wiki/Manager).
+  (see https://wiki.strongswan.org/wiki/Manager).
 
 - Experimental SQLite configuration backend which will provide the configuration
   interface for strongSwan Manager in future releases.
diff --git a/README b/README
index 8d8febede..a19caf37a 100644
--- a/README
+++ b/README
@@ -9,7 +9,7 @@ which uses the modern [**vici**](src/libcharon/plugins/vici/README.md) *Versatil
 IKE Configuration Interface*. The deprecated **ipsec** command using the legacy
 **stroke** configuration interface is described [**here**](README_LEGACY.md).
 For more detailed information consult the man pages and
-[**our wiki**](http://wiki.strongswan.org).
+[**our wiki**](https://wiki.strongswan.org).
 
 
 ## Quickstart ##
diff --git a/TODO b/TODO
index 186d4d02b..41ea04099 100644
--- a/TODO
+++ b/TODO
@@ -4,5 +4,5 @@
 
 A roadmap of the strongSwan project is available online at:
 
-        http://wiki.strongswan.org/projects/strongswan/roadmap
+        https://wiki.strongswan.org/projects/strongswan/roadmap
 
diff --git a/conf/plugins/tpm.conf b/conf/plugins/tpm.conf
index 1be961e89..91d533a1e 100644
--- a/conf/plugins/tpm.conf
+++ b/conf/plugins/tpm.conf
@@ -1,5 +1,9 @@
 tpm {
 
+    # Is the TPM 2.0 FIPS-186-4 compliant, forcing e.g. the use of the default
+    # salt length instead of maximum salt length with RSAPSS padding.
+    # fips_186_4 = no
+
     # Whether to load the plugin. Can also be an integer to increase the
     # priority of this plugin.
     load = yes
diff --git a/conf/plugins/tpm.opt b/conf/plugins/tpm.opt
index df7adb098..06c88861e 100644
--- a/conf/plugins/tpm.opt
+++ b/conf/plugins/tpm.opt
@@ -1,6 +1,10 @@
 charon.plugins.tpm.use_rng = no
 	Whether the TPM should be used as RNG.
 
+charon.plugins.tpm.fips_186_4 = no
+	Is the TPM 2.0 FIPS-186-4 compliant, forcing e.g. the use of the default
+	salt length instead of maximum salt length with RSAPSS padding.
+
 charon.plugins.tpm.tcti.name = device|tabrmd
 	Name of TPM 2.0 TCTI library. Valid values: _tabrmd_, _device_ or _mssim_.
 	Defaults are _device_ if the _/dev/tpmrm0_ in-kernel TPM 2.0 resource manager
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 486ee5af9..aea62fbae 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -1685,6 +1685,11 @@ Send an unsupported PB\-TNC message type with the NOSKIP flag set.
 Send a PB\-TNC batch with a modified PB\-TNC version.
 
 .TP
+.BR charon.plugins.tpm.fips_186_4 " [no]"
+Is the TPM 2.0 FIPS\-186\-4 compliant, forcing e.g. the use of the default salt
+length instead of maximum salt length with RSAPSS padding.
+
+.TP
 .BR charon.plugins.tpm.tcti.name " [device|tabrmd]"
 Name of TPM 2.0 TCTI library. Valid values:
 .RI "" "tabrmd" ","
diff --git a/configure b/configure
index f66cae07f..be0c1d92a 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for strongSwan 5.7.1.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.7.2.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.7.1'
-PACKAGE_STRING='strongSwan 5.7.1'
+PACKAGE_VERSION='5.7.2'
+PACKAGE_STRING='strongSwan 5.7.2'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -2108,7 +2108,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 5.7.1 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.7.2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -2179,7 +2179,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 5.7.1:";;
+     short | recursive ) echo "Configuration of strongSwan 5.7.2:";;
    esac
   cat <<\_ACEOF
 
@@ -2666,7 +2666,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 5.7.1
+strongSwan configure 5.7.2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -3188,7 +3188,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 5.7.1, which was
+It was created by strongSwan $as_me 5.7.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4051,7 +4051,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='5.7.1'
+ VERSION='5.7.2'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -23080,6 +23080,9 @@ $as_echo "$as_me: fuzz targets enabled without libFuzzer, using local driver" >&
 	else
 		# required for libFuzzer
 		FUZZING_LDFLAGS="-stdlib=libc++ -lstdc++"
+		if test "$SANITIZER" = "coverage"; then
+			FUZZING_LDFLAGS="$FUZZING_LDFLAGS -lm"
+		fi
 
 	fi
 fi
@@ -27550,7 +27553,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 5.7.1, which was
+This file was extended by strongSwan $as_me 5.7.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -27616,7 +27619,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 5.7.1
+strongSwan config.status 5.7.2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index 673393f8d..8b2f0216d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -19,7 +19,7 @@
 #  initialize & set some vars
 # ============================
 
-AC_INIT([strongSwan],[5.7.1])
+AC_INIT([strongSwan],[5.7.2])
 AM_INIT_AUTOMAKE(m4_esyscmd([
 	echo tar-ustar
 	echo subdir-objects
@@ -1292,6 +1292,9 @@ if test x$fuzzing = xtrue; then
 	else
 		# required for libFuzzer
 		FUZZING_LDFLAGS="-stdlib=libc++ -lstdc++"
+		if test "$SANITIZER" = "coverage"; then
+			FUZZING_LDFLAGS="$FUZZING_LDFLAGS -lm"
+		fi
 		AC_SUBST(FUZZING_LDFLAGS)
 	fi
 fi
diff --git a/scripts/dh_speed.c b/scripts/dh_speed.c
index f2f98d7af..235772faf 100644
--- a/scripts/dh_speed.c
+++ b/scripts/dh_speed.c
@@ -47,6 +47,7 @@ struct {
 	{"ecp192",			ECP_192_BIT},
 	{"ecp224",			ECP_224_BIT},
 	{"curve25519",		CURVE_25519},
+	{"curve448",		CURVE_448},
 };
 
 static void start_timing(struct timespec *start)
diff --git a/src/_copyright/_copyright.c b/src/_copyright/_copyright.c
index 806f78062..038e60e87 100644
--- a/src/_copyright/_copyright.c
+++ b/src/_copyright/_copyright.c
@@ -84,11 +84,9 @@ main(int argc, char *argv[])
 		case 'h':	/* help */
 			printf("%s\n", usage);
 			exit(0);
-			break;
 		case 'v':	/* version */
 			printf("%s strongSwan "VERSION"\n", me);
 			exit(0);
-			break;
 		case '?':
 		default:
 			errflg = 1;
diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c
index 1293ec4c0..e85e21d5c 100644
--- a/src/charon-cmd/charon-cmd.c
+++ b/src/charon-cmd/charon-cmd.c
@@ -348,6 +348,9 @@ int main(int argc, char *argv[])
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
 	}
+	/* register this again after loading plugins to avoid issues with libraries
+	 * that register atexit() handlers */
+	atexit(libcharon_deinit);
 	if (!lib->caps->drop(lib->caps))
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
@@ -358,9 +361,6 @@ int main(int argc, char *argv[])
 	creds = cmd_creds_create();
 	atexit(cleanup_creds);
 
-	/* handle all arguments */
-	handle_arguments(argc, argv, FALSE);
-
 	if (uname(&utsname) != 0)
 	{
 		memset(&utsname, 0, sizeof(utsname));
@@ -369,6 +369,9 @@ int main(int argc, char *argv[])
 		 VERSION, utsname.sysname, utsname.release, utsname.machine);
 	lib->plugins->status(lib->plugins, LEVEL_CTRL);
 
+	/* handle all arguments */
+	handle_arguments(argc, argv, FALSE);
+
 	/* add handler for SEGV and ILL,
 	 * INT, TERM and HUP are handled by sigwaitinfo() in run() */
 	action.sa_handler = segv_handler;
diff --git a/src/charon-systemd/charon-systemd.c b/src/charon-systemd/charon-systemd.c
index d06c26974..7d4465ebf 100644
--- a/src/charon-systemd/charon-systemd.c
+++ b/src/charon-systemd/charon-systemd.c
@@ -322,6 +322,7 @@ int main(int argc, char *argv[])
 {
 	struct sigaction action;
 	struct utsname utsname;
+	int status = SS_RC_INITIALIZATION_FAILED;
 
 	dbg = dbg_stderr;
 
@@ -345,16 +346,15 @@ int main(int argc, char *argv[])
 		sd_notifyf(0, "STATUS=integrity check of charon-systemd failed");
 		return SS_RC_INITIALIZATION_FAILED;
 	}
-	atexit(libcharon_deinit);
 	if (!libcharon_init())
 	{
 		sd_notifyf(0, "STATUS=libcharon initialization failed");
-		return SS_RC_INITIALIZATION_FAILED;
+		goto error;
 	}
 	if (!lookup_uid_gid())
 	{
 		sd_notifyf(0, "STATUS=unknown uid/gid");
-		return SS_RC_INITIALIZATION_FAILED;
+		goto error;
 	}
 	/* we registered the journal logger as custom logger, which gets its
 	 * settings from <ns>.customlog.journal, let it fallback to <ns>.journal */
@@ -370,14 +370,14 @@ int main(int argc, char *argv[])
 			lib->settings->get_str(lib->settings, "%s.load", PLUGINS, lib->ns)))
 	{
 		sd_notifyf(0, "STATUS=charon initialization failed");
-		return SS_RC_INITIALIZATION_FAILED;
+		goto error;
 	}
 	lib->plugins->status(lib->plugins, LEVEL_CTRL);
 
 	if (!lib->caps->drop(lib->caps))
 	{
 		sd_notifyf(0, "STATUS=dropping capabilities failed");
-		return SS_RC_INITIALIZATION_FAILED;
+		goto error;
 	}
 
 	/* add handler for SEGV and ILL,
@@ -401,5 +401,9 @@ int main(int argc, char *argv[])
 	sd_notifyf(0, "STATUS=charon-systemd running, strongSwan %s, %s %s, %s",
 			   VERSION, utsname.sysname, utsname.release, utsname.machine);
 
-	return run();
+	status = run();
+
+error:
+	libcharon_deinit();
+	return status;
 }
diff --git a/src/conftest/hooks/set_proposal_number.c b/src/conftest/hooks/set_proposal_number.c
index dd814ad15..3fa53680c 100644
--- a/src/conftest/hooks/set_proposal_number.c
+++ b/src/conftest/hooks/set_proposal_number.c
@@ -122,7 +122,7 @@ METHOD(listener_t, message, bool,
 			enumerator->destroy(enumerator);
 		}
 		sa = sa_payload_create_from_proposals_v2(updated);
-		list->destroy_offset(list, offsetof(proposal_t, destroy));
+		DESTROY_OFFSET_IF(list, offsetof(proposal_t, destroy));
 		updated->destroy_offset(updated, offsetof(proposal_t, destroy));
 		message->add_payload(message, (payload_t*)sa);
 	}
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index 143342ecb..d49d6cdf6 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2013-10-29" "5.7.0rc2" "strongSwan"
+.TH IPSEC 8 "2013-10-29" "5.7.2dr1" "strongSwan"
 .
 .SH NAME
 .
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index f4c01c22e..b7348f0f9 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -575,7 +575,7 @@ METHOD(bus_t, message, void,
 METHOD(bus_t, ike_keys, void,
 	private_bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
 	chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
-	ike_sa_t *rekey, shared_key_t *shared)
+	ike_sa_t *rekey, shared_key_t *shared, auth_method_t method)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -591,7 +591,8 @@ METHOD(bus_t, ike_keys, void,
 		}
 		entry->calling++;
 		keep = entry->listener->ike_keys(entry->listener, ike_sa, dh, dh_other,
-										 nonce_i, nonce_r, rekey, shared);
+										 nonce_i, nonce_r, rekey, shared,
+										 method);
 		entry->calling--;
 		if (!keep)
 		{
diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h
index df75683be..8a97e8dfc 100644
--- a/src/libcharon/bus/bus.h
+++ b/src/libcharon/bus/bus.h
@@ -353,10 +353,12 @@ struct bus_t {
 	 * @param nonce_r	responder's nonce
 	 * @param rekey		IKE_SA we are rekeying, if any (IKEv2 only)
 	 * @param shared	shared key used for key derivation (IKEv1-PSK only)
+	 * @param method	auth method for key derivation (IKEv1-non-PSK only)
 	 */
 	void (*ike_keys)(bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
 					 chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
-					 ike_sa_t *rekey, shared_key_t *shared);
+					 ike_sa_t *rekey, shared_key_t *shared,
+					 auth_method_t method);
 
 	/**
 	 * IKE_SA derived keys hook.
diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h
index 06057eb73..0f3b8578a 100644
--- a/src/libcharon/bus/listeners/listener.h
+++ b/src/libcharon/bus/listeners/listener.h
@@ -88,11 +88,13 @@ struct listener_t {
 	 * @param nonce_r	responder's nonce
 	 * @param rekey		IKE_SA we are rekeying, if any (IKEv2 only)
 	 * @param shared	shared key used for key derivation (IKEv1-PSK only)
+	 * @param method	auth method for key derivation (IKEv1-non-PSK only)
 	 * @return			TRUE to stay registered, FALSE to unregister
 	 */
 	bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
 					 chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
-					 ike_sa_t *rekey, shared_key_t *shared);
+					 ike_sa_t *rekey, shared_key_t *shared,
+					 auth_method_t method);
 
 	/**
 	 * Hook called with derived IKE_SA keys.
diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
index 644cff029..1abbf7731 100644
--- a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
+++ b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
@@ -64,6 +64,7 @@ typedef struct {
 	private_bypass_lan_listener_t *listener;
 	host_t *net;
 	uint8_t mask;
+	char *iface;
 	child_cfg_t *cfg;
 } bypass_policy_t;
 
@@ -85,6 +86,7 @@ static void bypass_policy_destroy(bypass_policy_t *this)
 		ts->destroy(ts);
 	}
 	this->net->destroy(this->net);
+	free(this->iface);
 	free(this);
 }
 
@@ -126,6 +128,7 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this)
 	enumerator_t *enumerator;
 	hashtable_t *seen;
 	bypass_policy_t *found, *lookup;
+	traffic_selector_t *ts;
 	host_t *net;
 	uint8_t mask;
 	char *iface;
@@ -146,6 +149,7 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this)
 		INIT(lookup,
 			.net = net->clone(net),
 			.mask = mask,
+			.iface = strdupnull(iface),
 		);
 		found = seen->put(seen, lookup, lookup);
 		if (found)
@@ -160,7 +164,6 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this)
 				.mode = MODE_PASS,
 			};
 			child_cfg_t *cfg;
-			traffic_selector_t *ts;
 			char name[128];
 
 			ts = traffic_selector_create_from_subnet(net->clone(net), mask,
@@ -176,6 +179,7 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this)
 			INIT(found,
 				.net = net->clone(net),
 				.mask = mask,
+				.iface = strdupnull(iface),
 				.cfg = cfg,
 			);
 			this->policies->put(this->policies, found, found);
@@ -186,11 +190,29 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this)
 	enumerator = this->policies->create_enumerator(this->policies);
 	while (enumerator->enumerate(enumerator, NULL, &lookup))
 	{
-		if (!seen->get(seen, lookup))
+		found = seen->get(seen, lookup);
+		if (!found)
 		{
 			this->policies->remove_at(this->policies, enumerator);
 			bypass_policy_destroy(lookup);
 		}
+		else if (!streq(lookup->iface, found->iface))
+		{	/* if the subnet is on multiple interfaces, we only get the last
+			 * one (hopefully, they are enumerated in a consistent order) */
+			ts = traffic_selector_create_from_subnet(
+												lookup->net->clone(lookup->net),
+												lookup->mask, 0, 0, 65535);
+			DBG1(DBG_IKE, "interface change for bypass policy for %R (from %s "
+				 "to %s)", ts, lookup->iface, found->iface);
+			ts->destroy(ts);
+			free(lookup->iface);
+			lookup->iface = strdupnull(found->iface);
+			/* there is currently no API to update shunts, so we remove and
+			 * reinstall it to update the route */
+			charon->shunts->uninstall(charon->shunts, "bypass-lan",
+									  lookup->cfg->get_name(lookup->cfg));
+			charon->shunts->install(charon->shunts, "bypass-lan", lookup->cfg);
+		}
 	}
 	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c
index 1e208d094..ecd92f2ef 100644
--- a/src/libcharon/plugins/dhcp/dhcp_socket.c
+++ b/src/libcharon/plugins/dhcp/dhcp_socket.c
@@ -489,6 +489,16 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
 	offer = host_create_from_chunk(AF_INET,
 					chunk_from_thing(dhcp->your_address), 0);
 
+	if (offer->is_anyaddr(offer))
+	{
+		server = host_create_from_chunk(AF_INET,
+					chunk_from_thing(dhcp->server_address), 0);
+		DBG1(DBG_CFG, "ignoring DHCP OFFER %+H from %H", offer, server);
+		server->destroy(server);
+		offer->destroy(offer);
+		return;
+	}
+
 	this->mutex->lock(this->mutex);
 	enumerator = this->discover->create_enumerator(this->discover);
 	while (enumerator->enumerate(enumerator, &transaction))
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
index fbbf6da83..ae1371b45 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2017 Tobias Brunner
+ * Copyright (C) 2012-2018 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -156,7 +156,7 @@ void eap_radius_build_attributes(radius_message_t *request)
 {
 	ike_sa_t *ike_sa;
 	host_t *host;
-	char buf[40], *station_id_fmt;;
+	char buf[40], *station_id_fmt, *session_id;
 	uint32_t value;
 	chunk_t chunk;
 
@@ -202,6 +202,14 @@ void eap_radius_build_attributes(radius_message_t *request)
 		host = ike_sa->get_other_host(ike_sa);
 		snprintf(buf, sizeof(buf), station_id_fmt, host);
 		request->add(request, RAT_CALLING_STATION_ID, chunk_from_str(buf));
+
+		session_id = eap_radius_accounting_session_id(ike_sa);
+		if (session_id)
+		{
+			request->add(request, RAT_ACCT_SESSION_ID,
+						 chunk_from_str(session_id));
+			free(session_id);
+		}
 	}
 }
 
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
index 92611492b..ecb2083c9 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015-2017 Tobias Brunner
+ * Copyright (C) 2015-2018 Tobias Brunner
  * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2012 Martin Willi
@@ -17,6 +17,7 @@
  */
 
 #include "eap_radius_accounting.h"
+#include "eap_radius_provider.h"
 #include "eap_radius_plugin.h"
 
 #include <time.h>
@@ -461,6 +462,37 @@ static void add_ike_sa_parameters(private_eap_radius_accounting_t *this,
 }
 
 /**
+ * Add any unclaimed IP addresses to the message
+ */
+static void add_unclaimed_ips(radius_message_t *message, ike_sa_t *ike_sa)
+{
+	eap_radius_provider_t *provider;
+	enumerator_t *enumerator;
+	host_t *vip;
+
+	provider = eap_radius_provider_get();
+	enumerator = provider->clear_unclaimed(provider,
+										   ike_sa->get_unique_id(ike_sa));
+	while (enumerator->enumerate(enumerator, &vip))
+	{
+		switch (vip->get_family(vip))
+		{
+			case AF_INET:
+				message->add(message, RAT_FRAMED_IP_ADDRESS,
+							 vip->get_address(vip));
+				break;
+			case AF_INET6:
+				message->add(message, RAT_FRAMED_IPV6_ADDRESS,
+							 vip->get_address(vip));
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
  * Add the Class attributes received in the Access-Accept message to the
  * RADIUS accounting message
  */
@@ -790,6 +822,7 @@ static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa)
 					 chunk_create(entry->sid, strlen(entry->sid)));
 		add_class_attributes(message, entry);
 		add_ike_sa_parameters(this, message, ike_sa);
+		add_unclaimed_ips(message, ike_sa);
 
 		value = htonl(entry->usage.bytes.sent);
 		message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value));
@@ -816,7 +849,6 @@ static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa)
 		value = htonl(time_monotonic(NULL) - entry->created);
 		message->add(message, RAT_ACCT_SESSION_TIME, chunk_from_thing(value));
 
-
 		value = htonl(entry->cause);
 		message->add(message, RAT_ACCT_TERMINATE_CAUSE, chunk_from_thing(value));
 
@@ -1070,8 +1102,27 @@ eap_radius_accounting_t *eap_radius_accounting_create()
 	return &this->public;
 }
 
-/**
- * See header
+/*
+ * Described in header
+ */
+char *eap_radius_accounting_session_id(ike_sa_t *ike_sa)
+{
+	entry_t *entry;
+	char *sid = NULL;
+
+	if (singleton)
+	{
+		singleton->mutex->lock(singleton->mutex);
+		entry = get_or_create_entry(singleton, ike_sa->get_id(ike_sa),
+									ike_sa->get_unique_id(ike_sa));
+		sid = strdup(entry->sid);
+		singleton->mutex->unlock(singleton->mutex);
+	}
+	return sid;
+}
+
+/*
+ * Described in header
  */
 void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, uint32_t interval)
 {
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h
index dc1edcf54..1fe1107ea 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Tobias Brunner
+ * Copyright (C) 2017-2018 Tobias Brunner
  * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2012 Martin Willi
@@ -50,6 +50,14 @@ struct eap_radius_accounting_t {
 eap_radius_accounting_t *eap_radius_accounting_create();
 
 /**
+ * Get the Accounting session ID for the given IKE_SA.
+ *
+ * @param ike_sa			IKE_SA for which to determine the session ID
+ * @return					allocated session ID
+ */
+char *eap_radius_accounting_session_id(ike_sa_t *ike_sa);
+
+/**
  * Schedule Accounting interim updates for the given IKE_SA.
  *
  * @param ike_sa			IKE_SA to send updates for
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
index 8188bb764..defabb782 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_provider.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2013 Martin Willi
  * Copyright (C) 2013 revosec AG
  *
@@ -131,7 +134,7 @@ static entry_t* get_or_create_entry(hashtable_t *hashtable, uintptr_t id)
 }
 
 /**
- * Put an entry to hashtable, or destroy it ife empty
+ * Put an entry to hashtable, or destroy it if empty
  */
 static void put_or_destroy_entry(hashtable_t *hashtable, entry_t *entry)
 {
@@ -494,6 +497,24 @@ METHOD(eap_radius_provider_t, add_attribute, void,
 	this->listener.mutex->unlock(this->listener.mutex);
 }
 
+METHOD(eap_radius_provider_t, clear_unclaimed, enumerator_t*,
+	private_eap_radius_provider_t *this, uint32_t id)
+{
+	entry_t *entry;
+
+	this->listener.mutex->lock(this->listener.mutex);
+	entry = this->listener.unclaimed->remove(this->listener.unclaimed,
+											 (void*)(uintptr_t)id);
+	this->listener.mutex->unlock(this->listener.mutex);
+	if (!entry)
+	{
+		return enumerator_create_empty();
+	}
+	return enumerator_create_cleaner(
+					entry->addrs->create_enumerator(entry->addrs),
+					(void*)destroy_entry, entry);
+}
+
 METHOD(eap_radius_provider_t, destroy, void,
 	private_eap_radius_provider_t *this)
 {
@@ -523,6 +544,7 @@ eap_radius_provider_t *eap_radius_provider_create()
 				},
 				.add_framed_ip = _add_framed_ip,
 				.add_attribute = _add_attribute,
+				.clear_unclaimed = _clear_unclaimed,
 				.destroy = _destroy,
 			},
 			.listener = {
@@ -539,6 +561,14 @@ eap_radius_provider_t *eap_radius_provider_create()
 			},
 		);
 
+		if (lib->settings->get_bool(lib->settings,
+							"%s.plugins.eap-radius.accounting", FALSE, lib->ns))
+		{
+			/* if RADIUS accounting is enabled, keep unclaimed IPs around until
+			 * the Accounting-Stop message is sent */
+			this->listener.public.message = NULL;
+		}
+
 		charon->bus->add_listener(charon->bus, &this->listener.public);
 
 		singleton = &this->public;
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.h b/src/libcharon/plugins/eap_radius/eap_radius_provider.h
index 80971bddb..9f1121ca3 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_provider.h
+++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.h
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2013 Martin Willi
  * Copyright (C) 2013 revosec AG
  *
@@ -56,6 +59,14 @@ struct eap_radius_provider_t {
 						  configuration_attribute_type_t type, chunk_t data);
 
 	/**
+	 * Clears any unclaimed IP addresses and attributes for the given IKE_SA.
+	 *
+	 * @param id			IKE_SA unique identifier
+	 * @return				enumerator over unclaimed IP addresses, if any
+	 */
+	enumerator_t *(*clear_unclaimed)(eap_radius_provider_t *this, uint32_t id);
+
+	/**
 	 * Destroy a eap_radius_provider_t.
 	 */
 	void (*destroy)(eap_radius_provider_t *this);
diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c
index 34d6efc48..2553fd014 100644
--- a/src/libcharon/plugins/ha/ha_attribute.c
+++ b/src/libcharon/plugins/ha/ha_attribute.c
@@ -159,13 +159,13 @@ static pool_t* get_pool(private_ha_attribute_t *this, char *name)
 }
 
 /**
- * Check if we are responsible for a bit in our bitmask
+ * Check if we are responsible for an offset
  */
-static bool responsible_for(private_ha_attribute_t *this, int bit)
+static bool responsible_for(private_ha_attribute_t *this, int offset)
 {
 	u_int segment;
 
-	segment = this->kernel->get_segment_int(this->kernel, bit);
+	segment = offset % this->segments->count(this->segments) + 1;
 	return this->segments->is_active(this->segments, segment);
 }
 
@@ -175,7 +175,7 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 {
 	enumerator_t *enumerator;
 	pool_t *pool = NULL;
-	int offset = -1, byte, bit;
+	int offset = -1, tmp_offset, byte, bit;
 	host_t *address;
 	char *name;
 
@@ -199,10 +199,11 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 			{
 				for (bit = 0; bit < 8; bit++)
 				{
+					tmp_offset = byte * 8 + bit;
 					if (!(pool->mask[byte] & 1 << bit) &&
-						responsible_for(this, bit))
+						responsible_for(this, tmp_offset))
 					{
-						offset = byte * 8 + bit;
+						offset = tmp_offset;
 						pool->mask[byte] |= 1 << bit;
 						break;
 					}
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index 4e3803892..ab845317f 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -138,6 +138,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 	chunk_t dh_local = chunk_empty, dh_remote = chunk_empty, psk = chunk_empty;
 	host_t *other = NULL;
 	bool ok = FALSE;
+	auth_method_t method = AUTH_RSA;
 
 	enumerator = message->create_attribute_enumerator(message);
 	while (enumerator->enumerate(enumerator, &attribute, &value))
@@ -197,6 +198,8 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 			case HA_ALG_DH:
 				dh_grp = value.u16;
 				break;
+			case HA_AUTH_METHOD:
+				method = value.u16;
 			default:
 				break;
 		}
@@ -238,7 +241,6 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 		{
 			keymat_v1_t *keymat_v1 = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
 			shared_key_t *shared = NULL;
-			auth_method_t method = AUTH_RSA;
 
 			if (psk.len)
 			{
diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c
index 2854ab76d..aae402d50 100644
--- a/src/libcharon/plugins/ha/ha_ike.c
+++ b/src/libcharon/plugins/ha/ha_ike.c
@@ -73,7 +73,7 @@ static ike_extension_t copy_extension(ike_sa_t *ike_sa, ike_extension_t ext)
 METHOD(listener_t, ike_keys, bool,
 	private_ha_ike_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
 	chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey,
-	shared_key_t *shared)
+	shared_key_t *shared, auth_method_t method)
 {
 	ha_message_t *m;
 	chunk_t secret;
@@ -141,6 +141,10 @@ METHOD(listener_t, ike_keys, bool,
 		{
 			m->add_attribute(m, HA_PSK, shared->get_key(shared));
 		}
+		else
+		{
+			m->add_attribute(m, HA_AUTH_METHOD, method);
+		}
 	}
 	m->add_attribute(m, HA_REMOTE_ADDR, ike_sa->get_other_host(ike_sa));
 
diff --git a/src/libcharon/plugins/ha/ha_message.c b/src/libcharon/plugins/ha/ha_message.c
index 7891b1654..28b7b0d5b 100644
--- a/src/libcharon/plugins/ha/ha_message.c
+++ b/src/libcharon/plugins/ha/ha_message.c
@@ -240,6 +240,7 @@ METHOD(ha_message_t, add_attribute, void,
 		case HA_OUTBOUND_CPI:
 		case HA_SEGMENT:
 		case HA_ESN:
+		case HA_AUTH_METHOD:
 		{
 			uint16_t val;
 
@@ -463,6 +464,7 @@ METHOD(enumerator_t, attribute_enumerate, bool,
 		case HA_OUTBOUND_CPI:
 		case HA_SEGMENT:
 		case HA_ESN:
+		case HA_AUTH_METHOD:
 		{
 			if (this->buf.len < sizeof(uint16_t))
 			{
diff --git a/src/libcharon/plugins/ha/ha_message.h b/src/libcharon/plugins/ha/ha_message.h
index 3e43dc8dc..3c0058d99 100644
--- a/src/libcharon/plugins/ha/ha_message.h
+++ b/src/libcharon/plugins/ha/ha_message.h
@@ -156,6 +156,8 @@ enum ha_message_attribute_t {
 	HA_PSK,
 	/** chunk_t, IV for next IKEv1 message */
 	HA_IV,
+	/** uint16_t, auth_method_t for IKEv1 key derivation */
+	HA_AUTH_METHOD,
 };
 
 /**
diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
index 0a407f9ef..153534915 100644
--- a/src/libcharon/plugins/ha/ha_segments.c
+++ b/src/libcharon/plugins/ha/ha_segments.c
@@ -433,6 +433,12 @@ METHOD(ha_segments_t, is_active, bool,
 	return (this->active & SEGMENTS_BIT(segment)) != 0;
 }
 
+METHOD(ha_segments_t, count, u_int,
+	private_ha_segments_t *this)
+{
+	return this->count;
+}
+
 METHOD(ha_segments_t, destroy, void,
 	private_ha_segments_t *this)
 {
@@ -459,6 +465,7 @@ ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel,
 			.deactivate = _deactivate,
 			.handle_status = _handle_status,
 			.is_active = _is_active,
+			.count = _count,
 			.destroy = _destroy,
 		},
 		.socket = socket,
diff --git a/src/libcharon/plugins/ha/ha_segments.h b/src/libcharon/plugins/ha/ha_segments.h
index 10d5812c6..bc96a8d3e 100644
--- a/src/libcharon/plugins/ha/ha_segments.h
+++ b/src/libcharon/plugins/ha/ha_segments.h
@@ -83,6 +83,13 @@ struct ha_segments_t {
 	bool (*is_active)(ha_segments_t *this, u_int segment);
 
 	/**
+	 * Return the number of segments
+	 *
+	 * @return			number of segments
+	 */
+	u_int (*count)(ha_segments_t *this);
+
+	/**
 	 * Destroy a ha_segments_t.
 	 */
 	void (*destroy)(ha_segments_t *this);
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 1292e0895..40fff7e05 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -2257,6 +2257,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	uint32_t replay_esn_len = 0;
 	kernel_ipsec_del_sa_t del = { 0 };
 	status_t status = FAILED;
+	traffic_selector_t *ts;
 	char markstr[32] = "";
 
 	/* if IPComp is used, we first update the IPComp SA */
@@ -2360,10 +2361,26 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	if (!id->src->ip_equals(id->src, data->new_src))
 	{
 		host2xfrm(data->new_src, &sa->saddr);
+
+		ts = selector2ts(&sa->sel, TRUE);
+		if (ts && ts->is_host(ts, id->src))
+		{
+			ts->set_address(ts, data->new_src);
+			ts2subnet(ts, &sa->sel.saddr, &sa->sel.prefixlen_s);
+		}
+		DESTROY_IF(ts);
 	}
 	if (!id->dst->ip_equals(id->dst, data->new_dst))
 	{
 		host2xfrm(data->new_dst, &sa->id.daddr);
+
+		ts = selector2ts(&sa->sel, FALSE);
+		if (ts && ts->is_host(ts, id->dst))
+		{
+			ts->set_address(ts, data->new_dst);
+			ts2subnet(ts, &sa->sel.daddr, &sa->sel.prefixlen_d);
+		}
+		DESTROY_IF(ts);
 	}
 
 	rta = XFRM_RTA(out_hdr, struct xfrm_usersa_info);
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index dbe409a62..37170a310 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2017 Tobias Brunner
+ * Copyright (C) 2008-2018 Tobias Brunner
  * Copyright (C) 2008 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -1287,20 +1287,27 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this,
 		return;
 	}
 
-	index = response.x_policy->sadb_x_policy_id;
-	this->mutex->lock(this->mutex);
-	if (this->policies->find_first(this->policies, policy_entry_match_byindex,
-								  (void**)&policy, index) &&
-		policy->used_by->get_first(policy->used_by, (void**)&sa) == SUCCESS)
+	if (response.x_sa2)
 	{
-		reqid = sa->sa->cfg.reqid;
+		reqid = response.x_sa2->sadb_x_sa2_reqid;
 	}
 	else
 	{
-		DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no "
-					  "matching policy found", index);
+		index = response.x_policy->sadb_x_policy_id;
+		this->mutex->lock(this->mutex);
+		if (this->policies->find_first(this->policies, policy_entry_match_byindex,
+									   (void**)&policy, index) &&
+			policy->used_by->get_first(policy->used_by, (void**)&sa) == SUCCESS)
+		{
+			reqid = sa->sa->cfg.reqid;
+		}
+		else
+		{
+			DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no "
+				 "matching policy found", index);
+		}
+		this->mutex->unlock(this->mutex);
 	}
-	this->mutex->unlock(this->mutex);
 
 	src_ts = sadb_address2ts(response.src);
 	dst_ts = sadb_address2ts(response.dst);
diff --git a/src/libcharon/plugins/vici/libvici.h b/src/libcharon/plugins/vici/libvici.h
index d69597881..964752f53 100644
--- a/src/libcharon/plugins/vici/libvici.h
+++ b/src/libcharon/plugins/vici/libvici.h
@@ -86,6 +86,10 @@
 
 #include <stdio.h>
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /**
  * Opaque vici connection contex.
  */
@@ -465,4 +469,8 @@ void vici_init();
  */
 void vici_deinit();
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /** LIBVICI_H_ @}*/
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 10c62dc89..ace7a4528 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -733,7 +733,7 @@ CALLBACK(parse_ts, bool,
 		if (host_create_from_range(buf, &lower, &upper))
 		{
 			type = (lower->get_family(lower) == AF_INET) ?
-						 		TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE;
+								TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE;
 			ts = traffic_selector_create_from_bytes(proto, type,
 								lower->get_address(lower), from,
 								upper->get_address(upper), to);
@@ -2494,7 +2494,10 @@ CALLBACK(config_sn, bool,
 	if (peer.mediated_by)
 	{
 		cfg.mediated_by = peer.mediated_by;
-		cfg.peer_id = peer.peer_id->clone(peer.peer_id);
+		if (peer.peer_id)
+		{
+			cfg.peer_id = peer.peer_id->clone(peer.peer_id);
+		}
 	}
 #endif /* ME */
 	peer_cfg = peer_cfg_create(name, ike_cfg, &cfg);
diff --git a/src/libcharon/processing/jobs/adopt_children_job.c b/src/libcharon/processing/jobs/adopt_children_job.c
index 998af0d3f..e2a7f6b20 100644
--- a/src/libcharon/processing/jobs/adopt_children_job.c
+++ b/src/libcharon/processing/jobs/adopt_children_job.c
@@ -53,6 +53,36 @@ METHOD(job_t, destroy, void,
 	free(this);
 }
 
+METHOD(adopt_children_job_t, queue_task, void,
+	private_adopt_children_job_t *this, task_t *task)
+{
+	array_insert_create(&this->tasks, ARRAY_TAIL, task);
+}
+
+/**
+ * Adopt child-creating tasks from the given IKE_SA
+ */
+static u_int adopt_child_tasks(private_adopt_children_job_t *this,
+							   ike_sa_t *ike_sa, task_queue_t queue)
+{
+	enumerator_t *tasks;
+	task_t *task;
+	u_int count = 0;
+
+	tasks = ike_sa->create_task_enumerator(ike_sa, queue);
+	while (tasks->enumerate(tasks, &task))
+	{
+		if (task->get_type(task) == TASK_QUICK_MODE)
+		{
+			ike_sa->remove_task(ike_sa, tasks);
+			queue_task(this, task);
+			count++;
+		}
+	}
+	tasks->destroy(tasks);
+	return count;
+}
+
 METHOD(job_t, execute, job_requeue_t,
 	private_adopt_children_job_t *this)
 {
@@ -65,6 +95,7 @@ METHOD(job_t, execute, job_requeue_t,
 	ike_sa_t *ike_sa;
 	child_sa_t *child_sa;
 	uint32_t unique;
+	u_int tasks = 0;
 
 	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, this->id);
 	if (ike_sa)
@@ -127,11 +158,17 @@ METHOD(job_t, execute, job_requeue_t,
 					 * it does trigger an assign_vips(FALSE) event, so we also
 					 * trigger one below */
 					ike_sa->clear_virtual_ips(ike_sa, FALSE);
-					if (children->get_count(children) || vips->get_count(vips))
+
+					tasks += adopt_child_tasks(this, ike_sa, TASK_QUEUE_ACTIVE);
+					tasks += adopt_child_tasks(this, ike_sa, TASK_QUEUE_QUEUED);
+
+					if (children->get_count(children) || tasks ||
+						vips->get_count(vips))
 					{
 						DBG1(DBG_IKE, "detected reauth of existing IKE_SA, "
-							 "adopting %d children and %d virtual IPs",
-							 children->get_count(children), vips->get_count(vips));
+							 "adopting %d children, %d child tasks, and %d "
+							 "virtual IPs", children->get_count(children),
+							 tasks, vips->get_count(vips));
 					}
 					if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
 					{
@@ -152,7 +189,8 @@ METHOD(job_t, execute, job_requeue_t,
 					charon->ike_sa_manager->checkin(
 											charon->ike_sa_manager, ike_sa);
 				}
-				if (children->get_count(children) || vips->get_count(vips))
+				if (children->get_count(children) || tasks ||
+					vips->get_count(vips))
 				{
 					break;
 				}
@@ -237,12 +275,6 @@ METHOD(job_t, get_priority, job_priority_t,
 	return JOB_PRIO_HIGH;
 }
 
-METHOD(adopt_children_job_t, queue_task, void,
-	private_adopt_children_job_t *this, task_t *task)
-{
-	array_insert_create(&this->tasks, ARRAY_TAIL, task);
-}
-
 /**
  * See header
  */
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index c33398bee..bdc96a4bc 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -978,7 +978,7 @@ static void prepare_sa_cfg(private_child_sa_t *this, ipsec_sa_cfg_t *my_sa,
 }
 
 /**
- * Install inbound policie(s): in, fwd
+ * Install inbound policies: in, fwd
  */
 static status_t install_policies_inbound(private_child_sa_t *this,
 	host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
@@ -1012,7 +1012,7 @@ static status_t install_policies_inbound(private_child_sa_t *this,
 }
 
 /**
- * Install outbound policie(s): out, [fwd]
+ * Install outbound policies: out, [fwd]
  */
 static status_t install_policies_outbound(private_child_sa_t *this,
 	host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index a4ad866d3..3d576a0e8 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -1996,8 +1996,7 @@ static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new,
 	/* adopt any active or queued CHILD-creating tasks */
 	if (status != DESTROY_ME)
 	{
-		task_manager_t *other_tasks = ((private_ike_sa_t*)new)->task_manager;
-		other_tasks->adopt_child_tasks(other_tasks, this->task_manager);
+		new->adopt_child_tasks(new, &this->public);
 		if (new->get_state(new) == IKE_CREATED)
 		{
 			status = new->initiate(new, NULL, 0, NULL, NULL);
@@ -2404,7 +2403,9 @@ METHOD(ike_sa_t, retransmit, status_t,
 			}
 			case IKE_DELETING:
 				DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
-				if (has_condition(this, COND_REAUTHENTICATING))
+				if (has_condition(this, COND_REAUTHENTICATING) &&
+					!lib->settings->get_bool(lib->settings,
+										"%s.make_before_break", FALSE, lib->ns))
 				{
 					DBG1(DBG_IKE, "delete during reauthentication failed, "
 						 "trying to reestablish IKE_SA anyway");
@@ -2719,6 +2720,12 @@ METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
 	return this->task_manager->create_task_enumerator(this->task_manager, queue);
 }
 
+METHOD(ike_sa_t, remove_task, void,
+	private_ike_sa_t *this, enumerator_t *enumerator)
+{
+	return this->task_manager->remove_task(this->task_manager, enumerator);
+}
+
 METHOD(ike_sa_t, flush_queue, void,
 	private_ike_sa_t *this, task_queue_t queue)
 {
@@ -2737,6 +2744,36 @@ METHOD(ike_sa_t, queue_task_delayed, void,
 	this->task_manager->queue_task_delayed(this->task_manager, task, delay);
 }
 
+/**
+ * Migrate and queue child-creating tasks from another IKE_SA
+ */
+static void migrate_child_tasks(private_ike_sa_t *this, ike_sa_t *other,
+								task_queue_t queue)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+
+	enumerator = other->create_task_enumerator(other, queue);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		if (task->get_type(task) == TASK_CHILD_CREATE ||
+			task->get_type(task) == TASK_QUICK_MODE)
+		{
+			other->remove_task(other, enumerator);
+			task->migrate(task, &this->public);
+			queue_task(this, task);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(ike_sa_t, adopt_child_tasks, void,
+	private_ike_sa_t *this, ike_sa_t *other)
+{
+	migrate_child_tasks(this, other, TASK_QUEUE_ACTIVE);
+	migrate_child_tasks(this, other, TASK_QUEUE_QUEUED);
+}
+
 METHOD(ike_sa_t, inherit_pre, void,
 	private_ike_sa_t *this, ike_sa_t *other_public)
 {
@@ -3052,9 +3089,11 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 			.create_attribute_enumerator = _create_attribute_enumerator,
 			.set_kmaddress = _set_kmaddress,
 			.create_task_enumerator = _create_task_enumerator,
+			.remove_task = _remove_task,
 			.flush_queue = _flush_queue,
 			.queue_task = _queue_task,
 			.queue_task_delayed = _queue_task_delayed,
+			.adopt_child_tasks = _adopt_child_tasks,
 #ifdef ME
 			.act_as_mediation_server = _act_as_mediation_server,
 			.get_server_reflexive_host = _get_server_reflexive_host,
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index c1d3e1d7a..be480eac8 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -1125,6 +1125,16 @@ struct ike_sa_t {
 	enumerator_t* (*create_task_enumerator)(ike_sa_t *this, task_queue_t queue);
 
 	/**
+	 * Remove the task the given enumerator points to.
+	 *
+	 * @note This should be used with caution, in partciular, for tasks in the
+	 * active and passive queues.
+	 *
+	 * @param enumerator	enumerator created with the method above
+	 */
+	void (*remove_task)(ike_sa_t *this, enumerator_t *enumerator);
+
+	/**
 	 * Flush a task queue, cancelling all tasks in it.
 	 *
 	 * @param queue			queue type to flush
@@ -1148,6 +1158,13 @@ struct ike_sa_t {
 	void (*queue_task_delayed)(ike_sa_t *this, task_t *task, uint32_t delay);
 
 	/**
+	 * Adopt child creating tasks from the given IKE_SA.
+	 *
+	 * @param other			other IKE_SA to adopt tasks from
+	 */
+	void (*adopt_child_tasks)(ike_sa_t *this, ike_sa_t *other);
+
+	/**
 	 * Inherit required attributes to new SA before rekeying.
 	 *
 	 * Some properties of the SA must be applied before starting IKE_SA
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index c50c70860..3bac4b109 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1967,6 +1967,8 @@ static void adopt_children_and_vips(ike_sa_t *old, ike_sa_t *new)
 	}
 	enumerator->destroy(enumerator);
 
+	new->adopt_child_tasks(new, old);
+
 	enumerator = old->create_virtual_ip_enumerator(old, FALSE);
 	while (enumerator->enumerate(enumerator, &vip))
 	{
diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c
index b99d75142..ac2899f11 100644
--- a/src/libcharon/sa/ikev1/phase1.c
+++ b/src/libcharon/sa/ikev1/phase1.c
@@ -251,7 +251,8 @@ METHOD(phase1_t, derive_keys, bool,
 		return FALSE;
 	}
 	charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, this->dh_value,
-						  this->nonce_i, this->nonce_r, NULL, shared_key);
+						  this->nonce_i, this->nonce_r, NULL, shared_key,
+						  method);
 	DESTROY_IF(shared_key);
 	return TRUE;
 }
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 5f6c3bbe8..f76471e78 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2016 Tobias Brunner
+ * Copyright (C) 2007-2018 Tobias Brunner
  * Copyright (C) 2007-2011 Martin Willi
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -544,20 +544,20 @@ METHOD(task_manager_t, initiate, status_t,
 					new_mid = TRUE;
 					break;
 				}
-				if (!mode_config_expected(this) &&
-					activate_task(this, TASK_QUICK_MODE))
+				if (activate_task(this, TASK_ISAKMP_DPD))
 				{
-					exchange = QUICK_MODE;
+					exchange = INFORMATIONAL_V1;
 					new_mid = TRUE;
 					break;
 				}
-				if (activate_task(this, TASK_INFORMATIONAL))
+				if (!mode_config_expected(this) &&
+					activate_task(this, TASK_QUICK_MODE))
 				{
-					exchange = INFORMATIONAL_V1;
+					exchange = QUICK_MODE;
 					new_mid = TRUE;
 					break;
 				}
-				if (activate_task(this, TASK_ISAKMP_DPD))
+				if (activate_task(this, TASK_INFORMATIONAL))
 				{
 					exchange = INFORMATIONAL_V1;
 					new_mid = TRUE;
@@ -1121,7 +1121,15 @@ static status_t process_request(private_task_manager_t *this,
 		}
 	}
 	else
-	{	/* We don't send a response, so don't retransmit one if we get
+	{
+		if (this->responding.retransmitted > 1)
+		{
+			packet_t *packet = NULL;
+			array_get(this->responding.packets, 0, &packet);
+			charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_CLEARED,
+							   packet);
+		}
+		/* We don't send a response, so don't retransmit one if we get
 		 * the same message again. */
 		clear_packets(this->responding.packets);
 	}
@@ -1883,39 +1891,6 @@ METHOD(task_manager_t, adopt_tasks, void,
 	}
 }
 
-/**
- * Migrates child-creating tasks from src to dst
- */
-static void migrate_child_tasks(private_task_manager_t *this,
-								linked_list_t *src, linked_list_t *dst)
-{
-	enumerator_t *enumerator;
-	task_t *task;
-
-	enumerator = src->create_enumerator(src);
-	while (enumerator->enumerate(enumerator, &task))
-	{
-		if (task->get_type(task) == TASK_QUICK_MODE)
-		{
-			src->remove_at(src, enumerator);
-			task->migrate(task, this->ike_sa);
-			dst->insert_last(dst, task);
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-METHOD(task_manager_t, adopt_child_tasks, void,
-	private_task_manager_t *this, task_manager_t *other_public)
-{
-	private_task_manager_t *other = (private_task_manager_t*)other_public;
-
-	/* move active child tasks from other to this */
-	migrate_child_tasks(this, other->active_tasks, this->queued_tasks);
-	/* do the same for queued tasks */
-	migrate_child_tasks(this, other->queued_tasks, this->queued_tasks);
-}
-
 METHOD(task_manager_t, busy, bool,
 	private_task_manager_t *this)
 {
@@ -1976,19 +1951,86 @@ METHOD(task_manager_t, reset, void,
 	}
 }
 
+/**
+ * Data for a task queue enumerator
+ */
+typedef struct {
+	enumerator_t public;
+	task_queue_t queue;
+	enumerator_t *inner;
+} task_enumerator_t;
+
+METHOD(enumerator_t, task_enumerator_destroy, void,
+	task_enumerator_t *this)
+{
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+METHOD(enumerator_t, task_enumerator_enumerate, bool,
+	task_enumerator_t *this, va_list args)
+{
+	task_t **task;
+
+	VA_ARGS_VGET(args, task);
+	return this->inner->enumerate(this->inner, task);
+}
+
 METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
 	private_task_manager_t *this, task_queue_t queue)
 {
+	task_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = enumerator_enumerate_default,
+			.venumerate = _task_enumerator_enumerate,
+			.destroy = _task_enumerator_destroy,
+		},
+		.queue = queue,
+	);
 	switch (queue)
 	{
 		case TASK_QUEUE_ACTIVE:
-			return this->active_tasks->create_enumerator(this->active_tasks);
+			enumerator->inner = this->active_tasks->create_enumerator(
+														this->active_tasks);
+			break;
+		case TASK_QUEUE_PASSIVE:
+			enumerator->inner = this->passive_tasks->create_enumerator(
+														this->passive_tasks);
+			break;
+		case TASK_QUEUE_QUEUED:
+			enumerator->inner = this->queued_tasks->create_enumerator(
+														this->queued_tasks);
+			break;
+		default:
+			enumerator->inner = enumerator_create_empty();
+			break;
+	}
+	return &enumerator->public;
+}
+
+METHOD(task_manager_t, remove_task, void,
+	private_task_manager_t *this, enumerator_t *enumerator_public)
+{
+	task_enumerator_t *enumerator = (task_enumerator_t*)enumerator_public;
+
+	switch (enumerator->queue)
+	{
+		case TASK_QUEUE_ACTIVE:
+			this->active_tasks->remove_at(this->active_tasks,
+										  enumerator->inner);
+			break;
 		case TASK_QUEUE_PASSIVE:
-			return this->passive_tasks->create_enumerator(this->passive_tasks);
+			this->passive_tasks->remove_at(this->passive_tasks,
+										   enumerator->inner);
+			break;
 		case TASK_QUEUE_QUEUED:
-			return this->queued_tasks->create_enumerator(this->queued_tasks);
+			this->queued_tasks->remove_at(this->queued_tasks,
+										  enumerator->inner);
+			break;
 		default:
-			return enumerator_create_empty();
+			break;
 	}
 }
 
@@ -2039,9 +2081,9 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
 				.get_mid = _get_mid,
 				.reset = _reset,
 				.adopt_tasks = _adopt_tasks,
-				.adopt_child_tasks = _adopt_child_tasks,
 				.busy = _busy,
 				.create_task_enumerator = _create_task_enumerator,
+				.remove_task = _remove_task,
 				.flush = _flush,
 				.flush_queue = _flush_queue,
 				.destroy = _destroy,
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c b/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c
index 7dbbdc92f..b652d926f 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c
@@ -287,7 +287,6 @@ METHOD(task_t, process_i, status_t,
 				default:
 					return FAILED;
 			}
-			break;
 		}
 		case AGGRESSIVE:
 		{
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
index 58f856e3f..566bfe83a 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
@@ -605,7 +605,6 @@ METHOD(task_t, process_i, status_t,
 				default:
 					return FAILED;
 			}
-			break;
 		}
 		case AGGRESSIVE:
 		{
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 007e94d96..b0a42b8bd 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -1110,14 +1110,17 @@ METHOD(task_t, process_r, status_t,
 				this->tsi = select_ts(this, FALSE, tsi);
 				this->tsr = select_ts(this, TRUE, tsr);
 			}
-			tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
-			tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
 			if (!this->config || !this->tsi || !this->tsr ||
 				this->mode != this->config->get_mode(this->config))
 			{
-				DBG1(DBG_IKE, "no matching CHILD_SA config found");
+				DBG1(DBG_IKE, "no matching CHILD_SA config found for "
+					 "%#R === %#R", tsi, tsr);
+				tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
+				tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
 				return send_notify(this, INVALID_ID_INFORMATION);
 			}
+			tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
+			tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
 
 			if (this->config->has_option(this->config, OPT_IPCOMP))
 			{
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 1fcef03cc..97d33a89e 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -111,6 +111,40 @@ static bool build_signature_auth_data(chunk_t *auth_data,
 }
 
 /**
+ * Check if the given scheme is supported by the key and, if so, add it to the
+ * first array (we add the scheme supported by the key in case the parameters
+ * are different)
+ */
+static void add_scheme_if_supported(array_t *selected, array_t *supported,
+									signature_params_t *config)
+{
+	signature_params_t *sup;
+	int i;
+
+	if (!supported)
+	{
+		array_insert(selected, ARRAY_TAIL, signature_params_clone(config));
+		return;
+	}
+
+	for (i = 0; i < array_count(supported); i++)
+	{
+		array_get(supported, i, &sup);
+		if (signature_params_comply(sup, config))
+		{
+			array_insert(selected, ARRAY_TAIL, signature_params_clone(sup));
+			return;
+		}
+	}
+}
+
+CALLBACK(destroy_scheme, void,
+	signature_params_t *params, int idx, void *user)
+{
+	signature_params_destroy(params);
+}
+
+/**
  * Selects possible signature schemes based on our configuration, the other
  * peer's capabilities and the private key
  */
@@ -123,10 +157,32 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 	auth_rule_t rule;
 	key_type_t key_type;
 	bool have_config = FALSE;
-	array_t *selected;
+	array_t *supported = NULL, *selected;
 
 	selected = array_create(0, 0);
 	key_type = private->get_type(private);
+
+	if (private->supported_signature_schemes)
+	{
+		enumerator = private->supported_signature_schemes(private);
+		while (enumerator->enumerate(enumerator, &config))
+		{
+			if (keymat->hash_algorithm_supported(keymat,
+								hasher_from_signature_scheme(config->scheme,
+															 config->params)))
+			{
+				array_insert_create(&supported, ARRAY_TAIL,
+									signature_params_clone(config));
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		if (!supported)
+		{
+			return selected;
+		}
+	}
+
 	enumerator = auth->create_enumerator(auth);
 	while (enumerator->enumerate(enumerator, &rule, &config))
 	{
@@ -134,21 +190,32 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 		{
 			continue;
 		}
-		have_config = TRUE;
 		if (key_type == key_type_from_signature_scheme(config->scheme) &&
 			keymat->hash_algorithm_supported(keymat,
 								hasher_from_signature_scheme(config->scheme,
 															 config->params)))
 		{
-			array_insert(selected, ARRAY_TAIL, signature_params_clone(config));
+			add_scheme_if_supported(selected, supported, config);
 		}
+		have_config = TRUE;
 	}
 	enumerator->destroy(enumerator);
 
-	if (!have_config)
+	if (have_config)
 	{
-		/* if no specific configuration, find schemes appropriate for the key
-		 * and supported by the other peer */
+		array_destroy_function(supported, destroy_scheme, NULL);
+	}
+	else
+	{
+		/* if we have no config, return either whatever schemes the key (and
+		 * peer) support or.. */
+		if (supported)
+		{
+			array_destroy(selected);
+			return supported;
+		}
+
+		/* ...find schemes appropriate for the key and supported by the peer */
 		enumerator = signature_schemes_for_key(key_type,
 											   private->get_keysize(private));
 		while (enumerator->enumerate(enumerator, &config))
@@ -207,12 +274,6 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 	return selected;
 }
 
-CALLBACK(destroy_scheme, void,
-	signature_params_t *params, int idx, void *user)
-{
-	signature_params_destroy(params);
-}
-
 /**
  * Adds the given auth data to the message, either in an AUTH payload or
  * a NO_PPK_AUTH notify.
@@ -310,9 +371,9 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
 		if (params->scheme == SIGN_RSA_EMSA_PSS)
 		{
 			rsa_pss_params_t *pss = params->params;
-			DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N_%N %s", id,
-				 signature_scheme_names, params->scheme,
-				 hash_algorithm_short_names_upper, pss->hash,
+			DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N_%N_SALT_%zd "
+				 "%s", id, signature_scheme_names, params->scheme,
+				 hash_algorithm_short_names_upper, pss->hash, pss->salt_len,
 				 status == SUCCESS ? "successful" : "failed");
 		}
 		else
@@ -586,9 +647,9 @@ METHOD(authenticator_t, process, status_t,
 			else if (params->scheme == SIGN_RSA_EMSA_PSS)
 			{
 				rsa_pss_params_t *pss = params->params;
-				DBG1(DBG_IKE, "authentication of '%Y' with %N_%N successful",
-					 id, signature_scheme_names, params->scheme,
-					 hash_algorithm_short_names_upper, pss->hash);
+				DBG1(DBG_IKE, "authentication of '%Y' with %N_%N_SALT_%zd "
+					 "successful", id, signature_scheme_names, params->scheme,
+					 hash_algorithm_short_names_upper, pss->hash, pss->salt_len);
 			}
 			else
 			{
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 910c77a2d..e9142d79b 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -1459,6 +1459,59 @@ static bool looks_like_mid_sync(private_task_manager_t *this, message_t *msg,
 }
 
 /**
+ * Check whether we should reject the given request message
+ */
+static inline bool reject_request(private_task_manager_t *this,
+								  message_t *msg)
+{
+	ike_sa_state_t state;
+	exchange_type_t type;
+	ike_sa_id_t *ike_sa_id;
+	bool reject = FALSE;
+
+	state = this->ike_sa->get_state(this->ike_sa);
+	type = msg->get_exchange_type(msg);
+
+	/* reject initial messages if not received in specific states */
+	switch (type)
+	{
+		case IKE_SA_INIT:
+			reject = state != IKE_CREATED;
+			break;
+		case IKE_AUTH:
+			reject = state != IKE_CONNECTING;
+			break;
+		default:
+			break;
+	}
+
+	if (!reject)
+	{
+		switch (state)
+		{
+			/* after rekeying we only expect a DELETE in an INFORMATIONAL */
+			case IKE_REKEYED:
+				reject = type != INFORMATIONAL;
+				break;
+			/* also reject requests for half-open IKE_SAs as initiator */
+			case IKE_CREATED:
+			case IKE_CONNECTING:
+				ike_sa_id = this->ike_sa->get_id(this->ike_sa);
+				reject = ike_sa_id->is_initiator(ike_sa_id);
+				break;
+			default:
+				break;
+		}
+	}
+
+	if (reject)
+	{
+		DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N", exchange_type_names,
+			 type, ike_sa_state_names, state);
+	}
+	return reject;
+}
+/**
  * Check if a message with message ID 0 looks like it is used to synchronize
  * the message IDs and we are prepared to process it.
  *
@@ -1483,8 +1536,6 @@ METHOD(task_manager_t, process_message, status_t,
 	status_t status;
 	uint32_t mid;
 	bool schedule_delete_job = FALSE;
-	ike_sa_state_t state;
-	exchange_type_t type;
 
 	charon->bus->message(charon->bus, msg, TRUE, FALSE);
 	status = parse_message(this, msg);
@@ -1517,24 +1568,14 @@ METHOD(task_manager_t, process_message, status_t,
 		/* add a timeout if peer does not establish it completely */
 		schedule_delete_job = TRUE;
 	}
-	this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
-								time_monotonic(NULL));
 
 	mid = msg->get_message_id(msg);
 	if (msg->get_request(msg))
 	{
 		if (mid == this->responding.mid || (mid == 0 && is_mid_sync(this, msg)))
 		{
-			/* reject initial messages if not received in specific states,
-			 * after rekeying we only expect a DELETE in an INFORMATIONAL */
-			type = msg->get_exchange_type(msg);
-			state = this->ike_sa->get_state(this->ike_sa);
-			if ((type == IKE_SA_INIT && state != IKE_CREATED) ||
-				(type == IKE_AUTH && state != IKE_CONNECTING) ||
-				(state == IKE_REKEYED && type != INFORMATIONAL))
+			if (reject_request(this, msg))
 			{
-				DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N",
-					 exchange_type_names, type, ike_sa_state_names, state);
 				return FAILED;
 			}
 			if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
@@ -1544,6 +1585,11 @@ METHOD(task_manager_t, process_message, status_t,
 			status = handle_fragment(this, &this->responding.defrag, msg);
 			if (status != SUCCESS)
 			{
+				if (status == NEED_MORE)
+				{
+					this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
+												time_monotonic(NULL));
+				}
 				return status;
 			}
 			charon->bus->message(charon->bus, msg, TRUE, TRUE);
@@ -1554,6 +1600,8 @@ METHOD(task_manager_t, process_message, status_t,
 			switch (process_request(this, msg))
 			{
 				case SUCCESS:
+					this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
+												time_monotonic(NULL));
 					this->responding.mid++;
 					break;
 				case NEED_MORE:
@@ -1570,10 +1618,17 @@ METHOD(task_manager_t, process_message, status_t,
 			status = handle_fragment(this, &this->responding.defrag, msg);
 			if (status != SUCCESS)
 			{
+				if (status == NEED_MORE)
+				{
+					this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
+												time_monotonic(NULL));
+				}
 				return status;
 			}
 			DBG1(DBG_IKE, "received retransmit of request with ID %d, "
 				 "retransmitting response", mid);
+			this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
+										time_monotonic(NULL));
 			charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
 			send_packets(this, this->responding.packets,
 						 msg->get_destination(msg), msg->get_source(msg));
@@ -1603,6 +1658,11 @@ METHOD(task_manager_t, process_message, status_t,
 			status = handle_fragment(this, &this->initiating.defrag, msg);
 			if (status != SUCCESS)
 			{
+				if (status == NEED_MORE)
+				{
+					this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
+												time_monotonic(NULL));
+				}
 				return status;
 			}
 			charon->bus->message(charon->bus, msg, TRUE, TRUE);
@@ -1615,6 +1675,8 @@ METHOD(task_manager_t, process_message, status_t,
 				flush(this);
 				return DESTROY_ME;
 			}
+			this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
+										time_monotonic(NULL));
 		}
 		else
 		{
@@ -2014,61 +2076,6 @@ METHOD(task_manager_t, adopt_tasks, void,
 	}
 }
 
-/**
- * Migrates child-creating tasks from other to this
- */
-static void migrate_child_tasks(private_task_manager_t *this,
-								private_task_manager_t *other,
-								task_queue_t queue)
-{
-	enumerator_t *enumerator;
-	array_t *array;
-	task_t *task;
-
-	switch (queue)
-	{
-		case TASK_QUEUE_ACTIVE:
-			array = other->active_tasks;
-			break;
-		case TASK_QUEUE_QUEUED:
-			array = other->queued_tasks;
-			break;
-		default:
-			return;
-	}
-
-	enumerator = array_create_enumerator(array);
-	while (enumerator->enumerate(enumerator, &task))
-	{
-		queued_task_t *queued = NULL;
-
-		if (queue == TASK_QUEUE_QUEUED)
-		{
-			queued = (queued_task_t*)task;
-			task = queued->task;
-		}
-		if (task->get_type(task) == TASK_CHILD_CREATE)
-		{
-			array_remove_at(array, enumerator);
-			task->migrate(task, this->ike_sa);
-			queue_task(this, task);
-			free(queued);
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-METHOD(task_manager_t, adopt_child_tasks, void,
-	private_task_manager_t *this, task_manager_t *other_public)
-{
-	private_task_manager_t *other = (private_task_manager_t*)other_public;
-
-	/* move active child tasks from other to this */
-	migrate_child_tasks(this, other, TASK_QUEUE_ACTIVE);
-	/* do the same for queued tasks */
-	migrate_child_tasks(this, other, TASK_QUEUE_QUEUED);
-}
-
 METHOD(task_manager_t, busy, bool,
 	private_task_manager_t *this)
 {
@@ -2124,17 +2131,39 @@ METHOD(task_manager_t, reset, void,
 	this->reset = TRUE;
 }
 
-CALLBACK(filter_queued, bool,
-	void *unused, enumerator_t *orig, va_list args)
-{
+/**
+ * Data for a task queue enumerator
+ */
+typedef struct {
+	enumerator_t public;
+	task_queue_t queue;
+	enumerator_t *inner;
 	queued_task_t *queued;
+} task_enumerator_t;
+
+METHOD(enumerator_t, task_enumerator_destroy, void,
+	task_enumerator_t *this)
+{
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+METHOD(enumerator_t, task_enumerator_enumerate, bool,
+	task_enumerator_t *this, va_list args)
+{
 	task_t **task;
 
 	VA_ARGS_VGET(args, task);
-
-	if (orig->enumerate(orig, &queued))
+	if (this->queue == TASK_QUEUE_QUEUED)
+	{
+		if (this->inner->enumerate(this->inner, &this->queued))
+		{
+			*task = this->queued->task;
+			return TRUE;
+		}
+	}
+	else if (this->inner->enumerate(this->inner, task))
 	{
-		*task = queued->task;
 		return TRUE;
 	}
 	return FALSE;
@@ -2143,18 +2172,54 @@ CALLBACK(filter_queued, bool,
 METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
 	private_task_manager_t *this, task_queue_t queue)
 {
+	task_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = enumerator_enumerate_default,
+			.venumerate = _task_enumerator_enumerate,
+			.destroy = _task_enumerator_destroy,
+		},
+		.queue = queue,
+	);
 	switch (queue)
 	{
 		case TASK_QUEUE_ACTIVE:
-			return array_create_enumerator(this->active_tasks);
+			enumerator->inner = array_create_enumerator(this->active_tasks);
+			break;
 		case TASK_QUEUE_PASSIVE:
-			return array_create_enumerator(this->passive_tasks);
+			enumerator->inner = array_create_enumerator(this->passive_tasks);
+			break;
 		case TASK_QUEUE_QUEUED:
-			return enumerator_create_filter(
-									array_create_enumerator(this->queued_tasks),
-									filter_queued, NULL, NULL);
+			enumerator->inner = array_create_enumerator(this->queued_tasks);
+			break;
 		default:
-			return enumerator_create_empty();
+			enumerator->inner = enumerator_create_empty();
+			break;
+	}
+	return &enumerator->public;
+}
+
+METHOD(task_manager_t, remove_task, void,
+	private_task_manager_t *this, enumerator_t *enumerator_public)
+{
+	task_enumerator_t *enumerator = (task_enumerator_t*)enumerator_public;
+
+	switch (enumerator->queue)
+	{
+		case TASK_QUEUE_ACTIVE:
+			array_remove_at(this->active_tasks, enumerator->inner);
+			break;
+		case TASK_QUEUE_PASSIVE:
+			array_remove_at(this->passive_tasks, enumerator->inner);
+			break;
+		case TASK_QUEUE_QUEUED:
+			array_remove_at(this->queued_tasks, enumerator->inner);
+			free(enumerator->queued);
+			enumerator->queued = NULL;
+			break;
+		default:
+			break;
 	}
 }
 
@@ -2204,9 +2269,9 @@ task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
 				.get_mid = _get_mid,
 				.reset = _reset,
 				.adopt_tasks = _adopt_tasks,
-				.adopt_child_tasks = _adopt_child_tasks,
 				.busy = _busy,
 				.create_task_enumerator = _create_task_enumerator,
+				.remove_task = _remove_task,
 				.flush = _flush,
 				.flush_queue = _flush_queue,
 				.destroy = _destroy,
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c
index 6c8b29018..0e3711898 100644
--- a/src/libcharon/sa/ikev2/tasks/child_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
@@ -174,6 +174,11 @@ static void install_outbound(private_child_delete_t *this,
 	linked_list_t *my_ts, *other_ts;
 	status_t status;
 
+	if (!spi)
+	{
+		return;
+	}
+
 	child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol,
 										  spi, FALSE);
 	if (!child_sa)
@@ -312,7 +317,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
 	child_sa_t *child_sa;
 	child_cfg_t *child_cfg;
 	protocol_id_t protocol;
-	uint32_t spi, reqid, rekey_spi;
+	uint32_t spi, reqid;
 	action_t action;
 	status_t status = SUCCESS;
 	time_t now, expire;
@@ -335,11 +340,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
 		}
 		else
 		{
-			rekey_spi = child_sa->get_rekey_spi(child_sa);
-			if (rekey_spi)
-			{
-				install_outbound(this, protocol, rekey_spi);
-			}
+			install_outbound(this, protocol, child_sa->get_rekey_spi(child_sa));
 			/* for rekeyed CHILD_SAs we uninstall the outbound SA but don't
 			 * immediately destroy it, by default, so we can process delayed
 			 * packets */
@@ -459,6 +460,17 @@ METHOD(task_t, build_i, status_t,
 		this->spi = child_sa->get_spi(child_sa, TRUE);
 	}
 
+	if (this->expired && child_sa->get_state(child_sa) == CHILD_REKEYED)
+	{	/* the peer was expected to delete this SA, but if we send a DELETE
+		 * we might cause a collision there if the CREATE_CHILD_SA response
+		 * is delayed (the peer wouldn't know if we deleted this SA due to an
+		 * expire or because of a forced delete by the user and might then
+		 * ignore the CREATE_CHILD_SA response once it arrives) */
+		child_sa->set_state(child_sa, CHILD_DELETED);
+		install_outbound(this, this->protocol,
+						 child_sa->get_rekey_spi(child_sa));
+	}
+
 	if (child_sa->get_state(child_sa) == CHILD_DELETED)
 	{	/* DELETEs for this CHILD_SA were already exchanged, but it was not yet
 		 * destroyed to allow delayed packets to get processed */
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index 307d99264..b570904e2 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -773,7 +773,7 @@ static bool derive_keys(private_ike_init_t *this,
 		return FALSE;
 	}
 	charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, chunk_empty,
-						  nonce_i, nonce_r, this->old_sa, NULL);
+						  nonce_i, nonce_r, this->old_sa, NULL, AUTH_NONE);
 	return TRUE;
 }
 
@@ -890,6 +890,20 @@ METHOD(task_t, pre_process_i, status_t,
 
 			switch (type)
 			{
+				case COOKIE:
+				{
+					chunk_t cookie;
+
+					cookie = notify->get_notification_data(notify);
+					if (chunk_equals(cookie, this->cookie))
+					{
+						DBG1(DBG_IKE, "ignore response with duplicate COOKIE "
+							 "notify");
+						enumerator->destroy(enumerator);
+						return FAILED;
+					}
+					break;
+				}
 				case REDIRECT:
 				{
 					identification_t *gateway;
diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h
index 9545da4f3..c357d5035 100644
--- a/src/libcharon/sa/task_manager.h
+++ b/src/libcharon/sa/task_manager.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2016 Tobias Brunner
+ * Copyright (C) 2013-2018 Tobias Brunner
  * Copyright (C) 2006 Martin Willi
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -228,13 +228,6 @@ struct task_manager_t {
 	void (*adopt_tasks) (task_manager_t *this, task_manager_t *other);
 
 	/**
-	 * Migrate all active or queued CHILD_SA-creating tasks from other to this.
-	 *
-	 * @param other			manager which gives away its tasks
-	 */
-	void (*adopt_child_tasks) (task_manager_t *this, task_manager_t *other);
-
-	/**
 	 * Increment a message ID counter, in- or outbound.
 	 *
 	 * If a message is processed outside of the manager, this call increments
@@ -285,6 +278,16 @@ struct task_manager_t {
 											task_queue_t queue);
 
 	/**
+	 * Remove the task the given enumerator points to.
+	 *
+	 * @note This should be used with caution, in partciular, for tasks in the
+	 * active and passive queues.
+	 *
+	 * @param enumerator	enumerator created with the method above
+	 */
+	void (*remove_task)(task_manager_t *this, enumerator_t *enumerator);
+
+	/**
 	 * Flush all tasks, regardless of the queue.
 	 */
 	void (*flush)(task_manager_t *this);
diff --git a/src/libcharon/tests/suites/test_child_rekey.c b/src/libcharon/tests/suites/test_child_rekey.c
index 51d577cd8..b9f6ea0bc 100644
--- a/src/libcharon/tests/suites/test_child_rekey.c
+++ b/src/libcharon/tests/suites/test_child_rekey.c
@@ -370,8 +370,8 @@ END_TEST
 
 /**
  * Check that the responder handles hard expires properly while waiting for the
- * delete after a rekeying (e.g. if the initiator of the rekeying fails to
- * delete the CHILD_SA for some reason).
+ * delete after a rekeying (e.g. if the rekey settings are tight or the
+ * CREATE_CHILD_SA response is delayed).
  */
 START_TEST(test_regular_responder_handle_hard_expire)
 {
@@ -405,28 +405,22 @@ START_TEST(test_regular_responder_handle_hard_expire)
 
 	/* we don't expect this to get called anymore */
 	assert_hook_not_called(child_rekey);
-	/* this is similar to a regular delete collision */
-	assert_single_payload(OUT, PLV2_DELETE);
+	/* this is similar to a regular delete collision, but we don't actually
+	 * want to send a delete back as that might conflict with a delayed
+	 * CREATE_CHILD_SA response */
 	call_ikesa(b, delete_child_sa, PROTO_ESP, 2, TRUE);
-	assert_child_sa_state(b, 2, CHILD_DELETING, CHILD_OUTBOUND_INSTALLED);
-	assert_child_sa_state(b, 4, CHILD_INSTALLED, CHILD_OUTBOUND_REGISTERED);
-	/* since the SAs expired they would not actually be installed in the kernel
-	 * anymore and since we have not yet installed a new outbound SA this
-	 * will result in dropped packets and possibly acquires */
-	assert_ipsec_sas_installed(b, 1, 2, 4);
+	assert_child_sa_count(b, 1);
+	assert_child_sa_state(b, 4, CHILD_INSTALLED, CHILD_OUTBOUND_INSTALLED);
+	/* the expire causes the outbound SA to get installed */
+	assert_ipsec_sas_installed(b, 3, 4);
 
 	/* INFORMATIONAL { D } --> */
+	assert_no_jobs_scheduled();
 	assert_single_payload(IN, PLV2_DELETE);
 	exchange_test_helper->process_message(exchange_test_helper, b, NULL);
-	assert_child_sa_state(b, 2, CHILD_DELETING, CHILD_OUTBOUND_INSTALLED);
-	assert_child_sa_state(b, 4, CHILD_INSTALLED, CHILD_OUTBOUND_REGISTERED);
-	assert_ipsec_sas_installed(b, 1, 2, 4);
-	/* <-- INFORMATIONAL { D } */
-	assert_single_payload(IN, PLV2_DELETE);
-	exchange_test_helper->process_message(exchange_test_helper, a, NULL);
-	assert_child_sa_state(a, 1, CHILD_DELETING, CHILD_OUTBOUND_INSTALLED);
-	assert_child_sa_state(a, 3, CHILD_INSTALLED, CHILD_OUTBOUND_INSTALLED);
-	assert_ipsec_sas_installed(a, 1, 2, 3, 4);
+	assert_child_sa_state(b, 4, CHILD_INSTALLED, CHILD_OUTBOUND_INSTALLED);
+	assert_ipsec_sas_installed(b, 3, 4);
+	assert_scheduler();
 	/* <-- INFORMATIONAL { } */
 	assert_jobs_scheduled(1);
 	assert_message_empty(IN);
@@ -436,23 +430,11 @@ START_TEST(test_regular_responder_handle_hard_expire)
 	assert_child_sa_count(a, 2);
 	assert_ipsec_sas_installed(a, 1, 3, 4);
 	assert_scheduler();
-	/* INFORMATIONAL { } --> */
-	assert_jobs_scheduled(1);
-	assert_message_empty(IN);
-	exchange_test_helper->process_message(exchange_test_helper, b, NULL);
-	assert_child_sa_state(b, 2, CHILD_DELETED, CHILD_OUTBOUND_NONE);
-	assert_child_sa_state(b, 4, CHILD_INSTALLED, CHILD_OUTBOUND_INSTALLED);
-	assert_child_sa_count(b, 2);
-	assert_ipsec_sas_installed(b, 2, 3, 4);
-	assert_scheduler();
 
-	/* simulate the execution of the scheduled jobs */
+	/* simulate the execution of the scheduled job */
 	destroy_rekeyed(a, 1);
 	assert_child_sa_count(a, 1);
 	assert_ipsec_sas_installed(a, 3, 4);
-	destroy_rekeyed(b, 2);
-	assert_child_sa_count(b, 1);
-	assert_ipsec_sas_installed(b, 3, 4);
 
 	/* child_rekey/child_updown */
 	assert_hook();
diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql
index 5d5283620..3f8b4c957 100644
--- a/src/libimcv/imv/data.sql
+++ b/src/libimcv/imv/data.sql
@@ -574,6 +574,24 @@ INSERT INTO products (      /* 96 */
  'Ubuntu 18.04 x86_64'
 );
 
+INSERT INTO products (      /* 97 */
+  name
+) VALUES (
+ 'Debian 9.5 i686'
+);
+
+INSERT INTO products (      /* 98 */
+  name
+) VALUES (
+ 'Debian 9.5 x86_64'
+);
+
+INSERT INTO products (      /* 99 */
+  name
+) VALUES (
+ 'Debian 9.6 x86_64'
+);
+
 /* Directories */
 
 INSERT INTO directories (		/*  1 */
@@ -671,7 +689,7 @@ INSERT INTO files (				/*  1 */
 INSERT INTO files (				/*  2 */
   name, dir
 ) VALUES (
- 'libcrypto.so.1.0.0', 11
+ 'libcrypto.so.1.1', 11
 );
 
 INSERT INTO files (				/*  3 */
@@ -683,7 +701,7 @@ INSERT INTO files (				/*  3 */
 INSERT INTO files (				/*  4 */
   name, dir
 ) VALUES (
- 'libssl.so.1.0.0', 11
+ 'libssl.so.1.1', 11
 );
 
 INSERT INTO files (				/*  5 */
@@ -1147,6 +1165,12 @@ INSERT INTO groups_product_defaults (
 INSERT INTO groups_product_defaults (
   group_id, product_id
 ) VALUES (
+  4, 97
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
   5, 2
 );
 
@@ -1267,6 +1291,18 @@ INSERT INTO groups_product_defaults (
 INSERT INTO groups_product_defaults (
   group_id, product_id
 ) VALUES (
+  5, 98
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 99
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
   6, 9
 );
 
@@ -1665,13 +1701,13 @@ INSERT INTO policies (			/* 11 */
 INSERT INTO policies (			/*  12 */
   type, name, file, rec_fail, rec_noresult
 ) VALUES (
-  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1', 2, 2, 2
 );
 
 INSERT INTO policies (			/* 13 */
   type, name, file, rec_fail, rec_noresult
 ) VALUES (
-  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.1', 4, 2, 2
 );
 
 INSERT INTO policies (			/* 14 */
diff --git a/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-7-1.swidtag b/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-7-2.swidtag
index 6ca455dac..77f00e036 100644
--- a/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-7-1.swidtag
+++ b/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-7-2.swidtag
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="utf-8"?>
 <SoftwareIdentity
   name="strongSwan"
-  tagId="strongSwan-5-7-1"
-  version="5.7.1" versionScheme="alphanumeric"
+  tagId="strongSwan-5-7-2"
+  version="5.7.2" versionScheme="alphanumeric"
   xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd">
   <Entity
     name="strongSwan Project"
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c b/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c
index 89ba86930..51bcdc410 100644
--- a/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c
@@ -249,8 +249,6 @@ static TNC_Result receive_msg(private_imv_attestation_agent_t *this,
 									   os_name.len, os_name.ptr);
 					}
 					break;
-
-					break;
 				}
 				case IETF_ATTR_STRING_VERSION:
 				{
diff --git a/src/libpttls/pt_tls_client.c b/src/libpttls/pt_tls_client.c
index 265a4a09a..f86f13dcc 100644
--- a/src/libpttls/pt_tls_client.c
+++ b/src/libpttls/pt_tls_client.c
@@ -231,7 +231,6 @@ static status_t do_sasl(private_pt_tls_client_t *this, sasl_mechanism_t *sasl)
 								reader->destroy(reader);
 								return FAILED;
 						}
-						break;
 					case PT_TLS_SASL_RESULT_MECH_FAILURE:
 					case PT_TLS_SASL_RESULT_FAILURE:
 						/* non-fatal failure, try again */
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 278c67405..b04627e63 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -551,6 +551,7 @@ static signature_params_t *create_rsa_pss_constraint(char *token)
 			.scheme = SIGN_RSA_EMSA_PSS,
 			.params = &pss,
 		};
+		rsa_pss_params_set_salt_len(&pss, 0);
 		params = signature_params_clone(&pss_params);
 	}
 	return params;
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index 0239ee17e..61dfbbcad 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -73,6 +73,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_SAFE_PRIMES",
 	"BUILD_SHARES",
 	"BUILD_THRESHOLD",
+	"BUILD_EDDSA_PUB",
 	"BUILD_EDDSA_PRIV_ASN1_DER",
 	"BUILD_END",
 );
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 7928ef487..b283bd166 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -156,6 +156,8 @@ enum builder_part_t {
 	BUILD_SHARES,
 	/** minimum number of participating private key shares */
 	BUILD_THRESHOLD,
+	/** EdDSA public key blob */
+	BUILD_EDDSA_PUB,
 	/** DER encoded ASN.1 EdDSA private key */
 	BUILD_EDDSA_PRIV_ASN1_DER,
 	/** end of variable argument builder list */
diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h
index d7cfdd74d..5cf8641ad 100644
--- a/src/libstrongswan/credentials/keys/private_key.h
+++ b/src/libstrongswan/credentials/keys/private_key.h
@@ -40,6 +40,19 @@ struct private_key_t {
 	key_type_t (*get_type)(private_key_t *this);
 
 	/**
+	 * Get signature schemes supported by this key.
+	 *
+	 * This is useful for keys that only support certain hash algorithms or
+	 * require specific parameters for RSA/PSS signatures.
+	 *
+	 * @note Implementing this method is optional. If multiple schemes are
+	 * returned, they should be ordered by decreasing preference.
+	 *
+	 * @return			enumerator over signature_params_t*
+	 */
+	enumerator_t *(*supported_signature_schemes)(private_key_t *this);
+
+	/**
 	 * Create a signature over a chunk of data.
 	 *
 	 * @param scheme	signature scheme to use
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index 89fa9b348..3ef6981f6 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -250,7 +250,7 @@ int signature_scheme_to_oid(signature_scheme_t scheme)
 #define PSS_PARAMS(bits) static rsa_pss_params_t pss_params_sha##bits = { \
 	.hash = HASH_SHA##bits, \
 	.mgf1_hash = HASH_SHA##bits, \
-	.salt_len = RSA_PSS_SALT_LEN_DEFAULT, \
+	.salt_len = HASH_SIZE_SHA##bits, \
 }
 
 PSS_PARAMS(256);
diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c
index 8f42fb940..d89bd2c96 100644
--- a/src/libstrongswan/credentials/keys/signature_params.c
+++ b/src/libstrongswan/credentials/keys/signature_params.c
@@ -18,22 +18,43 @@
 #include <asn1/oid.h>
 #include <asn1/asn1_parser.h>
 
-/**
- * Determine the salt length in case it is not configured
+/*
+ * Described in header
  */
-static ssize_t rsa_pss_salt_length(rsa_pss_params_t *pss)
+bool rsa_pss_params_set_salt_len(rsa_pss_params_t *params, size_t modbits)
 {
-	ssize_t salt_len = pss->salt_len;
+	size_t hash_len;
 
-	if (salt_len <= RSA_PSS_SALT_LEN_DEFAULT)
+	if (params->salt_len < 0)
 	{
-		salt_len = hasher_hash_size(pss->hash);
-		if (!salt_len)
+		hash_len = hasher_hash_size(params->hash);
+		if (!hash_len)
+		{
+			return FALSE;
+		}
+
+		switch (params->salt_len)
 		{
-			return -1;
+			case RSA_PSS_SALT_LEN_DEFAULT:
+				params->salt_len = hash_len;
+				break;
+			case RSA_PSS_SALT_LEN_MAX:
+				if (modbits)
+				{
+					/* emBits = modBits - 1 */
+					modbits -= 1;
+					/* emLen = ceil(emBits/8) */
+					modbits = (modbits+7) / BITS_PER_BYTE;
+					/* account for 0x01 separator in DB, 0xbc trailing byte */
+					params->salt_len = max(0, (ssize_t)(modbits - hash_len - 2));
+					break;
+				}
+				return FALSE;
+			default:
+				return FALSE;
 		}
 	}
-	return salt_len;
+	return TRUE;
 }
 
 /**
@@ -68,8 +89,7 @@ static bool compare_params(signature_params_t *a, signature_params_t *b,
 
 				return pss_a->hash == pss_b->hash &&
 					   pss_a->mgf1_hash == pss_b->mgf1_hash &&
-					   (!strict ||
-						rsa_pss_salt_length(pss_a) == rsa_pss_salt_length(pss_b));
+					   (!strict || pss_a->salt_len == pss_b->salt_len);
 			}
 			default:
 				break;
@@ -328,7 +348,6 @@ end:
 bool rsa_pss_params_build(rsa_pss_params_t *params, chunk_t *asn1)
 {
 	chunk_t hash = chunk_empty, mgf = chunk_empty, slen = chunk_empty;
-	ssize_t salt_len;
 	int alg;
 
 	if (params->hash != HASH_SHA1)
@@ -351,16 +370,15 @@ bool rsa_pss_params_build(rsa_pss_params_t *params, chunk_t *asn1)
 		mgf = asn1_algorithmIdentifier_params(OID_MGF1,
 											  asn1_algorithmIdentifier(alg));
 	}
-	salt_len = rsa_pss_salt_length(params);
-	if (salt_len < 0)
+	if (params->salt_len < 0)
 	{
 		chunk_free(&hash);
 		chunk_free(&mgf);
 		return FALSE;
 	}
-	else if (salt_len != HASH_SIZE_SHA1)
+	else if (params->salt_len != HASH_SIZE_SHA1)
 	{
-		slen = asn1_integer("m", asn1_integer_from_uint64(salt_len));
+		slen = asn1_integer("m", asn1_integer_from_uint64(params->salt_len));
 	}
 	*asn1 = asn1_wrap(ASN1_SEQUENCE, "mmm",
 				hash.len ? asn1_wrap(ASN1_CONTEXT_C_0, "m", hash) : chunk_empty,
diff --git a/src/libstrongswan/credentials/keys/signature_params.h b/src/libstrongswan/credentials/keys/signature_params.h
index 6934c5e88..b4169a829 100644
--- a/src/libstrongswan/credentials/keys/signature_params.h
+++ b/src/libstrongswan/credentials/keys/signature_params.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Tobias Brunner
+ * Copyright (C) 2017-2018 Tobias Brunner
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -100,11 +100,15 @@ struct rsa_pss_params_t {
 	hash_algorithm_t hash;
 	/** Hash for the MGF1 function */
 	hash_algorithm_t mgf1_hash;
-	/** Salt length, use RSA_PSS_SALT_LEN_DEFAULT for length equal to hash */
+	/** Salt length, use the constants below for special lengths resolved
+	 * via rsa_pss_params_set_salt_len() */
 	ssize_t salt_len;
 	/** Salt value, for unit tests (not all implementations support this) */
 	chunk_t salt;
+/** Use a salt length equal to the length of the hash */
 #define RSA_PSS_SALT_LEN_DEFAULT -1
+/** Use the maximum salt length depending on the hash and key length */
+#define RSA_PSS_SALT_LEN_MAX -2
 };
 
 /**
@@ -126,4 +130,15 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params);
  */
 bool rsa_pss_params_build(rsa_pss_params_t *params, chunk_t *asn1);
 
+/**
+ * Determine and set the salt length for the given params in case constants
+ * are used
+ *
+ * @param params	parameters to update
+ * @param modbits	RSA modulus length in bits (required if RSA_PSS_SALT_LEN_MAX
+ *					is used)
+ * @return			salt length to use, negative on error
+ */
+bool rsa_pss_params_set_salt_len(rsa_pss_params_t *params, size_t modbits);
+
 #endif /** SIGNATURE_PARAMS_H_ @}*/
diff --git a/src/libstrongswan/crypto/mac.h b/src/libstrongswan/crypto/mac.h
index 50dc4c73a..97cb7e352 100644
--- a/src/libstrongswan/crypto/mac.h
+++ b/src/libstrongswan/crypto/mac.h
@@ -39,12 +39,12 @@ struct mac_t {
 	 *
 	 * If out is NULL, no result is given back.  A next call will
 	 * append the data to already supplied data.  If out is not NULL,
-	 * the mac of all apended data is calculated, written to out and the
+	 * the MAC of all appended data is calculated, written to out and the
 	 * internal state is reset.
 	 *
 	 * @param data		chunk of data to authenticate
 	 * @param out		pointer where the generated bytes will be written
-	 * @return			TRUE if mac generated successfully
+	 * @return			TRUE if MAC generated successfully
 	 */
 	bool (*get_mac)(mac_t *this, chunk_t data,
 					uint8_t *out) __attribute__((warn_unused_result));
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
index cad94aa82..a078d3b30 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
@@ -1,4 +1,4 @@
-/* C code produced by gperf version 3.0.4 */
+/* ANSI-C code produced by gperf version 3.1 */
 /* Command-line: /usr/bin/gperf -N proposal_get_token_static -m 10 -C -G -c -t -D  */
 /* Computed positions: -k'1,5-7,10,15,$' */
 
@@ -26,7 +26,7 @@
       && ('w' == 119) && ('x' == 120) && ('y' == 121) && ('z' == 122) \
       && ('{' == 123) && ('|' == 124) && ('}' == 125) && ('~' == 126))
 /* The character set is not based on ISO-646.  */
-error "gperf generated tables don't work with this execution character set. Please report a bug to <bug-gnu-gperf@gnu.org>."
+#error "gperf generated tables don't work with this execution character set. Please report a bug to <bug-gperf@gnu.org>."
 #endif
 
 
@@ -74,9 +74,7 @@ inline
 #endif
 #endif
 static unsigned int
-hash (str, len)
-     register const char *str;
-     register unsigned int len;
+hash (register const char *str, register size_t len)
 {
   static const unsigned char asso_values[] =
     {
@@ -107,7 +105,7 @@ hash (str, len)
       251, 251, 251, 251, 251, 251, 251, 251, 251, 251,
       251, 251, 251, 251, 251, 251, 251
     };
-  register int hval = len;
+  register unsigned int hval = len;
 
   switch (hval)
     {
@@ -320,22 +318,14 @@ static const short lookup[] =
     143
   };
 
-#ifdef __GNUC__
-__inline
-#if defined __GNUC_STDC_INLINE__ || defined __GNUC_GNU_INLINE__
-__attribute__ ((__gnu_inline__))
-#endif
-#endif
 const struct proposal_token *
-proposal_get_token_static (str, len)
-     register const char *str;
-     register unsigned int len;
+proposal_get_token_static (register const char *str, register size_t len)
 {
   if (len <= MAX_WORD_LENGTH && len >= MIN_WORD_LENGTH)
     {
-      register int key = hash (str, len);
+      register unsigned int key = hash (str, len);
 
-      if (key <= MAX_HASH_VALUE && key >= 0)
+      if (key <= MAX_HASH_VALUE)
         {
           register int index = lookup[key];
 
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.h b/src/libstrongswan/crypto/proposal/proposal_keywords_static.h
index 1345f36bb..a0beec0bb 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.h
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.h
@@ -19,7 +19,7 @@
 #include "proposal_keywords.h"
 
 const proposal_token_t* proposal_get_token_static(register const char *str,
-												  register unsigned len);
+												  register size_t len);
 
 #endif /* PROPOSAL_KEYWORDS_STATIC_H_ */
 
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index 77c29916c..db87affc9 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -82,6 +82,14 @@ enum agent_msg_type_t {
 };
 
 /**
+ * Flags for signatures
+ */
+enum agent_signature_flags_t {
+	SSH_AGENT_FLAG_SHA2_256 = 2,
+	SSH_AGENT_FLAG_SHA2_512 = 4,
+};
+
+/**
  * read a byte from a blob
  */
 static u_char read_byte(chunk_t *blob)
@@ -217,12 +225,35 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 }
 
 static bool scheme_supported(private_agent_private_key_t *this,
-							signature_scheme_t scheme)
+							 signature_scheme_t scheme, uint32_t *flags,
+							 char **prefix)
 {
 	switch (this->pubkey->get_type(this->pubkey))
 	{
 		case KEY_RSA:
-			return scheme == SIGN_RSA_EMSA_PKCS1_SHA1;
+			switch (scheme)
+			{
+				case SIGN_RSA_EMSA_PKCS1_SHA1:
+					*prefix = "ssh-rsa";
+					return TRUE;
+				case SIGN_RSA_EMSA_PKCS1_SHA2_256:
+					*flags |= SSH_AGENT_FLAG_SHA2_256;
+					*prefix = "rsa-sha2-256";
+					return TRUE;
+				case SIGN_RSA_EMSA_PKCS1_SHA2_512:
+					*flags |= SSH_AGENT_FLAG_SHA2_512;
+					*prefix = "rsa-sha2-512";
+					return TRUE;
+				default:
+					break;
+			}
+			return FALSE;
+		case KEY_ED25519:
+			*prefix = "ssh-ed25519";
+			return scheme == SIGN_ED25519;
+		case KEY_ED448:
+			*prefix = "ssh-ed448";
+			return scheme == SIGN_ED448;
 		case KEY_ECDSA:
 			return scheme == SIGN_ECDSA_256 ||
 				   scheme == SIGN_ECDSA_384 ||
@@ -236,11 +267,12 @@ METHOD(private_key_t, sign, bool,
 	private_agent_private_key_t *this, signature_scheme_t scheme, void *params,
 	chunk_t data, chunk_t *signature)
 {
-	uint32_t len, flags;
-	char buf[2048];
+	key_type_t type;
+	uint32_t len, flags = 0;
+	char buf[2048], *prefix = NULL;
 	chunk_t blob;
 
-	if (!scheme_supported(this, scheme))
+	if (!scheme_supported(this, scheme, &flags, &prefix))
 	{
 		DBG1(DBG_LIB, "signature scheme %N not supported by ssh-agent",
 			 signature_scheme_names, scheme);
@@ -272,7 +304,7 @@ METHOD(private_key_t, sign, bool,
 		return FALSE;
 	}
 
-	flags = htonl(0);
+	flags = htonl(flags);
 	if (write(this->socket, &flags, sizeof(flags)) != sizeof(flags))
 	{
 		DBG1(DBG_LIB, "writing to ssh-agent failed");
@@ -290,9 +322,15 @@ METHOD(private_key_t, sign, bool,
 	}
 	/* parse length */
 	blob = read_string(&blob);
-	/* check sig type */
-	if (chunk_equals(read_string(&blob), chunk_from_str("ssh-rsa")))
-	{	/* for RSA the signature has no special encoding */
+	/* verify type */
+	if (prefix && !chunk_equals(read_string(&blob), chunk_from_str(prefix)))
+	{
+		DBG1(DBG_LIB, "ssh-agent didn't return requested %s signature", prefix);
+		return FALSE;
+	}
+	type = this->pubkey->get_type(this->pubkey);
+	if (type == KEY_RSA || type == KEY_ED25519 || type == KEY_ED448)
+	{	/* for RSA/EdDSA, the signature has no special encoding */
 		blob = read_string(&blob);
 		if (blob.len)
 		{
@@ -301,7 +339,7 @@ METHOD(private_key_t, sign, bool,
 		}
 	}
 	else
-	{	/* anything else is treated as ECSDA for now */
+	{	/* parse ECDSA signatures */
 		blob = read_string(&blob);
 		if (blob.len)
 		{
@@ -340,6 +378,80 @@ METHOD(private_key_t, get_keysize, int,
 	return this->pubkey->get_keysize(this->pubkey);
 }
 
+/**
+ * Private data for RSA scheme enumerator
+ */
+typedef struct {
+	enumerator_t public;
+	int index;
+	bool reverse;
+} scheme_enumerator_t;
+
+static signature_params_t rsa_schemes[] = {
+	{ .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256 },
+	{ .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512 },
+};
+
+METHOD(enumerator_t, enumerate_rsa_scheme, bool,
+	scheme_enumerator_t *this, va_list args)
+{
+	signature_params_t **params;
+
+	VA_ARGS_VGET(args, params);
+
+	if ((this->reverse && --this->index >= 0) ||
+	   (!this->reverse && ++this->index < countof(rsa_schemes)))
+	{
+		*params = &rsa_schemes[this->index];
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Create an enumerator for the supported RSA signature schemes
+ */
+static enumerator_t *create_rsa_enumerator(private_agent_private_key_t *this)
+{
+	scheme_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = enumerator_enumerate_default,
+			.venumerate = _enumerate_rsa_scheme,
+			.destroy = (void*)free,
+		},
+		.index = -1,
+		.reverse = FALSE,
+	);
+	/* propose SHA-512 first for larger keys */
+	if (get_keysize(this) > 3072)
+	{
+		enumerator->index = countof(rsa_schemes);
+		enumerator->reverse = TRUE;
+	}
+	return &enumerator->public;
+}
+
+METHOD(private_key_t, supported_signature_schemes, enumerator_t*,
+	private_agent_private_key_t *this)
+{
+	key_type_t type = get_type(this);
+
+	switch (type)
+	{
+		case KEY_RSA:
+			return create_rsa_enumerator(this);
+		case KEY_ED25519:
+		case KEY_ED448:
+		case KEY_ECDSA:
+			return signature_schemes_for_key(type, get_keysize(this));
+		default:
+			break;
+	}
+	return enumerator_create_empty();
+}
+
 METHOD(private_key_t, get_public_key, public_key_t*,
 	private_agent_private_key_t *this)
 {
@@ -413,6 +525,7 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args)
 		.public = {
 			.key = {
 				.get_type = _get_type,
+				.supported_signature_schemes = _supported_signature_schemes,
 				.sign = _sign,
 				.decrypt = _decrypt,
 				.get_keysize = _get_keysize,
diff --git a/src/libstrongswan/plugins/botan/Makefile.am b/src/libstrongswan/plugins/botan/Makefile.am
index c1160145a..30d3e601c 100644
--- a/src/libstrongswan/plugins/botan/Makefile.am
+++ b/src/libstrongswan/plugins/botan/Makefile.am
@@ -23,9 +23,11 @@ libstrongswan_botan_la_SOURCES = \
 	botan_ec_diffie_hellman.h botan_ec_diffie_hellman.c \
 	botan_ec_public_key.h botan_ec_public_key.c \
 	botan_ec_private_key.h botan_ec_private_key.c \
+	botan_ed_public_key.h botan_ed_public_key.c \
+	botan_ed_private_key.h botan_ed_private_key.c \
 	botan_util.h botan_util.c \
 	botan_util_keys.h botan_util_keys.c \
-	botan_gcm.h botan_gcm.c \
+	botan_aead.h botan_aead.c \
 	botan_x25519.h botan_x25519.c
 
 libstrongswan_botan_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/botan/Makefile.in b/src/libstrongswan/plugins/botan/Makefile.in
index ef9f88610..3bb3e22f4 100644
--- a/src/libstrongswan/plugins/botan/Makefile.in
+++ b/src/libstrongswan/plugins/botan/Makefile.in
@@ -142,8 +142,9 @@ am_libstrongswan_botan_la_OBJECTS = botan_plugin.lo botan_rng.lo \
 	botan_hasher.lo botan_hmac.lo botan_crypter.lo \
 	botan_rsa_public_key.lo botan_rsa_private_key.lo \
 	botan_diffie_hellman.lo botan_ec_diffie_hellman.lo \
-	botan_ec_public_key.lo botan_ec_private_key.lo botan_util.lo \
-	botan_util_keys.lo botan_gcm.lo botan_x25519.lo
+	botan_ec_public_key.lo botan_ec_private_key.lo \
+	botan_ed_public_key.lo botan_ed_private_key.lo botan_util.lo \
+	botan_util_keys.lo botan_aead.lo botan_x25519.lo
 libstrongswan_botan_la_OBJECTS = $(am_libstrongswan_botan_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -478,9 +479,11 @@ libstrongswan_botan_la_SOURCES = \
 	botan_ec_diffie_hellman.h botan_ec_diffie_hellman.c \
 	botan_ec_public_key.h botan_ec_public_key.c \
 	botan_ec_private_key.h botan_ec_private_key.c \
+	botan_ed_public_key.h botan_ed_public_key.c \
+	botan_ed_private_key.h botan_ed_private_key.c \
 	botan_util.h botan_util.c \
 	botan_util_keys.h botan_util_keys.c \
-	botan_gcm.h botan_gcm.c \
+	botan_aead.h botan_aead.c \
 	botan_x25519.h botan_x25519.c
 
 libstrongswan_botan_la_LDFLAGS = -module -avoid-version
@@ -574,12 +577,14 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_aead.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_crypter.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_diffie_hellman.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_ec_diffie_hellman.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_ec_private_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_ec_public_key.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_gcm.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_ed_private_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_ed_public_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_hasher.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_hmac.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_plugin.Plo@am__quote@
diff --git a/src/libstrongswan/plugins/botan/botan_gcm.c b/src/libstrongswan/plugins/botan/botan_aead.c
index 7e0fc1468..40006ae77 100644
--- a/src/libstrongswan/plugins/botan/botan_gcm.c
+++ b/src/libstrongswan/plugins/botan/botan_aead.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2018 Atanas Filyanov
  * Rohde & Schwarz Cybersecurity GmbH
  *
@@ -21,23 +24,28 @@
  * THE SOFTWARE.
  */
 
-#include "botan_gcm.h"
+#include "botan_aead.h"
 
 #include <botan/build.h>
 
-#ifdef BOTAN_HAS_AES
-#ifdef BOTAN_HAS_AEAD_GCM
+#if (defined(BOTAN_HAS_AES) && \
+		(defined(BOTAN_HAS_AEAD_GCM) || defined(BOTAN_HAS_AEAD_CCM))) || \
+	defined(BOTAN_HAS_AEAD_CHACHA20_POLY1305)
 
 #include <crypto/iv/iv_gen_seq.h>
 
 #include <botan/ffi.h>
 
 /**
- * as defined in RFC 4106
+ * As defined in RFC 4106 (GCM) and RFC 7634 (ChaPoly)
  */
-#define IV_LEN		8
-#define SALT_LEN	4
-#define NONCE_LEN	(IV_LEN + SALT_LEN)
+#define IV_LEN			8
+#define SALT_LEN		4
+#define CHAPOLY_KEY_LEN	32
+/**
+ * As defined in RFC 4309
+ */
+#define CCM_SALT_LEN	3
 
 typedef struct private_aead_t private_aead_t;
 
@@ -56,7 +64,7 @@ struct private_aead_t {
 	/**
 	 * Salt value
 	 */
-	char salt[SALT_LEN];
+	chunk_t salt;
 
 	/**
 	 * Size of the integrity check value
@@ -77,15 +85,12 @@ struct private_aead_t {
 /**
  * Do the actual en/decryption
  */
-static bool crypt(private_aead_t *this, chunk_t data, chunk_t assoc, chunk_t iv,
-				  u_char *out, uint32_t init_flag)
+static bool do_crypt(private_aead_t *this, chunk_t data, chunk_t assoc,
+					 chunk_t iv, u_char *out, uint32_t init_flag)
 {
 	botan_cipher_t cipher;
-	uint8_t nonce[NONCE_LEN];
 	size_t output_written = 0, input_consumed = 0;
-
-	memcpy(nonce, this->salt, SALT_LEN);
-	memcpy(nonce + SALT_LEN, iv.ptr, IV_LEN);
+	chunk_t nonce;
 
 	if (botan_cipher_init(&cipher, this->cipher_name, init_flag))
 	{
@@ -105,7 +110,9 @@ static bool crypt(private_aead_t *this, chunk_t data, chunk_t assoc, chunk_t iv,
 		return FALSE;
 	}
 
-	if (botan_cipher_start(cipher, nonce, NONCE_LEN))
+	nonce = chunk_cata("cc", this->salt, iv);
+
+	if (botan_cipher_start(cipher, nonce.ptr, nonce.len))
 	{
 		botan_cipher_destroy(cipher);
 		return FALSE;
@@ -149,7 +156,8 @@ METHOD(aead_t, encrypt, bool,
 		*encrypted = chunk_alloc(plain.len + this->icv_size);
 		out = encrypted->ptr;
 	}
-	return crypt(this, plain, assoc, iv, out, BOTAN_CIPHER_INIT_FLAG_ENCRYPT);
+	return do_crypt(this, plain, assoc, iv, out,
+					BOTAN_CIPHER_INIT_FLAG_ENCRYPT);
 }
 
 METHOD(aead_t, decrypt, bool,
@@ -170,8 +178,8 @@ METHOD(aead_t, decrypt, bool,
 		*plain = chunk_alloc(encrypted.len);
 		out = plain->ptr;
 	}
-	return crypt(this, encrypted, assoc, iv, out,
-				 BOTAN_CIPHER_INIT_FLAG_DECRYPT);
+	return do_crypt(this, encrypted, assoc, iv, out,
+					BOTAN_CIPHER_INIT_FLAG_DECRYPT);
 }
 
 METHOD(aead_t, get_block_size, size_t,
@@ -201,7 +209,7 @@ METHOD(aead_t, get_iv_gen, iv_gen_t*,
 METHOD(aead_t, get_key_size, size_t,
 	private_aead_t *this)
 {
-	return this->key.len + SALT_LEN;
+	return this->key.len + this->salt.len;
 }
 
 METHOD(aead_t, set_key, bool,
@@ -211,7 +219,7 @@ METHOD(aead_t, set_key, bool,
 	{
 		return FALSE;
 	}
-	memcpy(this->salt, key.ptr + key.len - SALT_LEN, SALT_LEN);
+	memcpy(this->salt.ptr, key.ptr + key.len - this->salt.len, this->salt.len);
 	memcpy(this->key.ptr, key.ptr, this->key.len);
 	return TRUE;
 }
@@ -220,15 +228,82 @@ METHOD(aead_t, destroy, void,
 	private_aead_t *this)
 {
 	chunk_clear(&this->key);
+	chunk_clear(&this->salt);
 	this->iv_gen->destroy(this->iv_gen);
 	free(this);
 }
 
+#ifdef BOTAN_HAS_AES
+#if defined(BOTAN_HAS_AEAD_GCM) || defined(BOTAN_HAS_AEAD_GCM)
+
+static struct {
+	encryption_algorithm_t algo;
+	size_t key_size;
+	char *name;
+	size_t icv_size;
+} aes_modes[] = {
+	{ ENCR_AES_GCM_ICV8,  16, "AES-128/GCM(8)",     8 },
+	{ ENCR_AES_GCM_ICV8,  24, "AES-192/GCM(8)",     8 },
+	{ ENCR_AES_GCM_ICV8,  32, "AES-256/GCM(8)",     8 },
+	{ ENCR_AES_GCM_ICV12, 16, "AES-128/GCM(12)",   12 },
+	{ ENCR_AES_GCM_ICV12, 24, "AES-192/GCM(12)",   12 },
+	{ ENCR_AES_GCM_ICV12, 32, "AES-256/GCM(12)",   12 },
+	{ ENCR_AES_GCM_ICV16, 16, "AES-128/GCM(16)",   16 },
+	{ ENCR_AES_GCM_ICV16, 24, "AES-192/GCM(16)",   16 },
+	{ ENCR_AES_GCM_ICV16, 32, "AES-256/GCM(16)",   16 },
+	{ ENCR_AES_CCM_ICV8,  16, "AES-128/CCM(8,4)",   8 },
+	{ ENCR_AES_CCM_ICV8,  24, "AES-192/CCM(8,4)",   8 },
+	{ ENCR_AES_CCM_ICV8,  32, "AES-256/CCM(8,4)",   8 },
+	{ ENCR_AES_CCM_ICV12, 16, "AES-128/CCM(12,4)", 12 },
+	{ ENCR_AES_CCM_ICV12, 24, "AES-192/CCM(12,4)", 12 },
+	{ ENCR_AES_CCM_ICV12, 32, "AES-256/CCM(12,4)", 12 },
+	{ ENCR_AES_CCM_ICV16, 16, "AES-128/CCM(16,4)", 16 },
+	{ ENCR_AES_CCM_ICV16, 24, "AES-192/CCM(16,4)", 16 },
+	{ ENCR_AES_CCM_ICV16, 32, "AES-256/CCM(16,4)", 16 },
+};
+
+/**
+ * Determine the cipher name and ICV size for the given algorithm and key size
+ */
+static bool determine_aes_params(private_aead_t *this,
+								 encryption_algorithm_t algo, size_t key_size)
+{
+	int i;
+
+	for (i = 0; i < countof(aes_modes); i++)
+	{
+		if (aes_modes[i].algo == algo &&
+			aes_modes[i].key_size == key_size)
+		{
+			this->cipher_name = aes_modes[i].name;
+			this->icv_size = aes_modes[i].icv_size;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+#endif
+#endif
+
+/**
+ * Check the given salt size, set it if not set
+ */
+static bool check_salt_size(size_t expected, size_t *salt_size)
+{
+	if (*salt_size)
+	{
+		return *salt_size == expected;
+	}
+	*salt_size = expected;
+	return TRUE;
+}
+
 /*
  * Described in header
  */
-aead_t *botan_gcm_create(encryption_algorithm_t algo, size_t key_size,
-						 size_t salt_size)
+aead_t *botan_aead_create(encryption_algorithm_t algo, size_t key_size,
+						  size_t salt_size)
 {
 	private_aead_t *this;
 
@@ -246,88 +321,68 @@ aead_t *botan_gcm_create(encryption_algorithm_t algo, size_t key_size,
 		},
 	);
 
-	if (salt_size && salt_size != SALT_LEN)
-	{
-		/* currently not supported */
-		free(this);
-		return NULL;
-	}
-
 	switch (algo)
 	{
+#ifdef BOTAN_HAS_AES
+#ifdef BOTAN_HAS_AEAD_GCM
 		case ENCR_AES_GCM_ICV8:
-			switch (key_size)
+		case ENCR_AES_GCM_ICV12:
+		case ENCR_AES_GCM_ICV16:
+			if (!key_size)
 			{
-				case 0:
-					key_size = 16;
-					/* FALL */
-				case 16:
-					this->cipher_name = "AES-128/GCM(8)";
-					break;
-				case 24:
-					this->cipher_name = "AES-192/GCM(8)";
-					break;
-				case 32:
-					this->cipher_name = "AES-256/GCM(8)";
-					break;
-				default:
-					free(this);
-					return NULL;
+				key_size = 16;
+			}
+			if (!check_salt_size(SALT_LEN, &salt_size) ||
+				!determine_aes_params(this, algo, key_size))
+			{
+				free(this);
+				return NULL;
 			}
-			this->icv_size = 8;
 			break;
-		case ENCR_AES_GCM_ICV12:
-			switch (key_size)
+#endif
+#ifdef BOTAN_HAS_AEAD_CCM
+		case ENCR_AES_CCM_ICV8:
+		case ENCR_AES_CCM_ICV12:
+		case ENCR_AES_CCM_ICV16:
+			if (!key_size)
 			{
-				case 0:
-					key_size = 16;
-					/* FALL */
-				case 16:
-					this->cipher_name = "AES-128/GCM(12)";
-					break;
-				case 24:
-					this->cipher_name = "AES-192/GCM(12)";
-					break;
-				case 32:
-					this->cipher_name = "AES-256/GCM(12)";
-					break;
-				default:
-					free(this);
-					return NULL;
+				key_size = 16;
+			}
+			if (!check_salt_size(CCM_SALT_LEN, &salt_size) ||
+				!determine_aes_params(this, algo, key_size))
+			{
+				free(this);
+				return NULL;
 			}
-			this->icv_size = 12;
 			break;
-		case ENCR_AES_GCM_ICV16:
-			switch (key_size)
+#endif
+#endif
+#ifdef BOTAN_HAS_AEAD_CHACHA20_POLY1305
+		case ENCR_CHACHA20_POLY1305:
+			if (!key_size)
+			{
+				key_size = CHAPOLY_KEY_LEN;
+			}
+			if (key_size != CHAPOLY_KEY_LEN ||
+				!check_salt_size(SALT_LEN, &salt_size))
 			{
-				case 0:
-					key_size = 16;
-					/* FALL */
-				case 16:
-					this->cipher_name = "AES-128/GCM";
-					break;
-				case 24:
-					this->cipher_name = "AES-192/GCM";
-					break;
-				case 32:
-					this->cipher_name = "AES-256/GCM";
-					break;
-				default:
-					free(this);
-					return NULL;
+				free(this);
+				return NULL;
 			}
+			this->cipher_name = "ChaCha20Poly1305";
 			this->icv_size = 16;
 			break;
+#endif
 		default:
 			free(this);
 			return NULL;
 	}
 
 	this->key = chunk_alloc(key_size);
+	this->salt = chunk_alloc(salt_size);
 	this->iv_gen = iv_gen_seq_create();
 
 	return &this->public;
 }
 
 #endif
-#endif
diff --git a/src/libstrongswan/plugins/botan/botan_gcm.h b/src/libstrongswan/plugins/botan/botan_aead.h
index b2053cb4d..00a2ba4bc 100644
--- a/src/libstrongswan/plugins/botan/botan_gcm.h
+++ b/src/libstrongswan/plugins/botan/botan_aead.h
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2018 Atanas Filyanov
  * Rohde & Schwarz Cybersecurity GmbH
  *
@@ -22,14 +25,14 @@
  */
 
 /**
- * Implements the aead_t interface using Botan in GCM mode.
+ * Implements the aead_t interface using Botan.
  *
- * @defgroup botan_gcm botan_gcm
+ * @defgroup botan_aead botan_aead
  * @{ @ingroup botan_p
  */
 
-#ifndef BOTAN_GCM_H_
-#define BOTAN_GCM_H_
+#ifndef BOTAN_AEAD_H_
+#define BOTAN_AEAD_H_
 
 #include <crypto/aead.h>
 
@@ -41,7 +44,7 @@
  * @param salt_size		size of implicit salt length
  * @return				aead_t object, NULL if not supported
  */
-aead_t *botan_gcm_create(encryption_algorithm_t algo, size_t key_size,
-						 size_t salt_size);
+aead_t *botan_aead_create(encryption_algorithm_t algo, size_t key_size,
+						  size_t salt_size);
 
-#endif /** BOTAN_GCM_H_ @}*/
+#endif /** BOTAN_AEAD_H_ @}*/
diff --git a/src/libstrongswan/plugins/botan/botan_crypter.c b/src/libstrongswan/plugins/botan/botan_crypter.c
index 002be6ea8..3ec5c4d5e 100644
--- a/src/libstrongswan/plugins/botan/botan_crypter.c
+++ b/src/libstrongswan/plugins/botan/botan_crypter.c
@@ -25,6 +25,10 @@
 
 #include "botan_crypter.h"
 
+#include <botan/build.h>
+
+#if defined(BOTAN_HAS_AES) && defined(BOTAN_HAS_MODE_CBC)
+
 #include <botan/ffi.h>
 
 typedef struct private_botan_crypter_t private_botan_crypter_t;
@@ -189,3 +193,5 @@ botan_crypter_t *botan_crypter_create(encryption_algorithm_t algo,
 	this->key = chunk_alloc(key_size);
 	return &this->public;
 }
+
+#endif
diff --git a/src/libstrongswan/plugins/botan/botan_ec_public_key.c b/src/libstrongswan/plugins/botan/botan_ec_public_key.c
index 4c85dbcec..095ae3f20 100644
--- a/src/libstrongswan/plugins/botan/botan_ec_public_key.c
+++ b/src/libstrongswan/plugins/botan/botan_ec_public_key.c
@@ -69,9 +69,7 @@ static bool verify_signature(private_botan_ec_public_key_t *this,
 	const char* hash_and_padding, int signature_format, size_t keylen,
 	chunk_t data, chunk_t signature)
 {
-	botan_pk_op_verify_t verify_op;
 	chunk_t sig = signature;
-	bool valid = FALSE;
 
 	if (signature_format == SIG_FORMAT_DER_SEQUENCE)
 	{
@@ -104,22 +102,7 @@ static bool verify_signature(private_botan_ec_public_key_t *this,
 		memcpy(sig.ptr + (keylen - r.len), r.ptr, r.len);
 		memcpy(sig.ptr + keylen + (keylen - s.len), s.ptr, s.len);
 	}
-
-	if (botan_pk_op_verify_create(&verify_op, this->key, hash_and_padding, 0))
-	{
-		return FALSE;
-	}
-
-	if (botan_pk_op_verify_update(verify_op, data.ptr, data.len))
-	{
-		botan_pk_op_verify_destroy(verify_op);
-		return FALSE;
-	}
-
-	valid = !(botan_pk_op_verify_finish(verify_op, sig.ptr, sig.len));
-
-	botan_pk_op_verify_destroy(verify_op);
-	return valid;
+	return botan_verify_signature(this->key, hash_and_padding, data, sig);
 }
 
 METHOD(public_key_t, get_type, key_type_t,
diff --git a/src/libstrongswan/plugins/botan/botan_ed_private_key.c b/src/libstrongswan/plugins/botan/botan_ed_private_key.c
new file mode 100644
index 000000000..3f0f54222
--- /dev/null
+++ b/src/libstrongswan/plugins/botan/botan_ed_private_key.c
@@ -0,0 +1,279 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "botan_ed_private_key.h"
+#include "botan_ed_public_key.h"
+#include "botan_util.h"
+
+#include <botan/build.h>
+
+#ifdef BOTAN_HAS_ED25519
+
+#include <asn1/asn1.h>
+#include <utils/debug.h>
+
+typedef struct private_private_key_t private_private_key_t;
+
+#define ED25519_KEY_LEN 32
+
+/**
+ * Private data
+ */
+struct private_private_key_t {
+
+	/**
+	 * Public interface
+	 */
+	private_key_t public;
+
+	/**
+	 * Botan private key object
+	 */
+	botan_privkey_t key;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(private_key_t, sign, bool,
+	private_private_key_t *this, signature_scheme_t scheme,
+	void *params, chunk_t data, chunk_t *signature)
+{
+	switch (scheme)
+	{
+		case SIGN_ED25519:
+			return botan_get_signature(this->key, "Pure", data, signature);
+		default:
+			DBG1(DBG_LIB, "signature scheme %N not supported via botan",
+				 signature_scheme_names, scheme);
+			return FALSE;
+	}
+}
+
+METHOD(private_key_t, decrypt, bool,
+	private_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
+{
+	DBG1(DBG_LIB, "EdDSA private key decryption not implemented");
+	return FALSE;
+}
+
+METHOD(private_key_t, get_keysize, int,
+	private_private_key_t *this)
+{
+	return ED25519_KEY_LEN * 8;
+}
+
+METHOD(private_key_t, get_type, key_type_t,
+	private_private_key_t *this)
+{
+	return KEY_ED25519;
+}
+
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_private_key_t *this)
+{
+	botan_pubkey_t pubkey;
+
+	if (botan_privkey_export_pubkey(&pubkey, this->key))
+	{
+		return NULL;
+	}
+	return botan_ed_public_key_adopt(pubkey);
+}
+
+METHOD(private_key_t, get_fingerprint, bool,
+	private_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *fingerprint)
+{
+	botan_pubkey_t pubkey;
+	bool success = FALSE;
+
+	/* check the cache before doing the export */
+	if (lib->encoding->get_cache(lib->encoding, type, this, fingerprint))
+	{
+		return TRUE;
+	}
+
+	if (botan_privkey_export_pubkey(&pubkey, this->key))
+	{
+		return FALSE;
+	}
+	success = botan_get_fingerprint(pubkey, this, type, fingerprint);
+	botan_pubkey_destroy(pubkey);
+	return success;
+}
+
+METHOD(private_key_t, get_encoding, bool,
+	private_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
+{
+	return botan_get_privkey_encoding(this->key, type, encoding);
+}
+
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_private_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public;
+}
+
+METHOD(private_key_t, destroy, void,
+	private_private_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		lib->encoding->clear_cache(lib->encoding, this);
+		botan_privkey_destroy(this->key);
+		free(this);
+	}
+}
+
+/**
+ * Internal generic constructor
+ */
+static private_private_key_t *create_empty()
+{
+	private_private_key_t *this;
+
+	INIT(this,
+		.public = {
+			.get_type = _get_type,
+			.sign = _sign,
+			.decrypt = _decrypt,
+			.get_keysize = _get_keysize,
+			.get_public_key = _get_public_key,
+			.equals = private_key_equals,
+			.belongs_to = private_key_belongs_to,
+			.get_fingerprint = _get_fingerprint,
+			.has_fingerprint = private_key_has_fingerprint,
+			.get_encoding = _get_encoding,
+			.get_ref = _get_ref,
+			.destroy = _destroy,
+		},
+		.ref = 1,
+	);
+
+	return this;
+}
+
+/*
+ * Described in header
+ */
+private_key_t *botan_ed_private_key_adopt(botan_privkey_t key)
+{
+	private_private_key_t *this;
+
+	this = create_empty();
+	this->key = key;
+
+	return &this->public;
+}
+
+/*
+ * Described in header
+ */
+private_key_t *botan_ed_private_key_gen(key_type_t type, va_list args)
+{
+	private_private_key_t *this;
+	botan_rng_t rng;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_KEY_SIZE:
+				/* just ignore the key size */
+				va_arg(args, u_int);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	if (botan_rng_init(&rng, "system"))
+	{
+		return NULL;
+	}
+
+	this = create_empty();
+
+	if (botan_privkey_create(&this->key, "Ed25519", NULL, rng))
+	{
+		DBG1(DBG_LIB, "EdDSA private key generation failed");
+		botan_rng_destroy(rng);
+		free(this);
+		return NULL;
+	}
+
+	botan_rng_destroy(rng);
+	return &this->public;
+}
+
+/*
+ * Described in header
+ */
+private_key_t *botan_ed_private_key_load(key_type_t type, va_list args)
+{
+	private_private_key_t *this;
+	chunk_t key = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_EDDSA_PRIV_ASN1_DER:
+				key = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	/* PKCS#8-encoded keys are handled generically, so we only handle the
+	 * explicit case */
+	if (asn1_unwrap(&key, &key) != ASN1_OCTET_STRING ||
+		key.len != ED25519_KEY_LEN)
+	{
+		return NULL;
+	}
+
+	this = create_empty();
+
+	if (botan_privkey_load_ed25519(&this->key, key.ptr))
+	{
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+#endif
diff --git a/src/libstrongswan/plugins/botan/botan_ed_private_key.h b/src/libstrongswan/plugins/botan/botan_ed_private_key.h
new file mode 100644
index 000000000..f7f32e8f3
--- /dev/null
+++ b/src/libstrongswan/plugins/botan/botan_ed_private_key.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+/**
+ * @defgroup botan_ed_private_key botan_ed_private_key
+ * @{ @ingroup botan_p
+ */
+
+#ifndef BOTAN_ED_PRIVATE_KEY_H_
+#define BOTAN_ED_PRIVATE_KEY_H_
+
+#include <botan/ffi.h>
+
+#include <credentials/builder.h>
+#include <credentials/keys/private_key.h>
+
+/**
+ * Generate an EdDSA private key using Botan.
+ *
+ * @param type		type of the key, must be KEY_ED25519
+ * @param args		builder_part_t argument list
+ * @return 			generated key, NULL on failure
+ */
+private_key_t *botan_ed_private_key_gen(key_type_t type, va_list args);
+
+/**
+ * Load an EdDSA private key using Botan.
+ *
+ * @param type		type of the key, must be KEY_ED25519
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
+ */
+private_key_t *botan_ed_private_key_load(key_type_t type, va_list args);
+
+/**
+ * Load an EdDSA private key by adopting a botan_privkey_t object.
+ *
+ * @param key		private key object (adopted)
+ * @return			loaded key, NULL on failure
+ */
+private_key_t *botan_ed_private_key_adopt(botan_privkey_t key);
+
+#endif /** BOTAN_ED_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/botan/botan_ed_public_key.c b/src/libstrongswan/plugins/botan/botan_ed_public_key.c
new file mode 100644
index 000000000..41d2baae8
--- /dev/null
+++ b/src/libstrongswan/plugins/botan/botan_ed_public_key.c
@@ -0,0 +1,202 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "botan_ed_public_key.h"
+#include "botan_util.h"
+
+#include <botan/build.h>
+
+#ifdef BOTAN_HAS_ED25519
+
+#include <utils/debug.h>
+
+typedef struct private_public_key_t private_public_key_t;
+
+/**
+ * Private data
+ */
+struct private_public_key_t {
+
+	/**
+	 * Public interface
+	 */
+	public_key_t public;
+
+	/**
+	 * Botan public key object
+	 */
+	botan_pubkey_t key;
+
+	/**
+	 * Reference counter
+	 */
+	refcount_t ref;
+};
+
+METHOD(public_key_t, get_type, key_type_t,
+	private_public_key_t *this)
+{
+	return KEY_ED25519;
+}
+
+METHOD(public_key_t, get_keysize, int,
+	private_public_key_t *this)
+{
+	return ED25519_KEY_LEN * 8;
+}
+
+METHOD(public_key_t, verify, bool,
+	private_public_key_t *this, signature_scheme_t scheme,
+	void *params, chunk_t data, chunk_t signature)
+{
+	switch (scheme)
+	{
+		case SIGN_ED25519:
+			return botan_verify_signature(this->key, "Pure", data, signature);
+		default:
+			DBG1(DBG_LIB, "signature scheme %N not supported via botan",
+				 signature_scheme_names, scheme);
+			return FALSE;
+	}
+}
+
+METHOD(public_key_t, encrypt, bool,
+	private_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
+{
+	DBG1(DBG_LIB, "EdDSA public key encryption not implemented");
+	return FALSE;
+}
+
+METHOD(public_key_t, get_fingerprint, bool,
+	private_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *fingerprint)
+{
+	return botan_get_fingerprint(this->key, this, type, fingerprint);
+}
+
+METHOD(public_key_t, get_encoding, bool,
+	private_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
+{
+	return botan_get_encoding(this->key, type, encoding);
+}
+
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_public_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public;
+}
+
+METHOD(public_key_t, destroy, void,
+	private_public_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		lib->encoding->clear_cache(lib->encoding, this);
+		botan_pubkey_destroy(this->key);
+		free(this);
+	}
+}
+
+/**
+ * Internal generic constructor
+ */
+static private_public_key_t *create_empty()
+{
+	private_public_key_t *this;
+
+	INIT(this,
+		.public = {
+			.get_type = _get_type,
+			.verify = _verify,
+			.encrypt = _encrypt,
+			.get_keysize = _get_keysize,
+			.equals = public_key_equals,
+			.get_fingerprint = _get_fingerprint,
+			.has_fingerprint = public_key_has_fingerprint,
+			.get_encoding = _get_encoding,
+			.get_ref = _get_ref,
+			.destroy = _destroy,
+		},
+		.ref = 1,
+	);
+
+	return this;
+}
+
+/*
+ * Described in header
+ */
+public_key_t *botan_ed_public_key_adopt(botan_pubkey_t key)
+{
+	private_public_key_t *this;
+
+	this = create_empty();
+	this->key = key;
+
+	return &this->public;
+}
+
+/*
+ * Described in header
+ */
+public_key_t *botan_ed_public_key_load(key_type_t type, va_list args)
+{
+	private_public_key_t *this;
+	chunk_t key = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_EDDSA_PUB:
+				key = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	/* ASN.1-encoded keys are handled generically, so we only handle the
+	 * explicit case */
+	if (key.len != ED25519_KEY_LEN)
+	{
+		return NULL;
+	}
+
+	this = create_empty();
+
+	if (botan_pubkey_load_ed25519(&this->key, key.ptr))
+	{
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+#endif
diff --git a/src/libstrongswan/plugins/botan/botan_ed_public_key.h b/src/libstrongswan/plugins/botan/botan_ed_public_key.h
new file mode 100644
index 000000000..0f44b1afb
--- /dev/null
+++ b/src/libstrongswan/plugins/botan/botan_ed_public_key.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#ifndef BOTAN_ED_PUBLIC_KEY_H_
+#define BOTAN_ED_PUBLIC_KEY_H_
+
+#include <botan/ffi.h>
+
+#include <credentials/builder.h>
+#include <credentials/keys/public_key.h>
+
+#define ED25519_KEY_LEN 32
+
+/**
+ * Load an EdDSA public key by adopting a botan_pubkey_t object.
+ *
+ * @param key		public key object (adopted)
+ * @return			loaded key, NULL on failure
+ */
+public_key_t *botan_ed_public_key_adopt(botan_pubkey_t key);
+
+/**
+ * Load an EdDSA public key using Botan.
+ *
+ * @param type		type of the key, must be KEY_ED25519
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
+ */
+public_key_t *botan_ed_public_key_load(key_type_t type, va_list args);
+
+#endif /** BOTAN_ED_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/botan/botan_plugin.c b/src/libstrongswan/plugins/botan/botan_plugin.c
index fd8e5f5a6..f045ba074 100644
--- a/src/libstrongswan/plugins/botan/botan_plugin.c
+++ b/src/libstrongswan/plugins/botan/botan_plugin.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2018 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2018 René Korthaus
@@ -36,7 +37,9 @@
 #include "botan_ec_diffie_hellman.h"
 #include "botan_ec_public_key.h"
 #include "botan_ec_private_key.h"
-#include "botan_gcm.h"
+#include "botan_ed_public_key.h"
+#include "botan_ed_private_key.h"
+#include "botan_aead.h"
 #include "botan_util_keys.h"
 #include "botan_x25519.h"
 
@@ -101,6 +104,7 @@ METHOD(plugin_t, get_features, int,
 #endif
 
 		/* crypters */
+#if defined(BOTAN_HAS_AES) && defined(BOTAN_HAS_MODE_CBC)
 		PLUGIN_REGISTER(CRYPTER, botan_crypter_create),
 #ifdef BOTAN_HAS_AES
 	#ifdef BOTAN_HAS_MODE_CBC
@@ -108,17 +112,43 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 24),
 			PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 32),
 	#endif
+#endif
+#endif
+
+		/* AEAD */
+#if (defined(BOTAN_HAS_AES) && \
+		(defined(BOTAN_HAS_AEAD_GCM) || defined(BOTAN_HAS_AEAD_CCM))) || \
+	defined(BOTAN_HAS_AEAD_CHACHA20_POLY1305)
+		PLUGIN_REGISTER(AEAD, botan_aead_create),
+#ifdef BOTAN_HAS_AES
 	#ifdef BOTAN_HAS_AEAD_GCM
-			/* AES GCM */
-			PLUGIN_REGISTER(AEAD, botan_gcm_create),
 			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 16),
 			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 24),
 			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 32),
 			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 16),
 			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 24),
 			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 32),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8,  16),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8,  24),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8,  32),
 	#endif
+	#ifdef BOTAN_HAS_AEAD_CCM
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV16, 16),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV16, 24),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV16, 32),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV12, 16),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV12, 24),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV12, 32),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV8,  16),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV8,  24),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV8,  32),
+	#endif
+#endif
+#ifdef BOTAN_HAS_AEAD_CHACHA20_POLY1305
+			PLUGIN_PROVIDE(AEAD, ENCR_CHACHA20_POLY1305, 32),
 #endif
+#endif
+
 		/* hashers */
 		PLUGIN_REGISTER(HASHER, botan_hasher_create),
 #ifdef BOTAN_HAS_MD5
@@ -135,6 +165,13 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(HASHER, HASH_SHA384),
 			PLUGIN_PROVIDE(HASHER, HASH_SHA512),
 #endif
+#ifdef BOTAN_HAS_SHA3
+			PLUGIN_PROVIDE(HASHER, HASH_SHA3_224),
+			PLUGIN_PROVIDE(HASHER, HASH_SHA3_256),
+			PLUGIN_PROVIDE(HASHER, HASH_SHA3_384),
+			PLUGIN_PROVIDE(HASHER, HASH_SHA3_512),
+#endif
+
 		/* prfs */
 #ifdef BOTAN_HAS_HMAC
 		PLUGIN_REGISTER(PRF, botan_hmac_prf_create),
@@ -168,7 +205,8 @@ METHOD(plugin_t, get_features, int,
 #endif /* BOTAN_HAS_HMAC */
 
 		/* generic key loaders */
-#if defined (BOTAN_HAS_RSA) || defined(BOTAN_HAS_ECDSA)
+#if defined (BOTAN_HAS_RSA) || defined(BOTAN_HAS_ECDSA) || \
+	defined(BOTAN_HAS_ED25519)
 		PLUGIN_REGISTER(PUBKEY, botan_public_key_load, TRUE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
 #ifdef BOTAN_HAS_RSA
@@ -177,6 +215,9 @@ METHOD(plugin_t, get_features, int,
 #ifdef BOTAN_HAS_ECDSA
 			PLUGIN_PROVIDE(PUBKEY, KEY_ECDSA),
 #endif
+#ifdef BOTAN_HAS_ED25519
+			PLUGIN_PROVIDE(PUBKEY, KEY_ED25519),
+#endif
 		PLUGIN_REGISTER(PRIVKEY, botan_private_key_load, TRUE),
 			PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
 #ifdef BOTAN_HAS_RSA
@@ -185,6 +226,9 @@ METHOD(plugin_t, get_features, int,
 #ifdef BOTAN_HAS_ECDSA
 			PLUGIN_PROVIDE(PRIVKEY, KEY_ECDSA),
 #endif
+#ifdef BOTAN_HAS_ED25519
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ED25519),
+#endif
 #endif
 		/* RSA */
 #ifdef BOTAN_HAS_RSA
@@ -218,6 +262,16 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_384),
 		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_512),
 #endif
+#ifdef BOTAN_HAS_SHA3
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA3_224),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA3_256),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA3_384),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA3_512),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA3_224),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA3_256),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA3_384),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA3_512),
+#endif
 #endif
 #ifdef BOTAN_HAS_EMSA_PSSR
 		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PSS),
@@ -272,6 +326,21 @@ METHOD(plugin_t, get_features, int,
 #endif /* BOTAN_HAS_EMSA1 */
 #endif /* BOTAN_HAS_ECDSA */
 
+#ifdef BOTAN_HAS_ED25519
+		/* EdDSA private/public key loading */
+		PLUGIN_REGISTER(PUBKEY, botan_ed_public_key_load, TRUE),
+			PLUGIN_PROVIDE(PUBKEY, KEY_ED25519),
+		PLUGIN_REGISTER(PRIVKEY, botan_ed_private_key_load, TRUE),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ED25519),
+		PLUGIN_REGISTER(PRIVKEY_GEN, botan_ed_private_key_gen, FALSE),
+			PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED25519),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED25519),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED25519),
+		/* register a pro forma identity hasher, never instantiated */
+		PLUGIN_REGISTER(HASHER, return_null),
+			PLUGIN_PROVIDE(HASHER, HASH_IDENTITY),
+#endif
+
 		/* random numbers */
 #if BOTAN_HAS_SYSTEM_RNG
 #if BOTAN_HAS_HMAC_DRBG
diff --git a/src/libstrongswan/plugins/botan/botan_rsa_private_key.c b/src/libstrongswan/plugins/botan/botan_rsa_private_key.c
index bb723ff95..02820b297 100644
--- a/src/libstrongswan/plugins/botan/botan_rsa_private_key.c
+++ b/src/libstrongswan/plugins/botan/botan_rsa_private_key.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2018 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2018 René Korthaus
@@ -84,13 +85,8 @@ bool botan_emsa_pss_identifier(rsa_pss_params_t *params, char *id, size_t len)
 	{
 		return FALSE;
 	}
-
-	if (params->salt_len > RSA_PSS_SALT_LEN_DEFAULT)
-	{
-		return snprintf(id, len, "EMSA-PSS(%s,MGF1,%zd)", hash,
-						params->salt_len) < len;
-	}
-	return snprintf(id, len, "EMSA-PSS(%s,MGF1)", hash) < len;
+	return snprintf(id, len, "EMSA-PSS(%s,MGF1,%zd)", hash,
+					params->salt_len) < len;
 }
 
 /**
@@ -140,6 +136,18 @@ METHOD(private_key_t, sign, bool,
 		case SIGN_RSA_EMSA_PKCS1_SHA2_512:
 			return botan_get_signature(this->key, "EMSA_PKCS1(SHA-512)", data,
 									   signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA3_224:
+			return botan_get_signature(this->key, "EMSA_PKCS1(SHA-3(224))", data,
+									   signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA3_256:
+			return botan_get_signature(this->key, "EMSA_PKCS1(SHA-3(256))", data,
+									   signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA3_384:
+			return botan_get_signature(this->key, "EMSA_PKCS1(SHA-3(384))", data,
+									   signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA3_512:
+			return botan_get_signature(this->key, "EMSA_PKCS1(SHA-3(512))", data,
+									   signature);
 		case SIGN_RSA_EMSA_PSS:
 			return build_emsa_pss_signature(this, params, data, signature);
 		default:
@@ -617,7 +625,7 @@ botan_rsa_private_key_t *botan_rsa_private_key_load(key_type_t type,
 
 	if (n.ptr && e.ptr && d.ptr)
 	{
-		botan_mp_t n_mp, e_mp, d_mp, p_mp, q_mp;
+		botan_mp_t n_mp, e_mp, d_mp, p_mp = NULL, q_mp = NULL;
 
 		if (!chunk_to_botan_mp(n, &n_mp))
 		{
diff --git a/src/libstrongswan/plugins/botan/botan_rsa_public_key.c b/src/libstrongswan/plugins/botan/botan_rsa_public_key.c
index c6e2e8861..244caa585 100644
--- a/src/libstrongswan/plugins/botan/botan_rsa_public_key.c
+++ b/src/libstrongswan/plugins/botan/botan_rsa_public_key.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2018 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2018 René Korthaus
@@ -69,33 +70,6 @@ struct private_botan_rsa_public_key_t {
 bool botan_emsa_pss_identifier(rsa_pss_params_t *params, char *id, size_t len);
 
 /**
- * Verify RSA signature
- */
-static bool verify_rsa_signature(private_botan_rsa_public_key_t *this,
-								 const char* hash_and_padding, chunk_t data,
-								 chunk_t signature)
-{
-	botan_pk_op_verify_t verify_op;
-	bool valid = FALSE;
-
-	if (botan_pk_op_verify_create(&verify_op, this->key, hash_and_padding, 0))
-	{
-		return FALSE;
-	}
-
-	if (botan_pk_op_verify_update(verify_op, data.ptr, data.len))
-	{
-		botan_pk_op_verify_destroy(verify_op);
-		return FALSE;
-	}
-
-	valid =	!botan_pk_op_verify_finish(verify_op, signature.ptr, signature.len);
-
-	botan_pk_op_verify_destroy(verify_op);
-	return valid;
-}
-
-/**
  * Verification of an EMSA PSS signature described in PKCS#1
  */
 static bool verify_emsa_pss_signature(private_botan_rsa_public_key_t *this,
@@ -109,7 +83,7 @@ static bool verify_emsa_pss_signature(private_botan_rsa_public_key_t *this,
 	{
 		return FALSE;
 	}
-	return verify_rsa_signature(this, hash_and_padding, data, signature);
+	return botan_verify_signature(this->key, hash_and_padding, data, signature);
 }
 
 METHOD(public_key_t, get_type, key_type_t,
@@ -125,23 +99,35 @@ METHOD(public_key_t, verify, bool,
 	switch (scheme)
 	{
 		case SIGN_RSA_EMSA_PKCS1_NULL:
-			return verify_rsa_signature(this, "EMSA_PKCS1(Raw)", data,
-										signature);
+			return botan_verify_signature(this->key, "EMSA_PKCS1(Raw)", data,
+										  signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
-			return verify_rsa_signature(this, "EMSA_PKCS1(SHA-1)", data,
-										signature);
+			return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-1)", data,
+										  signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA2_224:
-			return verify_rsa_signature(this, "EMSA_PKCS1(SHA-224)",
-										data, signature);
+			return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-224)",
+										  data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA2_256:
-			return verify_rsa_signature(this, "EMSA_PKCS1(SHA-256)",
-										data, signature);
+			return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-256)",
+										  data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA2_384:
-			return verify_rsa_signature(this, "EMSA_PKCS1(SHA-384)",
-										data, signature);
+			return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-384)",
+										  data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA2_512:
-			return verify_rsa_signature(this, "EMSA_PKCS1(SHA-512)",
-										data, signature);
+			return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-512)",
+										  data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA3_224:
+			return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-3(224)",
+										  data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA3_256:
+			return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-3(256))",
+										  data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA3_384:
+			return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-3(384))",
+										  data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA3_512:
+			return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-3(512))",
+										  data, signature);
 		case SIGN_RSA_EMSA_PSS:
 			return verify_emsa_pss_signature(this, params, data, signature);
 		default:
diff --git a/src/libstrongswan/plugins/botan/botan_util.c b/src/libstrongswan/plugins/botan/botan_util.c
index 5e18405d7..f5728e43e 100644
--- a/src/libstrongswan/plugins/botan/botan_util.c
+++ b/src/libstrongswan/plugins/botan/botan_util.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2018 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2018 René Korthaus
@@ -67,6 +68,14 @@ const char *botan_get_hash(hash_algorithm_t hash)
 			return "SHA-384";
 		case HASH_SHA512:
 			return "SHA-512";
+		case HASH_SHA3_224:
+			return "SHA-3(224)";
+		case HASH_SHA3_256:
+			return "SHA-3(256)";
+		case HASH_SHA3_384:
+			return "SHA-3(384)";
+		case HASH_SHA3_512:
+			return "SHA-3(512)";
 		default:
 			return NULL;
 	}
@@ -252,6 +261,32 @@ bool botan_get_signature(botan_privkey_t key, const char *scheme,
 /*
  * Described in header
  */
+bool botan_verify_signature(botan_pubkey_t key, const char *scheme,
+							chunk_t data, chunk_t signature)
+{
+	botan_pk_op_verify_t verify_op;
+	bool valid = FALSE;
+
+	if (botan_pk_op_verify_create(&verify_op, key, scheme, 0))
+	{
+		return FALSE;
+	}
+
+	if (botan_pk_op_verify_update(verify_op, data.ptr, data.len))
+	{
+		botan_pk_op_verify_destroy(verify_op);
+		return FALSE;
+	}
+
+	valid =	!botan_pk_op_verify_finish(verify_op, signature.ptr, signature.len);
+
+	botan_pk_op_verify_destroy(verify_op);
+	return valid;
+}
+
+/*
+ * Described in header
+ */
 bool botan_dh_key_derivation(botan_privkey_t key, chunk_t pub, chunk_t *secret)
 {
 	botan_pk_op_ka_t ka;
diff --git a/src/libstrongswan/plugins/botan/botan_util.h b/src/libstrongswan/plugins/botan/botan_util.h
index 08830356e..7fb74ec5d 100644
--- a/src/libstrongswan/plugins/botan/botan_util.h
+++ b/src/libstrongswan/plugins/botan/botan_util.h
@@ -101,6 +101,18 @@ bool botan_get_signature(botan_privkey_t key, const char *scheme,
 						 chunk_t data, chunk_t *signature);
 
 /**
+ * Verify the given signature using the provided data and key with the specified
+ * signature scheme (hash/padding).
+ *
+ * @param key		private key object
+ * @param scheme	hash/padding algorithm
+ * @param data		signed data
+ * @param signature	signature to verify
+ */
+bool botan_verify_signature(botan_pubkey_t key, const char* scheme,
+							chunk_t data, chunk_t signature);
+
+/**
  * Do the Diffie-Hellman key derivation using the given private key and public
  * value.
  *
diff --git a/src/libstrongswan/plugins/botan/botan_util_keys.c b/src/libstrongswan/plugins/botan/botan_util_keys.c
index 176c2caf9..dc4031491 100644
--- a/src/libstrongswan/plugins/botan/botan_util_keys.c
+++ b/src/libstrongswan/plugins/botan/botan_util_keys.c
@@ -24,6 +24,8 @@
 #include "botan_util_keys.h"
 #include "botan_ec_public_key.h"
 #include "botan_ec_private_key.h"
+#include "botan_ed_public_key.h"
+#include "botan_ed_private_key.h"
 #include "botan_rsa_public_key.h"
 #include "botan_rsa_private_key.h"
 
@@ -104,15 +106,27 @@ public_key_t *botan_public_key_load(key_type_t type, va_list args)
 		return NULL;
 	}
 
+#ifdef BOTAN_HAS_RSA
 	if (streq(name, "RSA") && (type == KEY_ANY || type == KEY_RSA))
 	{
 		this = (public_key_t*)botan_rsa_public_key_adopt(pubkey);
 	}
-	else if (streq(name, "ECDSA") && (type == KEY_ANY || type == KEY_ECDSA))
+	else
+#endif
+#ifdef BOTAN_HAS_ECDSA
+	if (streq(name, "ECDSA") && (type == KEY_ANY || type == KEY_ECDSA))
 	{
 		this = (public_key_t*)botan_ec_public_key_adopt(pubkey);
 	}
 	else
+#endif
+#ifdef BOTAN_HAS_ED25519
+	if (streq(name, "Ed25519") && (type == KEY_ANY || type == KEY_ED25519))
+	{
+		this = botan_ed_public_key_adopt(pubkey);
+	}
+	else
+#endif
 	{
 		botan_pubkey_destroy(pubkey);
 	}
@@ -120,6 +134,7 @@ public_key_t *botan_public_key_load(key_type_t type, va_list args)
 	return this;
 }
 
+#ifdef BOTAN_HAS_ECDSA
 /**
  * Determine the curve OID from a PKCS#8 structure
  */
@@ -139,6 +154,7 @@ static int determine_ec_oid(chunk_t pkcs8)
 	}
 	return oid;
 }
+#endif
 
 /*
  * Described in header
@@ -151,7 +167,6 @@ private_key_t *botan_private_key_load(key_type_t type, va_list args)
 	chunk_t blob = chunk_empty;
 	botan_rng_t rng;
 	char *name;
-	int oid;
 
 	while (TRUE)
 	{
@@ -188,20 +203,35 @@ private_key_t *botan_private_key_load(key_type_t type, va_list args)
 	botan_pubkey_destroy(pubkey);
 	if (!name)
 	{
+		botan_privkey_destroy(key);
 		return NULL;
 	}
+
+#ifdef BOTAN_HAS_RSA
 	if (streq(name, "RSA") && (type == KEY_ANY || type == KEY_RSA))
 	{
 		this = (private_key_t*)botan_rsa_private_key_adopt(key);
 	}
-	else if (streq(name, "ECDSA") && (type == KEY_ANY || type == KEY_ECDSA))
+	else
+#endif
+#ifdef BOTAN_HAS_ECDSA
+	if (streq(name, "ECDSA") && (type == KEY_ANY || type == KEY_ECDSA))
 	{
-		oid = determine_ec_oid(blob);
+		int oid = determine_ec_oid(blob);
 		if (oid != OID_UNKNOWN)
 		{
 			this = (private_key_t*)botan_ec_private_key_adopt(key, oid);
 		}
 	}
+	else
+#endif
+#ifdef BOTAN_HAS_ED25519
+	if (streq(name, "Ed25519") && (type == KEY_ANY || type == KEY_ED25519))
+	{
+		this = botan_ed_private_key_adopt(key);
+	}
+#endif
+
 	if (!this)
 	{
 		botan_privkey_destroy(key);
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_public_key.c b/src/libstrongswan/plugins/curve25519/curve25519_public_key.c
index 1d4dec565..dfc1df4d0 100644
--- a/src/libstrongswan/plugins/curve25519/curve25519_public_key.c
+++ b/src/libstrongswan/plugins/curve25519/curve25519_public_key.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2018 Tobias Brunner
  * Copyright (C) 2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -48,6 +49,13 @@ METHOD(public_key_t, get_type, key_type_t,
 	return KEY_ED25519;
 }
 
+/* L = 2^252+27742317777372353535851937790883648493 in little-endian form */
+static chunk_t curve25519_order = chunk_from_chars(
+								0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
+								0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
+								0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+								0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10);
+
 METHOD(public_key_t, verify, bool,
 	private_curve25519_public_key_t *this, signature_scheme_t scheme,
 	void *params, chunk_t data, chunk_t signature)
@@ -93,6 +101,20 @@ METHOD(public_key_t, verify, bool,
 	{
 		return FALSE;
 	}
+	/* make sure 0 <= s < L, as per RFC 8032, section 5.1.7 to prevent signature
+	 * malleability.  Due to the three-bit check above (forces s < 2^253) there
+	 * is not that much room, but adding L once works with most signatures */
+	for (i = 31; ; i--)
+	{
+		if (sig[i+32] < curve25519_order.ptr[i])
+		{
+			break;
+		}
+		else if (sig[i+32] > curve25519_order.ptr[i] || i == 0)
+		{
+			return FALSE;
+		}
+	}
 
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512);
 	if (!hasher)
@@ -200,22 +222,68 @@ static const asn1Object_t pubkeyObjects[] = {
 #define ED25519_SUBJECT_PUBLIC_KEY				2
 
 /**
+ * Parse the ASN.1-encoded subjectPublicKeyInfo
+ */
+static bool parse_public_key_info(private_curve25519_public_key_t *this,
+								  chunk_t blob)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	bool success = FALSE;
+	int objectID, oid;
+
+	parser = asn1_parser_create(pubkeyObjects, blob);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case ED25519_SUBJECT_PUBLIC_KEY_ALGORITHM:
+			{
+				oid = asn1_parse_algorithmIdentifier(object,
+										parser->get_level(parser) + 1, NULL);
+				if (oid != OID_ED25519)
+				{
+					goto end;
+				}
+				break;
+			}
+			case ED25519_SUBJECT_PUBLIC_KEY:
+			{
+				/* encoded as an ASN1 BIT STRING */
+				if (object.len != 1 + ED25519_KEY_LEN)
+				{
+					goto end;
+				}
+				this->pubkey = chunk_clone(chunk_skip(object, 1));
+				break;
+			}
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	return success;
+}
+
+/**
  * See header.
  */
 curve25519_public_key_t *curve25519_public_key_load(key_type_t type,
 													va_list args)
 {
 	private_curve25519_public_key_t *this;
-	chunk_t blob = chunk_empty, object;
-	asn1_parser_t *parser;
-	bool success = FALSE;
-	int objectID, oid;
+	chunk_t asn1 = chunk_empty, blob = chunk_empty;
 
 	while (TRUE)
 	{
 		switch (va_arg(args, builder_part_t))
 		{
 			case BUILD_BLOB_ASN1_DER:
+				asn1 = va_arg(args, chunk_t);
+				continue;
+			case BUILD_EDDSA_PUB:
 				blob = va_arg(args, chunk_t);
 				continue;
 			case BUILD_END:
@@ -244,39 +312,11 @@ curve25519_public_key_t *curve25519_public_key_load(key_type_t type,
 		.ref = 1,
 	);
 
-	parser = asn1_parser_create(pubkeyObjects, blob);
-
-	while (parser->iterate(parser, &objectID, &object))
+	if (blob.len == ED25519_KEY_LEN)
 	{
-		switch (objectID)
-		{
-			case ED25519_SUBJECT_PUBLIC_KEY_ALGORITHM:
-			{
-				oid = asn1_parse_algorithmIdentifier(object,
-										parser->get_level(parser) + 1, NULL);
-				if (oid != OID_ED25519)
-				{
-					goto end;
-				}
-				break;
-			}
-			case ED25519_SUBJECT_PUBLIC_KEY:
-			{
-				/* encoded as an ASN1 BIT STRING */
-				if (object.len != 1 + ED25519_KEY_LEN)
-				{
-					goto end;
-				}
-				this->pubkey = chunk_clone(chunk_skip(object, 1));
-				break;
-			}
-		}
+		this->pubkey = chunk_clone(blob);
 	}
-	success = parser->success(parser);
-
-end:
-	parser->destroy(parser);
-	if (!success)
+	else if (!asn1.len || !parse_public_key_info(this, asn1))
 	{
 		destroy(this);
 		return NULL;
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 45fba242b..6946e4576 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -43,10 +43,12 @@ struct private_gcrypt_plugin_t {
 	gcrypt_plugin_t public;
 };
 
+#if GCRYPT_VERSION_NUMBER < 0x010600
 /**
  * Define gcrypt multi-threading callbacks as gcry_threads_pthread
  */
 GCRY_THREAD_OPTION_PTHREAD_IMPL;
+#endif
 
 METHOD(plugin_t, get_name, char*,
 	private_gcrypt_plugin_t *this)
@@ -163,7 +165,9 @@ plugin_t *gcrypt_plugin_create()
 {
 	private_gcrypt_plugin_t *this;
 
+#if GCRYPT_VERSION_NUMBER < 0x010600
 	gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
+#endif
 
 	if (!gcry_check_version(GCRYPT_VERSION))
 	{
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
index c06f43348..394b87c27 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
@@ -187,11 +187,7 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this,
 		}
 		else
 		{
-			u_int slen = hasher_hash_size(hash_algorithm);
-			if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT)
-			{
-				slen = pss->salt_len;
-			}
+			u_int slen = pss->salt_len;
 			err = gcry_sexp_build(&in, NULL,
 							"(data(flags pss)(salt-length %u)(hash %s %b))",
 							slen, hash_name, hash.len, hash.ptr);
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
index 9e2ac1287..bbfa5e298 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -139,11 +139,7 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this,
 
 	if (pss)
 	{
-		u_int slen = hasher_hash_size(algorithm);
-		if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT)
-		{
-			slen = pss->salt_len;
-		}
+		u_int slen = pss->salt_len;
 		err = gcry_sexp_build(&in, NULL,
 							  "(data(flags pss)(salt-length %u)(hash %s %b))",
 							  slen, hash_name, hash.len, hash.ptr);
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index a255a40ab..2d2d5c6fb 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -393,15 +393,11 @@ static bool build_emsa_pss_signature(private_gmp_rsa_private_key_t *this,
 		goto error;
 	}
 
-	salt.len = hash.len;
+	salt.len = params->salt_len;
 	if (params->salt.len)
 	{
 		salt = params->salt;
 	}
-	else if (params->salt_len > RSA_PSS_SALT_LEN_DEFAULT)
-	{
-		salt.len = params->salt_len;
-	}
 	if (emlen < (hash.len + salt.len + 2))
 	{	/* too long */
 		goto error;
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index 9b5ee67fa..f9bd1d314 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -205,12 +205,7 @@ static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this,
 	{
 		goto error;
 	}
-	/* determine salt length */
-	salt.len = hash.len;
-	if (params->salt_len > RSA_PSS_SALT_LEN_DEFAULT)
-	{
-		salt.len = params->salt_len;
-	}
+	salt.len = params->salt_len;
 	/* verify general structure of EM */
 	maskbits = (8 * em.len) - embits;
 	if (em.len < (hash.len + salt.len + 2) || em.ptr[em.len-1] != 0xbc ||
diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c
index d7e35d9fd..90f8185b0 100644
--- a/src/libstrongswan/plugins/mysql/mysql_database.c
+++ b/src/libstrongswan/plugins/mysql/mysql_database.c
@@ -131,9 +131,13 @@ typedef struct {
  */
 static void conn_release(private_mysql_database_t *this, conn_t *conn)
 {
-	this->mutex->lock(this->mutex);
-	conn->in_use = FALSE;
-	this->mutex->unlock(this->mutex);
+	/* do not release the connection while transactions are using it */
+	if (!this->transaction->get(this->transaction))
+	{
+		this->mutex->lock(this->mutex);
+		conn->in_use = FALSE;
+		this->mutex->unlock(this->mutex);
+	}
 }
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am
index 9287f788a..d484092e7 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.am
+++ b/src/libstrongswan/plugins/openssl/Makefile.am
@@ -29,7 +29,10 @@ libstrongswan_openssl_la_SOURCES = \
 	openssl_pkcs12.c openssl_pkcs12.h \
 	openssl_rng.c openssl_rng.h \
 	openssl_hmac.c openssl_hmac.h \
-	openssl_gcm.c openssl_gcm.h
+	openssl_gcm.c openssl_gcm.h \
+	openssl_x_diffie_hellman.c openssl_x_diffie_hellman.h \
+	openssl_ed_private_key.c openssl_ed_private_key.h \
+	openssl_ed_public_key.c openssl_ed_public_key.h
 
 libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
 libstrongswan_openssl_la_LIBADD  = $(OPENSSL_LIB)
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index 79be2e670..da04d17cf 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -145,7 +145,8 @@ am_libstrongswan_openssl_la_OBJECTS = openssl_plugin.lo \
 	openssl_ec_diffie_hellman.lo openssl_ec_private_key.lo \
 	openssl_ec_public_key.lo openssl_x509.lo openssl_crl.lo \
 	openssl_pkcs7.lo openssl_pkcs12.lo openssl_rng.lo \
-	openssl_hmac.lo openssl_gcm.lo
+	openssl_hmac.lo openssl_gcm.lo openssl_x_diffie_hellman.lo \
+	openssl_ed_private_key.lo openssl_ed_public_key.lo
 libstrongswan_openssl_la_OBJECTS =  \
 	$(am_libstrongswan_openssl_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
@@ -487,7 +488,10 @@ libstrongswan_openssl_la_SOURCES = \
 	openssl_pkcs12.c openssl_pkcs12.h \
 	openssl_rng.c openssl_rng.h \
 	openssl_hmac.c openssl_hmac.h \
-	openssl_gcm.c openssl_gcm.h
+	openssl_gcm.c openssl_gcm.h \
+	openssl_x_diffie_hellman.c openssl_x_diffie_hellman.h \
+	openssl_ed_private_key.c openssl_ed_private_key.h \
+	openssl_ed_public_key.c openssl_ed_public_key.h
 
 libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
 libstrongswan_openssl_la_LIBADD = $(OPENSSL_LIB)
@@ -586,6 +590,8 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_diffie_hellman.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_private_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_public_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ed_private_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ed_public_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_gcm.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_hasher.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_hmac.Plo@am__quote@
@@ -598,6 +604,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_sha1_prf.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_util.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_x509.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_x_diffie_hellman.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index bb5f20dcf..3e7490dc6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -57,6 +57,9 @@ static inline void X509_CRL_get0_signature(const X509_CRL *crl, ASN1_BIT_STRING
 #define X509_REVOKED_get0_serialNumber(r) ({ (r)->serialNumber; })
 #define X509_REVOKED_get0_revocationDate(r) ({ (r)->revocationDate; })
 #define X509_CRL_get0_extensions(c) ({ (c)->crl->extensions; })
+#define ASN1_STRING_get0_data(a) ASN1_STRING_data(a)
+#define X509_CRL_get0_lastUpdate(c) X509_CRL_get_lastUpdate(c)
+#define X509_CRL_get0_nextUpdate(c) X509_CRL_get_nextUpdate(c)
 #endif
 
 typedef struct private_openssl_crl_t private_openssl_crl_t;
@@ -193,7 +196,7 @@ METHOD(enumerator_t, crl_enumerate, bool,
 				if (ASN1_STRING_type(crlrsn) == V_ASN1_ENUMERATED &&
 					ASN1_STRING_length(crlrsn) == 1)
 				{
-					*reason = *ASN1_STRING_data(crlrsn);
+					*reason = *ASN1_STRING_get0_data(crlrsn);
 				}
 				ASN1_STRING_free(crlrsn);
 			}
@@ -288,7 +291,11 @@ METHOD(certificate_t, issued_by, bool,
 	chunk_t fingerprint, tbs;
 	public_key_t *key;
 	x509_t *x509;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	const ASN1_BIT_STRING *sig;
+#else
 	ASN1_BIT_STRING *sig;
+#endif
 	bool valid;
 
 	if (issuer->get_type(issuer) != CERT_X509)
@@ -509,7 +516,7 @@ static bool parse_extensions(private_openssl_crl_t *this)
 	bool ok;
 	int i, num;
 	X509_EXTENSION *ext;
-	STACK_OF(X509_EXTENSION) *extensions;
+	const STACK_OF(X509_EXTENSION) *extensions;
 
 	extensions = X509_CRL_get0_extensions(this->crl);
 	if (extensions)
@@ -564,7 +571,11 @@ static bool parse_crl(private_openssl_crl_t *this)
 {
 	const unsigned char *ptr = this->encoding.ptr;
 	chunk_t sig_scheme;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	const X509_ALGOR *alg;
+#else
 	X509_ALGOR *alg;
+#endif
 
 	this->crl = d2i_X509_CRL(NULL, &ptr, this->encoding.len);
 	if (!this->crl)
@@ -573,7 +584,7 @@ static bool parse_crl(private_openssl_crl_t *this)
 	}
 
 	X509_CRL_get0_signature(this->crl, NULL, &alg);
-	sig_scheme = openssl_i2chunk(X509_ALGOR, alg);
+	sig_scheme = openssl_i2chunk(X509_ALGOR, (X509_ALGOR*)alg);
 	INIT(this->scheme);
 	if (!signature_params_parse(sig_scheme, 0, this->scheme))
 	{
@@ -588,8 +599,8 @@ static bool parse_crl(private_openssl_crl_t *this)
 	{
 		return FALSE;
 	}
-	this->thisUpdate = openssl_asn1_to_time(X509_CRL_get_lastUpdate(this->crl));
-	this->nextUpdate = openssl_asn1_to_time(X509_CRL_get_nextUpdate(this->crl));
+	this->thisUpdate = openssl_asn1_to_time(X509_CRL_get0_lastUpdate(this->crl));
+	this->nextUpdate = openssl_asn1_to_time(X509_CRL_get0_nextUpdate(this->crl));
 
 	return parse_extensions(this);
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_ed_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ed_private_key.c
new file mode 100644
index 000000000..b5bc9b868
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_ed_private_key.c
@@ -0,0 +1,356 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <openssl/evp.h>
+
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
+
+#include "openssl_ed_private_key.h"
+
+#include <utils/debug.h>
+
+typedef struct private_private_key_t private_private_key_t;
+
+/**
+ * Private data
+ */
+struct private_private_key_t {
+
+	/**
+	 * Public interface
+	 */
+	private_key_t public;
+
+	/**
+	 * Key object
+	 */
+	EVP_PKEY *key;
+
+	/**
+	 * Key type
+	 */
+	key_type_t type;
+
+	/**
+	 * TRUE if the key is from an OpenSSL ENGINE and might not be readable
+	 */
+	bool engine;
+
+	/**
+	 * reference count
+	 */
+	refcount_t ref;
+};
+
+/**
+ * We can't include asn1.h, declare function prototype directly
+ */
+int asn1_unwrap(chunk_t*, chunk_t*);
+
+/* from ed public key */
+int openssl_ed_key_type(key_type_t type);
+int openssl_ed_keysize(key_type_t type);
+bool openssl_ed_fingerprint(EVP_PKEY *key, cred_encoding_type_t type, chunk_t *fp);
+
+METHOD(private_key_t, sign, bool,
+	private_private_key_t *this, signature_scheme_t scheme,
+	void *params, chunk_t data, chunk_t *signature)
+{
+	EVP_MD_CTX *ctx;
+	bool success = FALSE;
+
+	if ((this->type == KEY_ED25519 && scheme != SIGN_ED25519) ||
+		(this->type == KEY_ED448 && scheme != SIGN_ED448))
+	{
+		DBG1(DBG_LIB, "signature scheme %N not supported by %N key",
+			 signature_scheme_names, scheme, key_type_names, this->type);
+		return FALSE;
+	}
+
+	ctx = EVP_MD_CTX_new();
+	if (!ctx ||
+		EVP_DigestSignInit(ctx, NULL, NULL, NULL, this->key) <= 0)
+	{
+		goto error;
+	}
+
+	if (EVP_DigestSign(ctx, NULL, &signature->len, data.ptr, data.len) <= 0)
+	{
+		goto error;
+	}
+
+	*signature = chunk_alloc(signature->len);
+
+	if (EVP_DigestSign(ctx, signature->ptr, &signature->len,
+					   data.ptr, data.len) <= 0)
+	{
+		goto error;
+	}
+
+	success = TRUE;
+
+error:
+	EVP_MD_CTX_free(ctx);
+	return success;
+}
+
+METHOD(private_key_t, decrypt, bool,
+	private_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
+{
+	DBG1(DBG_LIB, "EdDSA private key decryption not implemented");
+	return FALSE;
+}
+
+METHOD(private_key_t, get_keysize, int,
+	private_private_key_t *this)
+{
+	return openssl_ed_keysize(this->type);
+}
+
+METHOD(private_key_t, get_type, key_type_t,
+	private_private_key_t *this)
+{
+	return this->type;
+}
+
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_private_key_t *this)
+{
+	public_key_t *public;
+	chunk_t key;
+
+	if (!EVP_PKEY_get_raw_public_key(this->key, NULL, &key.len))
+	{
+		return FALSE;
+	}
+	key = chunk_alloca(key.len);
+	if (!EVP_PKEY_get_raw_public_key(this->key, key.ptr, &key.len))
+	{
+		return FALSE;
+	}
+	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, this->type,
+								BUILD_EDDSA_PUB, key, BUILD_END);
+	return public;
+}
+
+METHOD(private_key_t, get_fingerprint, bool,
+	private_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *fingerprint)
+{
+	return openssl_ed_fingerprint(this->key, type, fingerprint);
+}
+
+METHOD(private_key_t, get_encoding, bool,
+	private_private_key_t *this, cred_encoding_type_t type, chunk_t *encoding)
+{
+	u_char *p;
+
+	if (this->engine)
+	{
+		return FALSE;
+	}
+
+	switch (type)
+	{
+		case PRIVKEY_ASN1_DER:
+		case PRIVKEY_PEM:
+		{
+			bool success = TRUE;
+
+			*encoding = chunk_alloc(i2d_PrivateKey(this->key, NULL));
+			p = encoding->ptr;
+			i2d_PrivateKey(this->key, &p);
+
+			if (type == PRIVKEY_PEM)
+			{
+				chunk_t asn1_encoding = *encoding;
+
+				success = lib->encoding->encode(lib->encoding, PRIVKEY_PEM,
+								NULL, encoding, CRED_PART_EDDSA_PRIV_ASN1_DER,
+								asn1_encoding, CRED_PART_END);
+				chunk_clear(&asn1_encoding);
+			}
+			return success;
+		}
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_private_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public;
+}
+
+METHOD(private_key_t, destroy, void,
+	private_private_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		lib->encoding->clear_cache(lib->encoding, this->key);
+		EVP_PKEY_free(this->key);
+		free(this);
+	}
+}
+
+/**
+ * Internal generic constructor
+ */
+static private_private_key_t *create_internal(key_type_t type, EVP_PKEY *key)
+{
+	private_private_key_t *this;
+
+	INIT(this,
+		.public = {
+			.get_type = _get_type,
+			.sign = _sign,
+			.decrypt = _decrypt,
+			.get_keysize = _get_keysize,
+			.get_public_key = _get_public_key,
+			.equals = private_key_equals,
+			.belongs_to = private_key_belongs_to,
+			.get_fingerprint = _get_fingerprint,
+			.has_fingerprint = private_key_has_fingerprint,
+			.get_encoding = _get_encoding,
+			.get_ref = _get_ref,
+			.destroy = _destroy,
+		},
+		.type = type,
+		.key = key,
+		.ref = 1,
+	);
+
+	return this;
+}
+
+/*
+ * Described in header
+ */
+private_key_t *openssl_ed_private_key_create(EVP_PKEY *key, bool engine)
+{
+	private_private_key_t *this;
+	key_type_t type;
+
+	switch (EVP_PKEY_base_id(key))
+	{
+		case EVP_PKEY_X25519:
+			type = KEY_ED25519;
+			break;
+		case EVP_PKEY_X448:
+			type = KEY_ED448;
+			break;
+		default:
+			EVP_PKEY_free(key);
+			return NULL;
+	}
+
+	this = create_internal(type, key);
+	this->engine = engine;
+	return &this->public;
+}
+
+/*
+ * Described in header
+ */
+private_key_t *openssl_ed_private_key_gen(key_type_t type, va_list args)
+{
+	private_private_key_t *this;
+	EVP_PKEY_CTX *ctx;
+	EVP_PKEY *key = NULL;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_KEY_SIZE:
+				/* just ignore the key size */
+				va_arg(args, u_int);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	ctx = EVP_PKEY_CTX_new_id(openssl_ed_key_type(type), NULL);
+	if (!ctx ||
+		EVP_PKEY_keygen_init(ctx) <= 0 ||
+		EVP_PKEY_keygen(ctx, &key) <= 0)
+	{
+		DBG1(DBG_LIB, "generating %N key failed", key_type_names, type);
+		EVP_PKEY_CTX_free(ctx);
+		return NULL;
+	}
+	EVP_PKEY_CTX_free(ctx);
+
+	this = create_internal(type, key);
+	return &this->public;
+}
+
+/*
+ * Described in header
+ */
+private_key_t *openssl_ed_private_key_load(key_type_t type, va_list args)
+{
+	private_private_key_t *this;
+	chunk_t blob = chunk_empty, priv = chunk_empty;
+	EVP_PKEY *key = NULL;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_EDDSA_PRIV_ASN1_DER:
+				priv = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	if (priv.len)
+	{
+		/* unwrap octet string */
+		if (asn1_unwrap(&priv, &priv) == 0x04 && priv.len)
+		{
+			key = EVP_PKEY_new_raw_private_key(openssl_ed_key_type(type), NULL,
+											   priv.ptr, priv.len);
+		}
+	}
+	else if (blob.len)
+	{
+		key = d2i_PrivateKey(openssl_ed_key_type(type), NULL,
+							 (const u_char**)&blob.ptr, blob.len);
+	}
+	if (!key)
+	{
+		return NULL;
+	}
+	this = create_internal(type, key);
+	return &this->public;
+}
+
+#endif /* OPENSSL_NO_ECDSA */
diff --git a/src/libstrongswan/plugins/openssl/openssl_ed_private_key.h b/src/libstrongswan/plugins/openssl/openssl_ed_private_key.h
new file mode 100644
index 000000000..ce9071348
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_ed_private_key.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup openssl_ed_private_key openssl_ed_private_key
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_ED_PRIVATE_KEY_H_
+#define OPENSSL_ED_PRIVATE_KEY_H_
+
+#include <openssl/evp.h>
+
+#include <credentials/builder.h>
+#include <credentials/keys/private_key.h>
+
+/**
+ * Generate an EdDSA private key using OpenSSL.
+ *
+ * @param type		type of the key, must be KEY_ED25519 or KEY_ED448
+ * @param args		builder_part_t argument list
+ * @return 			generated key, NULL on failure
+ */
+private_key_t *openssl_ed_private_key_gen(key_type_t type, va_list args);
+
+/**
+ * Load an EdDSA private key using OpenSSL.
+ *
+ * Accepts a BUILD_BLOB_ASN1_DER argument.
+ *
+ * @param type		type of the key, must be KEY_ED25519 or KEY_ED448
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
+ */
+private_key_t *openssl_ed_private_key_load(key_type_t type, va_list args);
+
+/**
+ * Wrap an EVP_PKEY object of type EVP_PKEY_ED25519/448
+ *
+ * @param key		EVP_PKEY object (adopted)
+ * @param engine	whether the key was loaded via an engine
+ * @return 			loaded key, NULL on failure
+ */
+private_key_t *openssl_ed_private_key_create(EVP_PKEY *key, bool engine);
+
+#endif /** OPENSSL_ED_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_ed_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ed_public_key.c
new file mode 100644
index 000000000..2daddc57e
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_ed_public_key.c
@@ -0,0 +1,304 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <openssl/evp.h>
+
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
+
+#include <openssl/x509.h>
+
+#include "openssl_ed_public_key.h"
+
+#include <utils/debug.h>
+
+typedef struct private_public_key_t private_public_key_t;
+
+/**
+ * Private data
+ */
+struct private_public_key_t {
+
+	/**
+	 * Public interface
+	 */
+	public_key_t public;
+
+	/**
+	 * Key object
+	 */
+	EVP_PKEY *key;
+
+	/**
+	 * Key type
+	 */
+	key_type_t type;
+
+	/**
+	 * Reference counter
+	 */
+	refcount_t ref;
+};
+
+/**
+ * Map a key type to an EVP key type
+ */
+int openssl_ed_key_type(key_type_t type)
+{
+	switch (type)
+	{
+		case KEY_ED25519:
+			return EVP_PKEY_ED25519;
+		case KEY_ED448:
+			return EVP_PKEY_ED448;
+		default:
+			return 0;
+	}
+}
+
+/**
+ * Map a key type to a key size
+ */
+int openssl_ed_keysize(key_type_t type)
+{
+	switch (type)
+	{
+		case KEY_ED25519:
+			return 32 * 8;
+		case KEY_ED448:
+			return 57 * 8;
+		default:
+			return 0;
+	}
+}
+
+METHOD(public_key_t, get_type, key_type_t,
+	private_public_key_t *this)
+{
+	return this->type;
+}
+
+METHOD(public_key_t, verify, bool,
+	private_public_key_t *this, signature_scheme_t scheme,
+	void *params, chunk_t data, chunk_t signature)
+{
+	EVP_MD_CTX *ctx;
+
+	if ((this->type == KEY_ED25519 && scheme != SIGN_ED25519) ||
+		(this->type == KEY_ED448 && scheme != SIGN_ED448))
+	{
+		DBG1(DBG_LIB, "signature scheme %N not supported by %N key",
+			 signature_scheme_names, scheme, key_type_names, this->type);
+		return FALSE;
+	}
+
+	ctx = EVP_MD_CTX_new();
+	if (!ctx ||
+		EVP_DigestVerifyInit(ctx, NULL, NULL, NULL, this->key) <= 0 ||
+		EVP_DigestVerify(ctx, signature.ptr, signature.len,
+						 data.ptr, data.len) <= 0)
+	{
+		EVP_MD_CTX_free(ctx);
+		return FALSE;
+	}
+	EVP_MD_CTX_free(ctx);
+	return TRUE;
+}
+
+METHOD(public_key_t, encrypt, bool,
+	private_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
+{
+	DBG1(DBG_LIB, "encryption scheme %N not supported", encryption_scheme_names,
+		 scheme);
+	return FALSE;
+}
+
+METHOD(public_key_t, get_keysize, int,
+	private_public_key_t *this)
+{
+	return openssl_ed_keysize(this->type);
+}
+
+/**
+ * Calculate fingerprint from an EdDSA key, also used in ed private key.
+ */
+bool openssl_ed_fingerprint(EVP_PKEY *key, cred_encoding_type_t type,
+							chunk_t *fp)
+{
+	hasher_t *hasher;
+	chunk_t blob;
+	u_char *p;
+
+	if (lib->encoding->get_cache(lib->encoding, type, key, fp))
+	{
+		return TRUE;
+	}
+	switch (type)
+	{
+		case KEYID_PUBKEY_SHA1:
+			if (!EVP_PKEY_get_raw_public_key(key, NULL, &blob.len))
+			{
+				return FALSE;
+			}
+			blob = chunk_alloca(blob.len);
+			if (!EVP_PKEY_get_raw_public_key(key, blob.ptr, &blob.len))
+			{
+				return FALSE;
+			}
+			break;
+		case KEYID_PUBKEY_INFO_SHA1:
+			blob = chunk_alloca(i2d_PUBKEY(key, NULL));
+			p = blob.ptr;
+			i2d_PUBKEY(key, &p);
+			break;
+		default:
+			return FALSE;
+	}
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (!hasher || !hasher->allocate_hash(hasher, blob, fp))
+	{
+		DBG1(DBG_LIB, "SHA1 not supported, fingerprinting failed");
+		DESTROY_IF(hasher);
+		return FALSE;
+	}
+	hasher->destroy(hasher);
+	lib->encoding->cache(lib->encoding, type, key, *fp);
+	return TRUE;
+}
+
+METHOD(public_key_t, get_fingerprint, bool,
+	private_public_key_t *this, cred_encoding_type_t type, chunk_t *fingerprint)
+{
+	return openssl_ed_fingerprint(this->key, type, fingerprint);
+}
+
+METHOD(public_key_t, get_encoding, bool,
+	private_public_key_t *this, cred_encoding_type_t type, chunk_t *encoding)
+{
+	bool success = TRUE;
+	u_char *p;
+
+	*encoding = chunk_alloc(i2d_PUBKEY(this->key, NULL));
+	p = encoding->ptr;
+	i2d_PUBKEY(this->key, &p);
+
+	if (type != PUBKEY_SPKI_ASN1_DER)
+	{
+		chunk_t asn1_encoding = *encoding;
+
+		success = lib->encoding->encode(lib->encoding, type,
+								NULL, encoding, CRED_PART_EDDSA_PUB_ASN1_DER,
+								asn1_encoding, CRED_PART_END);
+		chunk_clear(&asn1_encoding);
+	}
+	return success;
+}
+
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_public_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public;
+}
+
+METHOD(public_key_t, destroy, void,
+	private_public_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		lib->encoding->clear_cache(lib->encoding, this->key);
+		EVP_PKEY_free(this->key);
+		free(this);
+	}
+}
+
+/**
+ * Generic private constructor
+ */
+static private_public_key_t *create_empty(key_type_t type)
+{
+	private_public_key_t *this;
+
+	INIT(this,
+		.public = {
+			.get_type = _get_type,
+			.verify = _verify,
+			.encrypt = _encrypt,
+			.get_keysize = _get_keysize,
+			.equals = public_key_equals,
+			.get_fingerprint = _get_fingerprint,
+			.has_fingerprint = public_key_has_fingerprint,
+			.get_encoding = _get_encoding,
+			.get_ref = _get_ref,
+			.destroy = _destroy,
+		},
+		.type = type,
+		.ref = 1,
+	);
+
+	return this;
+}
+
+/*
+ * Described in header
+ */
+public_key_t *openssl_ed_public_key_load(key_type_t type, va_list args)
+{
+	private_public_key_t *this;
+	chunk_t blob = chunk_empty, pub = chunk_empty;
+	EVP_PKEY *key = NULL;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_EDDSA_PUB:
+				pub = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	if (pub.len)
+	{
+		key = EVP_PKEY_new_raw_public_key(openssl_ed_key_type(type), NULL,
+										  pub.ptr, pub.len);
+	}
+	else if (blob.len)
+	{
+		key = d2i_PUBKEY(NULL, (const u_char**)&blob.ptr, blob.len);
+		if (key && EVP_PKEY_base_id(key) != openssl_ed_key_type(type))
+		{
+			EVP_PKEY_free(key);
+			return NULL;
+		}
+	}
+	if (!key)
+	{
+		return NULL;
+	}
+	this = create_empty(type);
+	this->key = key;
+	return &this->public;
+}
+
+#endif /* OPENSSL_VERSION_NUMBER */
diff --git a/src/libstrongswan/plugins/openssl/openssl_ed_public_key.h b/src/libstrongswan/plugins/openssl/openssl_ed_public_key.h
new file mode 100644
index 000000000..c4e1ba3ed
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_ed_public_key.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup openssl_ed_public_key openssl_ed_public_key
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_ED_PUBLIC_KEY_H_
+#define OPENSSL_ED_PUBLIC_KEY_H_
+
+#include <credentials/builder.h>
+#include <credentials/keys/public_key.h>
+
+/**
+ * Load an EdDSA public key using OpenSSL.
+ *
+ * Accepts a BUILD_BLOB_ASN1_DER argument.
+ *
+ * @param type		type of the key, must be KEY_ED25519 or KEY_ED448
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
+ */
+public_key_t *openssl_ed_public_key_load(key_type_t type, va_list args);
+
+#endif /** OPENSSL_ED_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 8b0a7c5c7..cbeb6c3b7 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2016 Tobias Brunner
+ * Copyright (C) 2008-2018 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -47,6 +47,9 @@
 #include "openssl_rng.h"
 #include "openssl_hmac.h"
 #include "openssl_gcm.h"
+#include "openssl_x_diffie_hellman.h"
+#include "openssl_ed_public_key.h"
+#include "openssl_ed_private_key.h"
 
 #ifndef FIPS_MODE
 #define FIPS_MODE 0
@@ -307,6 +310,11 @@ static private_key_t *openssl_private_key_load(key_type_t type, va_list args)
 				case EVP_PKEY_EC:
 					return openssl_ec_private_key_create(key, FALSE);
 #endif
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
+				case EVP_PKEY_ED25519:
+				case EVP_PKEY_ED448:
+					return openssl_ed_private_key_create(key, FALSE);
+#endif /* OPENSSL_VERSION_NUMBER */
 				default:
 					EVP_PKEY_free(key);
 					break;
@@ -370,7 +378,7 @@ static private_key_t *openssl_private_key_connect(key_type_t type,
 #ifndef OPENSSL_NO_ENGINE
 	char *engine_id = NULL;
 	char keyname[BUF_LEN];
-	chunk_t keyid = chunk_empty;;
+	chunk_t keyid = chunk_empty;
 	EVP_PKEY *key;
 	ENGINE *engine;
 	int slot = -1;
@@ -395,7 +403,7 @@ static private_key_t *openssl_private_key_connect(key_type_t type,
 		}
 		break;
 	}
-	if (!keyid.len || keyid.len > 40)
+	if (!keyid.len)
 	{
 		return NULL;
 	}
@@ -405,7 +413,7 @@ static private_key_t *openssl_private_key_connect(key_type_t type,
 	{
 		snprintf(keyname, sizeof(keyname), "%d:", slot);
 	}
-	if (sizeof(keyname) - strlen(keyname) <= keyid.len * 4 / 3 + 1)
+	if (sizeof(keyname) - strlen(keyname) <= keyid.len * 2 + 1)
 	{
 		return NULL;
 	}
@@ -428,21 +436,21 @@ static private_key_t *openssl_private_key_connect(key_type_t type,
 		ENGINE_free(engine);
 		return NULL;
 	}
+	ENGINE_free(engine);
 	if (!login(engine, keyid))
 	{
 		DBG1(DBG_LIB, "login to engine '%s' failed", engine_id);
-		ENGINE_free(engine);
+		ENGINE_finish(engine);
 		return NULL;
 	}
 	key = ENGINE_load_private_key(engine, keyname, NULL, NULL);
+	ENGINE_finish(engine);
 	if (!key)
 	{
 		DBG1(DBG_LIB, "failed to load private key with ID '%s' from "
 			 "engine '%s'", keyname, engine_id);
-		ENGINE_free(engine);
 		return NULL;
 	}
-	ENGINE_free(engine);
 
 	switch (EVP_PKEY_base_id(key))
 	{
@@ -454,6 +462,11 @@ static private_key_t *openssl_private_key_connect(key_type_t type,
 		case EVP_PKEY_EC:
 			return openssl_ec_private_key_create(key, TRUE);
 #endif
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
+		case EVP_PKEY_ED25519:
+		case EVP_PKEY_ED448:
+			return openssl_ed_private_key_create(key, TRUE);
+#endif /* OPENSSL_VERSION_NUMBER */
 		default:
 			EVP_PKEY_free(key);
 			break;
@@ -594,7 +607,7 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(DH, ECP_384_BP),
 			PLUGIN_PROVIDE(DH, ECP_512_BP),
 			PLUGIN_PROVIDE(DH, ECP_224_BP),
-#endif
+#endif /* OPENSSL_NO_ECDH */
 #ifndef OPENSSL_NO_DH
 		/* MODP DH groups */
 		PLUGIN_REGISTER(DH, openssl_diffie_hellman_create),
@@ -699,6 +712,30 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
 #endif
 #endif /* OPENSSL_NO_ECDSA */
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
+		PLUGIN_REGISTER(DH, openssl_x_diffie_hellman_create),
+			/* available since 1.1.0a, but we require 1.1.1 features */
+			PLUGIN_PROVIDE(DH, CURVE_25519),
+			/* available since 1.1.1 */
+			PLUGIN_PROVIDE(DH, CURVE_448),
+		/* EdDSA private/public key loading */
+		PLUGIN_REGISTER(PUBKEY, openssl_ed_public_key_load, TRUE),
+			PLUGIN_PROVIDE(PUBKEY, KEY_ED25519),
+			PLUGIN_PROVIDE(PUBKEY, KEY_ED448),
+		PLUGIN_REGISTER(PRIVKEY, openssl_ed_private_key_load, TRUE),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ED25519),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ED448),
+		PLUGIN_REGISTER(PRIVKEY_GEN, openssl_ed_private_key_gen, FALSE),
+			PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED25519),
+			PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED448),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED25519),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED448),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED25519),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED448),
+		/* register a pro forma identity hasher, never instantiated */
+		PLUGIN_REGISTER(HASHER, return_null),
+			PLUGIN_PROVIDE(HASHER, HASH_IDENTITY),
+#endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_EC */
 		/* generic key loader */
 		PLUGIN_REGISTER(PRIVKEY, openssl_private_key_load, TRUE),
 			PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
diff --git a/src/libstrongswan/plugins/openssl/openssl_rng.c b/src/libstrongswan/plugins/openssl/openssl_rng.c
index a25b6b4b6..d3993749f 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rng.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rng.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2012-2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2012 Aleksandr Grinberg
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -24,7 +27,6 @@
 #include <utils/debug.h>
 
 #include <openssl/rand.h>
-#include <openssl/err.h>
 
 #include "openssl_rng.h"
 
@@ -49,6 +51,13 @@ struct private_openssl_rng_t {
 METHOD(rng_t, get_bytes, bool,
 	private_openssl_rng_t *this, size_t bytes, uint8_t *buffer)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL
+	if (this->quality > RNG_WEAK)
+	{	/* use a separate DRBG for data we want to keep private, compared
+		 * to e.g. nonces */
+		return RAND_priv_bytes((char*)buffer, bytes) == 1;
+	}
+#endif
 	return RAND_bytes((char*)buffer, bytes) == 1;
 }
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 401a51a0b..8a9fdfe25 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -103,13 +103,8 @@ static bool build_signature(private_openssl_rsa_private_key_t *this,
 	if (pss)
 	{
 		const EVP_MD *mgf1md = openssl_get_md(pss->mgf1_hash);
-		int slen = EVP_MD_size(md);
-		if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT)
-		{
-			slen = pss->salt_len;
-		}
 		if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 ||
-			EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, slen) <= 0 ||
+			EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, pss->salt_len) <= 0 ||
 			EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, mgf1md) <= 0)
 		{
 			goto error;
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index 20bf30ae9..38b4eda35 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -95,13 +95,8 @@ static bool verify_signature(private_openssl_rsa_public_key_t *this,
 	if (pss)
 	{
 		const EVP_MD *mgf1md = openssl_get_md(pss->mgf1_hash);
-		int slen = EVP_MD_size(md);
-		if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT)
-		{
-			slen = pss->salt_len;
-		}
 		if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 ||
-			EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, slen) <= 0 ||
+			EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, pss->salt_len) <= 0 ||
 			EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, mgf1md) <= 0)
 		{
 			goto error;
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c
index b7f969f73..f99dcd6b1 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.c
+++ b/src/libstrongswan/plugins/openssl/openssl_util.c
@@ -26,6 +26,7 @@
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 #define OBJ_get0_data(o) ((o)->data)
 #define OBJ_length(o) ((o)->length)
+#define ASN1_STRING_get0_data(a) ASN1_STRING_data((ASN1_STRING*)a)
 #endif
 
 /**
@@ -164,11 +165,12 @@ chunk_t openssl_asn1_obj2chunk(ASN1_OBJECT *asn1)
 /**
  * Described in header.
  */
-chunk_t openssl_asn1_str2chunk(ASN1_STRING *asn1)
+chunk_t openssl_asn1_str2chunk(const ASN1_STRING *asn1)
 {
 	if (asn1)
 	{
-		return chunk_create(ASN1_STRING_data(asn1), ASN1_STRING_length(asn1));
+		return chunk_create((u_char*)ASN1_STRING_get0_data(asn1),
+							ASN1_STRING_length(asn1));
 	}
 	return chunk_empty;
 }
@@ -212,7 +214,7 @@ int openssl_asn1_known_oid(ASN1_OBJECT *obj)
 /**
  * Described in header.
  */
-time_t openssl_asn1_to_time(ASN1_TIME *time)
+time_t openssl_asn1_to_time(const ASN1_TIME *time)
 {
 	chunk_t chunk;
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.h b/src/libstrongswan/plugins/openssl/openssl_util.h
index 80e557fa8..4afe76bf2 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.h
+++ b/src/libstrongswan/plugins/openssl/openssl_util.h
@@ -109,7 +109,7 @@ chunk_t openssl_asn1_obj2chunk(ASN1_OBJECT *asn1);
  * @param asn1		asn1 string to convert
  * @return			chunk, pointing into asn1 string
  */
-chunk_t openssl_asn1_str2chunk(ASN1_STRING *asn1);
+chunk_t openssl_asn1_str2chunk(const ASN1_STRING *asn1);
 
 /**
  * Convert an openssl X509_NAME to a identification_t of type ID_DER_ASN1_DN.
@@ -133,7 +133,7 @@ int openssl_asn1_known_oid(ASN1_OBJECT *obj);
  * @param time		openssl ASN1_TIME
  * @returns			time_t, 0 on error
  */
-time_t openssl_asn1_to_time(ASN1_TIME *time);
+time_t openssl_asn1_to_time(const ASN1_TIME *time);
 
 /**
  * Compatibility macros
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index fae2d678f..fe21b0221 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -389,7 +389,11 @@ METHOD(certificate_t, issued_by, bool,
 	public_key_t *key;
 	bool valid;
 	x509_t *x509 = (x509_t*)issuer;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	const ASN1_BIT_STRING *sig;
+#else
 	ASN1_BIT_STRING *sig;
+#endif
 	chunk_t tbs;
 
 	if (&this->public.x509.interface == issuer)
@@ -993,7 +997,7 @@ static bool parse_subjectKeyIdentifier_ext(private_openssl_x509_t *this,
  */
 static bool parse_extensions(private_openssl_x509_t *this)
 {
-	STACK_OF(X509_EXTENSION) *extensions;
+	const STACK_OF(X509_EXTENSION) *extensions;
 	int i, num;
 
 	/* unless we see a keyUsage extension we are compliant with RFC 4945 */
@@ -1077,7 +1081,11 @@ static bool parse_certificate(private_openssl_x509_t *this)
 	hasher_t *hasher;
 	chunk_t chunk, sig_scheme, sig_scheme_tbs;
 	ASN1_OBJECT *oid;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	const X509_ALGOR *alg;
+#else
 	X509_ALGOR *alg;
+#endif
 
 	this->x509 = d2i_X509(NULL, &ptr, this->encoding.len);
 	if (!this->x509)
@@ -1135,9 +1143,9 @@ static bool parse_certificate(private_openssl_x509_t *this)
 	/* while X509_ALGOR_cmp() is declared in the headers of older OpenSSL
 	 * versions, at least on Ubuntu 14.04 it is not actually defined */
 	X509_get0_signature(NULL, &alg, this->x509);
-	sig_scheme = openssl_i2chunk(X509_ALGOR, alg);
+	sig_scheme = openssl_i2chunk(X509_ALGOR, (X509_ALGOR*)alg);
 	alg = X509_get0_tbs_sigalg(this->x509);
-	sig_scheme_tbs = openssl_i2chunk(X509_ALGOR, alg);
+	sig_scheme_tbs = openssl_i2chunk(X509_ALGOR, (X509_ALGOR*)alg);
 	if (!chunk_equals(sig_scheme, sig_scheme_tbs))
 	{
 		free(sig_scheme_tbs.ptr);
diff --git a/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.c
new file mode 100644
index 000000000..37943f5bf
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.c
@@ -0,0 +1,256 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <openssl/evp.h>
+
+/* basic support for X25519 was added with 1.1.0a, but we require features (e.g.
+ * to load the keys) that were only added with 1.1.1 */
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_ECDH)
+
+#include "openssl_x_diffie_hellman.h"
+
+#include <utils/debug.h>
+
+typedef struct private_diffie_hellman_t private_diffie_hellman_t;
+
+/**
+ * Private data
+ */
+struct private_diffie_hellman_t {
+	/**
+	 * Public interface.
+	 */
+	diffie_hellman_t public;
+
+	/**
+	 * Diffie Hellman group number.
+	 */
+	diffie_hellman_group_t group;
+
+	/**
+	 * Private (public) key
+	 */
+	EVP_PKEY *key;
+
+	/**
+	 * Shared secret
+	 */
+	chunk_t shared_secret;
+
+	/**
+	 * True if shared secret is computed
+	 */
+	bool computed;
+};
+
+/**
+ * Map a DH group to a key type
+ */
+static int map_key_type(diffie_hellman_group_t group)
+{
+	switch (group)
+	{
+		case CURVE_25519:
+			return EVP_PKEY_X25519;
+		case CURVE_448:
+			return EVP_PKEY_X448;
+		default:
+			return 0;
+	}
+}
+
+/**
+ * Compute the shared secret
+ */
+static bool compute_shared_key(private_diffie_hellman_t *this, EVP_PKEY *pub,
+							   chunk_t *shared_secret)
+{
+	EVP_PKEY_CTX *ctx;
+	bool success = FALSE;
+
+	ctx = EVP_PKEY_CTX_new(this->key, NULL);
+	if (!ctx)
+	{
+		return FALSE;
+	}
+
+	if (EVP_PKEY_derive_init(ctx) <= 0)
+	{
+		goto error;
+	}
+
+	if (EVP_PKEY_derive_set_peer(ctx, pub) <= 0)
+	{
+		goto error;
+	}
+
+	if (EVP_PKEY_derive(ctx, NULL, &shared_secret->len) <= 0)
+	{
+		goto error;
+	}
+
+	*shared_secret = chunk_alloc(shared_secret->len);
+
+	if (EVP_PKEY_derive(ctx, shared_secret->ptr, &shared_secret->len) <= 0)
+	{
+		goto error;
+	}
+
+	success = TRUE;
+
+error:
+	EVP_PKEY_CTX_free(ctx);
+	return success;
+}
+
+METHOD(diffie_hellman_t, set_other_public_value, bool,
+	private_diffie_hellman_t *this, chunk_t value)
+{
+	EVP_PKEY *pub;
+
+	if (!diffie_hellman_verify_value(this->group, value))
+	{
+		return FALSE;
+	}
+
+	pub =  EVP_PKEY_new_raw_public_key(map_key_type(this->group), NULL,
+                                       value.ptr, value.len);
+	if (!pub)
+	{
+		DBG1(DBG_LIB, "%N public value is malformed",
+			 diffie_hellman_group_names, this->group);
+		return FALSE;
+	}
+
+	chunk_clear(&this->shared_secret);
+
+	if (!compute_shared_key(this, pub, &this->shared_secret))
+	{
+		DBG1(DBG_LIB, "%N shared secret computation failed",
+			 diffie_hellman_group_names, this->group);
+		EVP_PKEY_free(pub);
+		return FALSE;
+	}
+	this->computed = TRUE;
+	EVP_PKEY_free(pub);
+	return TRUE;
+}
+
+METHOD(diffie_hellman_t, get_my_public_value, bool,
+	private_diffie_hellman_t *this, chunk_t *value)
+{
+	size_t len;
+
+	if (!EVP_PKEY_get_raw_public_key(this->key, NULL, &len))
+	{
+		return FALSE;
+	}
+
+	*value = chunk_alloc(len);
+
+	if (!EVP_PKEY_get_raw_public_key(this->key, value->ptr, &value->len))
+	{
+		chunk_free(value);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(diffie_hellman_t, set_private_value, bool,
+	private_diffie_hellman_t *this, chunk_t value)
+{
+	EVP_PKEY_free(this->key);
+	this->key = EVP_PKEY_new_raw_private_key(map_key_type(this->group), NULL,
+											 value.ptr, value.len);
+	if (!this->key)
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(diffie_hellman_t, get_shared_secret, bool,
+	private_diffie_hellman_t *this, chunk_t *secret)
+{
+	if (!this->computed)
+	{
+		return FALSE;
+	}
+	*secret = chunk_clone(this->shared_secret);
+	return TRUE;
+}
+
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_diffie_hellman_t *this)
+{
+	return this->group;
+}
+
+METHOD(diffie_hellman_t, destroy, void,
+	private_diffie_hellman_t *this)
+{
+	EVP_PKEY_free(this->key);
+	chunk_clear(&this->shared_secret);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+diffie_hellman_t *openssl_x_diffie_hellman_create(diffie_hellman_group_t group)
+{
+	private_diffie_hellman_t *this;
+	EVP_PKEY_CTX *ctx = NULL;
+	EVP_PKEY *key = NULL;
+
+	switch (group)
+	{
+		case CURVE_25519:
+			ctx = EVP_PKEY_CTX_new_id(NID_X25519, NULL);
+			break;
+		case CURVE_448:
+			ctx = EVP_PKEY_CTX_new_id(NID_X448, NULL);
+			break;
+		default:
+			break;
+	}
+
+	if (!ctx ||
+		EVP_PKEY_keygen_init(ctx) <= 0 ||
+		EVP_PKEY_keygen(ctx, &key) <= 0)
+	{
+		DBG1(DBG_LIB, "generating key for %N failed",
+			 diffie_hellman_group_names, group);
+		EVP_PKEY_CTX_free(ctx);
+		return NULL;
+	}
+	EVP_PKEY_CTX_free(ctx);
+
+	INIT(this,
+		.public = {
+			.get_shared_secret = _get_shared_secret,
+			.set_other_public_value = _set_other_public_value,
+			.get_my_public_value = _get_my_public_value,
+			.set_private_value = _set_private_value,
+			.get_dh_group = _get_dh_group,
+			.destroy = _destroy,
+		},
+		.group = group,
+		.key = key,
+	);
+	return &this->public;
+}
+
+#endif /* OPENSSL_NO_ECDH */
diff --git a/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.h
new file mode 100644
index 000000000..e28f38d15
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * Implementation of the X25519/X448 Diffie-Hellman algorithm using OpenSSL.
+ *
+ * @defgroup openssl_x_diffie_hellman openssl_x_diffie_hellman
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_X_DIFFIE_HELLMAN_H_
+#define OPENSSL_X_DIFFIE_HELLMAN_H_
+
+#include <library.h>
+
+/**
+ * Creates a new diffie_hellman_t object.
+ *
+ * @param group			Diffie Hellman group number to use
+ * @return				object, NULL if not supported
+ */
+diffie_hellman_t *openssl_x_diffie_hellman_create(diffie_hellman_group_t group);
+
+#endif /** OPENSSL_X_DIFFIE_HELLMAN_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/sshkey/sshkey_builder.c b/src/libstrongswan/plugins/sshkey/sshkey_builder.c
index eab6559b3..934514249 100644
--- a/src/libstrongswan/plugins/sshkey/sshkey_builder.c
+++ b/src/libstrongswan/plugins/sshkey/sshkey_builder.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2014 Tobias Brunner
+ * Copyright (C) 2013-2018 Tobias Brunner
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -89,6 +89,34 @@ static sshkey_public_key_t *parse_public_key(chunk_t blob)
 		return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
 						BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
 	}
+	else if (chunk_equals(format, chunk_from_str("ssh-ed25519")))
+	{
+		chunk_t blob;
+
+		if (!reader->read_data32(reader, &blob))
+		{
+			DBG1(DBG_LIB, "invalid Ed25519 key in SSH key");
+			reader->destroy(reader);
+			return NULL;
+		}
+		reader->destroy(reader);
+		return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519,
+								  BUILD_EDDSA_PUB, blob, BUILD_END);
+	}
+	else if (chunk_equals(format, chunk_from_str("ssh-ed448")))
+	{
+		chunk_t blob;
+
+		if (!reader->read_data32(reader, &blob))
+		{
+			DBG1(DBG_LIB, "invalid Ed448 key in SSH key");
+			reader->destroy(reader);
+			return NULL;
+		}
+		reader->destroy(reader);
+		return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+								  BUILD_EDDSA_PUB, blob, BUILD_END);
+	}
 	else if (format.len > strlen(ECDSA_PREFIX) &&
 			 strpfx(format.ptr, ECDSA_PREFIX))
 	{
@@ -140,8 +168,9 @@ static sshkey_public_key_t *load_from_stream(FILE *file)
 	char line[1024], *token;
 
 	while (!public && fgets(line, sizeof(line), file))
-	{	/* the format is: ssh-rsa|ecdsa-... <key(base64)> <identifier> */
-		if (!strpfx(line, "ssh-rsa") && !strpfx(line, ECDSA_PREFIX))
+	{	/* the format is: ssh-<key-type> <key(base64)> <identifier> */
+		if (!strpfx(line, "ssh-rsa") && !strpfx(line, ECDSA_PREFIX) &&
+			!strpfx(line, "ssh-ed25519") && !strpfx(line, "ssh-ed448"))
 		{
 			continue;
 		}
diff --git a/src/libstrongswan/plugins/sshkey/sshkey_encoder.c b/src/libstrongswan/plugins/sshkey/sshkey_encoder.c
index 9f5f8bd1f..ed35fc010 100644
--- a/src/libstrongswan/plugins/sshkey/sshkey_encoder.c
+++ b/src/libstrongswan/plugins/sshkey/sshkey_encoder.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2013-2018 Tobias Brunner
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -72,6 +72,42 @@ static bool build_public_key(chunk_t *encoding, va_list args)
 		writer->destroy(writer);
 		return TRUE;
 	}
+	else if (cred_encoding_args(args, CRED_PART_EDDSA_PUB_ASN1_DER, &n,
+								CRED_PART_END))
+	{
+		chunk_t alg;
+		char *prefix;
+		int oid;
+
+		/* parse subjectPublicKeyInfo */
+		if (asn1_unwrap(&n, &n) != ASN1_SEQUENCE)
+		{
+			return FALSE;
+		}
+		oid = asn1_parse_algorithmIdentifier(n, 1, NULL);
+		switch (oid)
+		{
+			case OID_ED25519:
+				prefix = "ssh-ed25519";
+				break;
+			case OID_ED448:
+				prefix = "ssh-ed448";
+				break;
+			default:
+				return FALSE;
+		}
+		if (asn1_unwrap(&n, &alg) != ASN1_SEQUENCE ||
+			asn1_unwrap(&n, &n) != ASN1_BIT_STRING || !n.len)
+		{
+			return FALSE;
+		}
+		writer = bio_writer_create(0);
+		writer->write_data32(writer, chunk_from_str(prefix));
+		writer->write_data32(writer, chunk_skip(n, 1));
+		*encoding = chunk_to_base64(writer->get_buf(writer), NULL);
+		writer->destroy(writer);
+		return TRUE;
+	}
 	else if (cred_encoding_args(args, CRED_PART_ECDSA_PUB_ASN1_DER, &n,
 								CRED_PART_END))
 	{
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
index c4d9f2fc5..3d34cf7c9 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
@@ -49,6 +49,7 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors/ecp.c \
 	test_vectors/ecpbp.c \
 	test_vectors/curve25519.c \
+	test_vectors/curve448.c \
 	test_vectors/rng.c
 
 libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index 7f6c319c6..ed3ae0f40 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -156,7 +156,8 @@ am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \
 	test_vectors/sha3_shake.lo test_vectors/fips_prf.lo \
 	test_vectors/modp.lo test_vectors/modpsub.lo \
 	test_vectors/ecp.lo test_vectors/ecpbp.lo \
-	test_vectors/curve25519.lo test_vectors/rng.lo
+	test_vectors/curve25519.lo test_vectors/curve448.lo \
+	test_vectors/rng.lo
 libstrongswan_test_vectors_la_OBJECTS =  \
 	$(am_libstrongswan_test_vectors_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
@@ -518,6 +519,7 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors/ecp.c \
 	test_vectors/ecpbp.c \
 	test_vectors/curve25519.c \
+	test_vectors/curve448.c \
 	test_vectors/rng.c
 
 libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version
@@ -680,6 +682,8 @@ test_vectors/ecpbp.lo: test_vectors/$(am__dirstamp) \
 	test_vectors/$(DEPDIR)/$(am__dirstamp)
 test_vectors/curve25519.lo: test_vectors/$(am__dirstamp) \
 	test_vectors/$(DEPDIR)/$(am__dirstamp)
+test_vectors/curve448.lo: test_vectors/$(am__dirstamp) \
+	test_vectors/$(DEPDIR)/$(am__dirstamp)
 test_vectors/rng.lo: test_vectors/$(am__dirstamp) \
 	test_vectors/$(DEPDIR)/$(am__dirstamp)
 
@@ -710,6 +714,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/chacha20_xof.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/chacha20poly1305.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/curve25519.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/curve448.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/des.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/ecp.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/ecpbp.Plo@am__quote@
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
index 7ab965a82..7c8ac0c6e 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
@@ -116,6 +116,7 @@ TEST_VECTOR_AEAD(aes_gcm23)
 TEST_VECTOR_AEAD(chacha20poly1305_1)
 TEST_VECTOR_AEAD(chacha20poly1305_2)
 TEST_VECTOR_AEAD(chacha20poly1305_3)
+TEST_VECTOR_AEAD(chacha20poly1305_4)
 
 TEST_VECTOR_SIGNER(aes_xcbc_s1)
 TEST_VECTOR_SIGNER(aes_xcbc_s2)
@@ -305,3 +306,4 @@ TEST_VECTOR_DH(ecp384bp)
 TEST_VECTOR_DH(ecp512bp)
 TEST_VECTOR_DH(curve25519_1)
 TEST_VECTOR_DH(curve25519_2)
+TEST_VECTOR_DH(curve448_1)
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/chacha20poly1305.c b/src/libstrongswan/plugins/test_vectors/test_vectors/chacha20poly1305.c
index 21726cbbb..dcbfe5ca3 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/chacha20poly1305.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/chacha20poly1305.c
@@ -16,10 +16,40 @@
 #include <crypto/crypto_tester.h>
 
 /**
- * From draft-irtf-cfrg-chacha20-poly1305
+ * From RFC 7539
  */
 aead_test_vector_t chacha20poly1305_1 = {
 	.alg = ENCR_CHACHA20_POLY1305, .key_size = 32, .salt_size = 4,
+	.len = 114, .alen = 12,
+	.key	= "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
+			  "\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
+			  "\x07\x00\x00\x00",
+	.iv		= "\x40\x41\x42\x43\x44\x45\x46\x47",
+	.adata	= "\x50\x51\x52\x53\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7",
+	.plain	= "\x4c\x61\x64\x69\x65\x73\x20\x61\x6e\x64\x20\x47\x65\x6e\x74\x6c"
+			  "\x65\x6d\x65\x6e\x20\x6f\x66\x20\x74\x68\x65\x20\x63\x6c\x61\x73"
+			  "\x73\x20\x6f\x66\x20\x27\x39\x39\x3a\x20\x49\x66\x20\x49\x20\x63"
+			  "\x6f\x75\x6c\x64\x20\x6f\x66\x66\x65\x72\x20\x79\x6f\x75\x20\x6f"
+			  "\x6e\x6c\x79\x20\x6f\x6e\x65\x20\x74\x69\x70\x20\x66\x6f\x72\x20"
+			  "\x74\x68\x65\x20\x66\x75\x74\x75\x72\x65\x2c\x20\x73\x75\x6e\x73"
+			  "\x63\x72\x65\x65\x6e\x20\x77\x6f\x75\x6c\x64\x20\x62\x65\x20\x69"
+			  "\x74\x2e",
+	.cipher	= "\xd3\x1a\x8d\x34\x64\x8e\x60\xdb\x7b\x86\xaf\xbc\x53\xef\x7e\xc2"
+			  "\xa4\xad\xed\x51\x29\x6e\x08\xfe\xa9\xe2\xb5\xa7\x36\xee\x62\xd6"
+			  "\x3d\xbe\xa4\x5e\x8c\xa9\x67\x12\x82\xfa\xfb\x69\xda\x92\x72\x8b"
+			  "\x1a\x71\xde\x0a\x9e\x06\x0b\x29\x05\xd6\xa5\xb6\x7e\xcd\x3b\x36"
+			  "\x92\xdd\xbd\x7f\x2d\x77\x8b\x8c\x98\x03\xae\xe3\x28\x09\x1b\x58"
+			  "\xfa\xb3\x24\xe4\xfa\xd6\x75\x94\x55\x85\x80\x8b\x48\x31\xd7\xbc"
+			  "\x3f\xf4\xde\xf0\x8e\x4b\x7a\x9d\xe5\x76\xd2\x65\x86\xce\xc6\x4b"
+			  "\x61\x16\x1a\xe1\x0b\x59\x4f\x09\xe2\x6a\x7e\x90\x2e\xcb\xd0\x60"
+			  "\x06\x91",
+};
+
+/**
+ * Additional test vector from RFC 7539
+ */
+aead_test_vector_t chacha20poly1305_2 = {
+	.alg = ENCR_CHACHA20_POLY1305, .key_size = 32, .salt_size = 4,
 	.len = 265, .alen = 12,
 	.key	= "\x1c\x92\x40\xa5\xeb\x55\xd3\x8a\xf3\x33\x88\x86\x04\xf6\xb5\xf0"
 			  "\x47\x39\x17\xc1\x40\x2b\x80\x09\x9d\xca\x5c\xbc\x20\x70\x75\xc0"
@@ -64,9 +94,9 @@ aead_test_vector_t chacha20poly1305_1 = {
 };
 
 /**
- * ESP example from draft-ietf-ipsecme-chacha20-poly1305-06
+ * ESP example from RFC 7634
  */
-aead_test_vector_t chacha20poly1305_2 = {
+aead_test_vector_t chacha20poly1305_3 = {
 	.alg = ENCR_CHACHA20_POLY1305, .key_size = 32, .salt_size = 4,
 	.len = 88, .alen = 8,
 	.key	= "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
@@ -90,9 +120,9 @@ aead_test_vector_t chacha20poly1305_2 = {
 };
 
 /**
- * IKEv2 example from draft-ietf-ipsecme-chacha20-poly1305-06
+ * IKEv2 example from RFC 7634
  */
-aead_test_vector_t chacha20poly1305_3 = {
+aead_test_vector_t chacha20poly1305_4 = {
 	.alg = ENCR_CHACHA20_POLY1305, .key_size = 32, .salt_size = 4,
 	.len = 13, .alen = 32,
 	.key	= "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/curve25519.c b/src/libstrongswan/plugins/test_vectors/test_vectors/curve25519.c
index 676fcfc5a..23c024a37 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/curve25519.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/curve25519.c
@@ -16,7 +16,7 @@
 #include <crypto/crypto_tester.h>
 
 /**
- * From RFC 8037
+ * From RFC 7748
  */
 dh_test_vector_t curve25519_1 = {
 	.group = CURVE_25519, .priv_len = 32, .pub_len = 32, .shared_len = 32,
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/curve448.c b/src/libstrongswan/plugins/test_vectors/test_vectors/curve448.c
new file mode 100644
index 000000000..fccbb808a
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/curve448.c
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * From RFC 7748
+ */
+dh_test_vector_t curve448_1 = {
+	.group = CURVE_448, .priv_len = 56, .pub_len = 56, .shared_len = 56,
+	.priv_a	= "\x9a\x8f\x49\x25\xd1\x51\x9f\x57\x75\xcf\x46\xb0\x4b\x58\x00\xd4"
+			  "\xee\x9e\xe8\xba\xe8\xbc\x55\x65\xd4\x98\xc2\x8d\xd9\xc9\xba\xf5"
+			  "\x74\xa9\x41\x97\x44\x89\x73\x91\x00\x63\x82\xa6\xf1\x27\xab\x1d"
+			  "\x9a\xc2\xd8\xc0\xa5\x98\x72\x6b",
+	.priv_b = "\x1c\x30\x6a\x7a\xc2\xa0\xe2\xe0\x99\x0b\x29\x44\x70\xcb\xa3\x39"
+			  "\xe6\x45\x37\x72\xb0\x75\x81\x1d\x8f\xad\x0d\x1d\x69\x27\xc1\x20"
+			  "\xbb\x5e\xe8\x97\x2b\x0d\x3e\x21\x37\x4c\x9c\x92\x1b\x09\xd1\xb0"
+			  "\x36\x6f\x10\xb6\x51\x73\x99\x2d",
+	.pub_a	= "\x9b\x08\xf7\xcc\x31\xb7\xe3\xe6\x7d\x22\xd5\xae\xa1\x21\x07\x4a"
+			  "\x27\x3b\xd2\xb8\x3d\xe0\x9c\x63\xfa\xa7\x3d\x2c\x22\xc5\xd9\xbb"
+			  "\xc8\x36\x64\x72\x41\xd9\x53\xd4\x0c\x5b\x12\xda\x88\x12\x0d\x53"
+			  "\x17\x7f\x80\xe5\x32\xc4\x1f\xa0",
+	.pub_b	= "\x3e\xb7\xa8\x29\xb0\xcd\x20\xf5\xbc\xfc\x0b\x59\x9b\x6f\xec\xcf"
+			  "\x6d\xa4\x62\x71\x07\xbd\xb0\xd4\xf3\x45\xb4\x30\x27\xd8\xb9\x72"
+			  "\xfc\x3e\x34\xfb\x42\x32\xa1\x3c\xa7\x06\xdc\xb5\x7a\xec\x3d\xae"
+			  "\x07\xbd\xc1\xc6\x7b\xf3\x36\x09",
+	.shared	= "\x07\xff\xf4\x18\x1a\xc6\xcc\x95\xec\x1c\x16\xa9\x4a\x0f\x74\xd1"
+			  "\x2d\xa2\x32\xce\x40\xa7\x75\x52\x28\x1d\x28\x2b\xb6\x0c\x0b\x56"
+			  "\xfd\x24\x64\xc3\x35\x54\x39\x36\x52\x1c\x24\x40\x30\x85\xd5\x9a"
+			  "\x44\x9a\x50\x37\x51\x4a\x87\x9d",
+};
diff --git a/src/libstrongswan/settings/settings_lexer.c b/src/libstrongswan/settings/settings_lexer.c
index c29dfa57b..a88a58f0e 100644
--- a/src/libstrongswan/settings/settings_lexer.c
+++ b/src/libstrongswan/settings/settings_lexer.c
@@ -7,7 +7,6 @@
 /* A lexical scanner generated by flex */
 
 /* %not-for-header */
-
 /* %if-c-only */
 /* %if-not-reentrant */
 /* %endif */
@@ -17,7 +16,7 @@
 #define FLEX_SCANNER
 #define YY_FLEX_MAJOR_VERSION 2
 #define YY_FLEX_MINOR_VERSION 6
-#define YY_FLEX_SUBMINOR_VERSION 0
+#define YY_FLEX_SUBMINOR_VERSION 4
 #if YY_FLEX_SUBMINOR_VERSION > 0
 #define FLEX_BETA
 #endif
@@ -26,9 +25,230 @@
 /* %endif */
 
 /* %if-c-only */
-    
+#ifdef yy_create_buffer
+#define settings_parser__create_buffer_ALREADY_DEFINED
+#else
+#define yy_create_buffer settings_parser__create_buffer
+#endif
+
+#ifdef yy_delete_buffer
+#define settings_parser__delete_buffer_ALREADY_DEFINED
+#else
+#define yy_delete_buffer settings_parser__delete_buffer
+#endif
+
+#ifdef yy_scan_buffer
+#define settings_parser__scan_buffer_ALREADY_DEFINED
+#else
+#define yy_scan_buffer settings_parser__scan_buffer
+#endif
+
+#ifdef yy_scan_string
+#define settings_parser__scan_string_ALREADY_DEFINED
+#else
+#define yy_scan_string settings_parser__scan_string
+#endif
+
+#ifdef yy_scan_bytes
+#define settings_parser__scan_bytes_ALREADY_DEFINED
+#else
+#define yy_scan_bytes settings_parser__scan_bytes
+#endif
+
+#ifdef yy_init_buffer
+#define settings_parser__init_buffer_ALREADY_DEFINED
+#else
+#define yy_init_buffer settings_parser__init_buffer
+#endif
+
+#ifdef yy_flush_buffer
+#define settings_parser__flush_buffer_ALREADY_DEFINED
+#else
+#define yy_flush_buffer settings_parser__flush_buffer
+#endif
+
+#ifdef yy_load_buffer_state
+#define settings_parser__load_buffer_state_ALREADY_DEFINED
+#else
+#define yy_load_buffer_state settings_parser__load_buffer_state
+#endif
+
+#ifdef yy_switch_to_buffer
+#define settings_parser__switch_to_buffer_ALREADY_DEFINED
+#else
+#define yy_switch_to_buffer settings_parser__switch_to_buffer
+#endif
+
+#ifdef yypush_buffer_state
+#define settings_parser_push_buffer_state_ALREADY_DEFINED
+#else
+#define yypush_buffer_state settings_parser_push_buffer_state
+#endif
+
+#ifdef yypop_buffer_state
+#define settings_parser_pop_buffer_state_ALREADY_DEFINED
+#else
+#define yypop_buffer_state settings_parser_pop_buffer_state
+#endif
+
+#ifdef yyensure_buffer_stack
+#define settings_parser_ensure_buffer_stack_ALREADY_DEFINED
+#else
+#define yyensure_buffer_stack settings_parser_ensure_buffer_stack
+#endif
+
+#ifdef yylex
+#define settings_parser_lex_ALREADY_DEFINED
+#else
+#define yylex settings_parser_lex
+#endif
+
+#ifdef yyrestart
+#define settings_parser_restart_ALREADY_DEFINED
+#else
+#define yyrestart settings_parser_restart
+#endif
+
+#ifdef yylex_init
+#define settings_parser_lex_init_ALREADY_DEFINED
+#else
+#define yylex_init settings_parser_lex_init
+#endif
+
+#ifdef yylex_init_extra
+#define settings_parser_lex_init_extra_ALREADY_DEFINED
+#else
+#define yylex_init_extra settings_parser_lex_init_extra
+#endif
+
+#ifdef yylex_destroy
+#define settings_parser_lex_destroy_ALREADY_DEFINED
+#else
+#define yylex_destroy settings_parser_lex_destroy
+#endif
+
+#ifdef yyget_debug
+#define settings_parser_get_debug_ALREADY_DEFINED
+#else
+#define yyget_debug settings_parser_get_debug
+#endif
+
+#ifdef yyset_debug
+#define settings_parser_set_debug_ALREADY_DEFINED
+#else
+#define yyset_debug settings_parser_set_debug
+#endif
+
+#ifdef yyget_extra
+#define settings_parser_get_extra_ALREADY_DEFINED
+#else
+#define yyget_extra settings_parser_get_extra
+#endif
+
+#ifdef yyset_extra
+#define settings_parser_set_extra_ALREADY_DEFINED
+#else
+#define yyset_extra settings_parser_set_extra
+#endif
+
+#ifdef yyget_in
+#define settings_parser_get_in_ALREADY_DEFINED
+#else
+#define yyget_in settings_parser_get_in
+#endif
+
+#ifdef yyset_in
+#define settings_parser_set_in_ALREADY_DEFINED
+#else
+#define yyset_in settings_parser_set_in
+#endif
+
+#ifdef yyget_out
+#define settings_parser_get_out_ALREADY_DEFINED
+#else
+#define yyget_out settings_parser_get_out
+#endif
+
+#ifdef yyset_out
+#define settings_parser_set_out_ALREADY_DEFINED
+#else
+#define yyset_out settings_parser_set_out
+#endif
+
+#ifdef yyget_leng
+#define settings_parser_get_leng_ALREADY_DEFINED
+#else
+#define yyget_leng settings_parser_get_leng
+#endif
+
+#ifdef yyget_text
+#define settings_parser_get_text_ALREADY_DEFINED
+#else
+#define yyget_text settings_parser_get_text
+#endif
+
+#ifdef yyget_lineno
+#define settings_parser_get_lineno_ALREADY_DEFINED
+#else
+#define yyget_lineno settings_parser_get_lineno
+#endif
+
+#ifdef yyset_lineno
+#define settings_parser_set_lineno_ALREADY_DEFINED
+#else
+#define yyset_lineno settings_parser_set_lineno
+#endif
+
+#ifdef yyget_column
+#define settings_parser_get_column_ALREADY_DEFINED
+#else
+#define yyget_column settings_parser_get_column
+#endif
+
+#ifdef yyset_column
+#define settings_parser_set_column_ALREADY_DEFINED
+#else
+#define yyset_column settings_parser_set_column
+#endif
+
+#ifdef yywrap
+#define settings_parser_wrap_ALREADY_DEFINED
+#else
+#define yywrap settings_parser_wrap
+#endif
+
 /* %endif */
 
+#ifdef yyget_lval
+#define settings_parser_get_lval_ALREADY_DEFINED
+#else
+#define yyget_lval settings_parser_get_lval
+#endif
+
+#ifdef yyset_lval
+#define settings_parser_set_lval_ALREADY_DEFINED
+#else
+#define yyset_lval settings_parser_set_lval
+#endif
+
+#ifdef yyalloc
+#define settings_parser_alloc_ALREADY_DEFINED
+#else
+#define yyalloc settings_parser_alloc
+#endif
+
+#ifdef yyrealloc
+#define settings_parser_realloc_ALREADY_DEFINED
+#else
+#define yyrealloc settings_parser_realloc
+#endif
+
+#ifdef yyfree
+#define settings_parser_free_ALREADY_DEFINED
+#else
+#define yyfree settings_parser_free
+#endif
+
 /* %if-c-only */
 
 /* %endif */
@@ -108,50 +328,39 @@ typedef unsigned int flex_uint32_t;
 #define UINT32_MAX             (4294967295U)
 #endif
 
+#ifndef SIZE_MAX
+#define SIZE_MAX               (~(size_t)0)
+#endif
+
 #endif /* ! C99 */
 
 #endif /* ! FLEXINT_H */
 
 /* %endif */
 
+/* begin standard C++ headers. */
 /* %if-c++-only */
 /* %endif */
 
-#ifdef __cplusplus
-
-/* The "const" storage-class-modifier is valid. */
-#define YY_USE_CONST
-
-#else	/* ! __cplusplus */
-
-/* C99 requires __STDC__ to be defined as 1. */
-#if defined (__STDC__)
-
-#define YY_USE_CONST
-
-#endif	/* defined (__STDC__) */
-#endif	/* ! __cplusplus */
-
-#ifdef YY_USE_CONST
+/* TODO: this is always defined, so inline it */
 #define yyconst const
+
+#if defined(__GNUC__) && __GNUC__ >= 3
+#define yynoreturn __attribute__((__noreturn__))
 #else
-#define yyconst
+#define yynoreturn
 #endif
 
 /* %not-for-header */
-
 /* Returned upon end-of-file. */
 #define YY_NULL 0
 /* %ok-for-header */
 
 /* %not-for-header */
-
-/* Promotes a possibly negative, possibly signed char to an unsigned
- * integer for use as an array index.  If the signed char is negative,
- * we want to instead treat it as an 8-bit unsigned char, hence the
- * double cast.
+/* Promotes a possibly negative, possibly signed char to an
+ *   integer in range [0..255] for use as an array index.
  */
-#define YY_SC_TO_UI(c) ((unsigned int) (unsigned char) c)
+#define YY_SC_TO_UI(c) ((YY_CHAR) (c))
 /* %ok-for-header */
 
 /* %if-reentrant */
@@ -183,20 +392,16 @@ typedef void* yyscan_t;
  * definition of BEGIN.
  */
 #define BEGIN yyg->yy_start = 1 + 2 *
-
 /* Translate the current start state into a value that can be later handed
  * to BEGIN to return to the state.  The YYSTATE alias is for lex
  * compatibility.
  */
 #define YY_START ((yyg->yy_start - 1) / 2)
 #define YYSTATE YY_START
-
 /* Action number for EOF rule of a given start state. */
 #define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1)
-
 /* Special action meaning "start processing a new file". */
-#define YY_NEW_FILE settings_parser_restart(yyin ,yyscanner )
-
+#define YY_NEW_FILE yyrestart( yyin , yyscanner )
 #define YY_END_OF_BUFFER_CHAR 0
 
 /* Size of default input buffer. */
@@ -237,10 +442,10 @@ typedef size_t yy_size_t;
 #define EOB_ACT_CONTINUE_SCAN 0
 #define EOB_ACT_END_OF_FILE 1
 #define EOB_ACT_LAST_MATCH 2
-
+    
     /* Note: We specifically omit the test for yy_rule_can_match_eol because it requires
      *       access to the local variable yy_act. Since yyless() is a macro, it would break
-     *       existing scanners that call yyless() from OUTSIDE settings_parser_lex. 
+     *       existing scanners that call yyless() from OUTSIDE yylex.
      *       One obvious solution it to make yy_act a global. I tried that, and saw
      *       a 5% performance hit in a non-yylineno scanner, because yy_act is
      *       normally declared as a register variable-- so it is not worth it.
@@ -273,7 +478,6 @@ typedef size_t yy_size_t;
 		YY_DO_BEFORE_ACTION; /* set up yytext again */ \
 		} \
 	while ( 0 )
-
 #define unput(c) yyunput( c, yyg->yytext_ptr , yyscanner )
 
 #ifndef YY_STRUCT_YY_BUFFER_STATE
@@ -293,7 +497,7 @@ struct yy_buffer_state
 	/* Size of input buffer in bytes, not including room for EOB
 	 * characters.
 	 */
-	yy_size_t yy_buf_size;
+	int yy_buf_size;
 
 	/* Number of characters read into yy_ch_buf, not including EOB
 	 * characters.
@@ -321,7 +525,7 @@ struct yy_buffer_state
 
     int yy_bs_lineno; /**< The line count. */
     int yy_bs_column; /**< The column count. */
-    
+
 	/* Whether to try to fill the input buffer when we reach the
 	 * end of it.
 	 */
@@ -338,7 +542,7 @@ struct yy_buffer_state
 	 * possible backing-up.
 	 *
 	 * When we actually see the EOF, we change the status to "new"
-	 * (via settings_parser_restart()), so that the user can continue scanning by
+	 * (via yyrestart()), so that the user can continue scanning by
 	 * just pointing yyin at a new input file.
 	 */
 #define YY_BUFFER_EOF_PENDING 2
@@ -348,7 +552,6 @@ struct yy_buffer_state
 
 /* %if-c-only Standard (non-C++) definition */
 /* %not-for-header */
-
 /* %if-not-reentrant */
 /* %endif */
 /* %ok-for-header */
@@ -364,7 +567,6 @@ struct yy_buffer_state
 #define YY_CURRENT_BUFFER ( yyg->yy_buffer_stack \
                           ? yyg->yy_buffer_stack[yyg->yy_buffer_stack_top] \
                           : NULL)
-
 /* Same as previous macro, but useful when we know that the buffer stack is not
  * NULL or when we need an lvalue. For internal use only.
  */
@@ -374,57 +576,52 @@ struct yy_buffer_state
 
 /* %if-not-reentrant */
 /* %not-for-header */
-
 /* %ok-for-header */
 
 /* %endif */
 
-void settings_parser_restart (FILE *input_file ,yyscan_t yyscanner );
-void settings_parser__switch_to_buffer (YY_BUFFER_STATE new_buffer ,yyscan_t yyscanner );
-YY_BUFFER_STATE settings_parser__create_buffer (FILE *file,int size ,yyscan_t yyscanner );
-void settings_parser__delete_buffer (YY_BUFFER_STATE b ,yyscan_t yyscanner );
-void settings_parser__flush_buffer (YY_BUFFER_STATE b ,yyscan_t yyscanner );
-void settings_parser_push_buffer_state (YY_BUFFER_STATE new_buffer ,yyscan_t yyscanner );
-void settings_parser_pop_buffer_state (yyscan_t yyscanner );
-
-static void settings_parser_ensure_buffer_stack (yyscan_t yyscanner );
-static void settings_parser__load_buffer_state (yyscan_t yyscanner );
-static void settings_parser__init_buffer (YY_BUFFER_STATE b,FILE *file ,yyscan_t yyscanner );
+void yyrestart ( FILE *input_file , yyscan_t yyscanner );
+void yy_switch_to_buffer ( YY_BUFFER_STATE new_buffer , yyscan_t yyscanner );
+YY_BUFFER_STATE yy_create_buffer ( FILE *file, int size , yyscan_t yyscanner );
+void yy_delete_buffer ( YY_BUFFER_STATE b , yyscan_t yyscanner );
+void yy_flush_buffer ( YY_BUFFER_STATE b , yyscan_t yyscanner );
+void yypush_buffer_state ( YY_BUFFER_STATE new_buffer , yyscan_t yyscanner );
+void yypop_buffer_state ( yyscan_t yyscanner );
 
-#define YY_FLUSH_BUFFER settings_parser__flush_buffer(YY_CURRENT_BUFFER ,yyscanner)
+static void yyensure_buffer_stack ( yyscan_t yyscanner );
+static void yy_load_buffer_state ( yyscan_t yyscanner );
+static void yy_init_buffer ( YY_BUFFER_STATE b, FILE *file , yyscan_t yyscanner );
+#define YY_FLUSH_BUFFER yy_flush_buffer( YY_CURRENT_BUFFER , yyscanner)
 
-YY_BUFFER_STATE settings_parser__scan_buffer (char *base,yy_size_t size ,yyscan_t yyscanner );
-YY_BUFFER_STATE settings_parser__scan_string (yyconst char *yy_str ,yyscan_t yyscanner );
-YY_BUFFER_STATE settings_parser__scan_bytes (yyconst char *bytes,yy_size_t len ,yyscan_t yyscanner );
+YY_BUFFER_STATE yy_scan_buffer ( char *base, yy_size_t size , yyscan_t yyscanner );
+YY_BUFFER_STATE yy_scan_string ( const char *yy_str , yyscan_t yyscanner );
+YY_BUFFER_STATE yy_scan_bytes ( const char *bytes, int len , yyscan_t yyscanner );
 
 /* %endif */
 
-void *settings_parser_alloc (yy_size_t ,yyscan_t yyscanner );
-void *settings_parser_realloc (void *,yy_size_t ,yyscan_t yyscanner );
-void settings_parser_free (void * ,yyscan_t yyscanner );
-
-#define yy_new_buffer settings_parser__create_buffer
+void *yyalloc ( yy_size_t , yyscan_t yyscanner );
+void *yyrealloc ( void *, yy_size_t , yyscan_t yyscanner );
+void yyfree ( void * , yyscan_t yyscanner );
 
+#define yy_new_buffer yy_create_buffer
 #define yy_set_interactive(is_interactive) \
 	{ \
 	if ( ! YY_CURRENT_BUFFER ){ \
-        settings_parser_ensure_buffer_stack (yyscanner); \
+        yyensure_buffer_stack (yyscanner); \
 		YY_CURRENT_BUFFER_LVALUE =    \
-            settings_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner); \
+            yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner); \
 	} \
 	YY_CURRENT_BUFFER_LVALUE->yy_is_interactive = is_interactive; \
 	}
-
 #define yy_set_bol(at_bol) \
 	{ \
 	if ( ! YY_CURRENT_BUFFER ){\
-        settings_parser_ensure_buffer_stack (yyscanner); \
+        yyensure_buffer_stack (yyscanner); \
 		YY_CURRENT_BUFFER_LVALUE =    \
-            settings_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner); \
+            yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner); \
 	} \
 	YY_CURRENT_BUFFER_LVALUE->yy_at_bol = at_bol; \
 	}
-
 #define YY_AT_BOL() (YY_CURRENT_BUFFER_LVALUE->yy_at_bol)
 
 /* %% [1.0] yytext/yyin/yyout/yy_state_type/yylineno etc. def's & init go here */
@@ -434,8 +631,7 @@ void settings_parser_free (void * ,yyscan_t yyscanner );
 #define YY_SKIP_YYWRAP
 
 #define FLEX_DEBUG
-
-typedef unsigned char YY_CHAR;
+typedef flex_uint8_t YY_CHAR;
 
 typedef int yy_state_type;
 
@@ -445,13 +641,10 @@ typedef int yy_state_type;
 
 /* %if-c-only Standard (non-C++) definition */
 
-static yy_state_type yy_get_previous_state (yyscan_t yyscanner );
-static yy_state_type yy_try_NUL_trans (yy_state_type current_state  ,yyscan_t yyscanner);
-static int yy_get_next_buffer (yyscan_t yyscanner );
-#if defined(__GNUC__) && __GNUC__ >= 3
-__attribute__((__noreturn__))
-#endif
-static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner );
+static yy_state_type yy_get_previous_state ( yyscan_t yyscanner );
+static yy_state_type yy_try_NUL_trans ( yy_state_type current_state  , yyscan_t yyscanner);
+static int yy_get_next_buffer ( yyscan_t yyscanner );
+static void yynoreturn yy_fatal_error ( const char* msg , yyscan_t yyscanner );
 
 /* %endif */
 
@@ -461,12 +654,11 @@ static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner );
 #define YY_DO_BEFORE_ACTION \
 	yyg->yytext_ptr = yy_bp; \
 /* %% [2.0] code to fiddle yytext and yyleng for yymore() goes here \ */\
-	yyleng = (size_t) (yy_cp - yy_bp); \
+	yyleng = (int) (yy_cp - yy_bp); \
 	yyg->yy_hold_char = *yy_cp; \
 	*yy_cp = '\0'; \
 /* %% [3.0] code to copy yytext_ptr to yytext[] goes here, if %array \ */\
 	yyg->yy_c_buf_p = yy_cp;
-
 /* %% [4.0] data tables for the DFA and the user's section 1 definitions go here */
 #define YY_NUM_RULES 39
 #define YY_END_OF_BUFFER 40
@@ -477,7 +669,7 @@ struct yy_trans_info
 	flex_int32_t yy_verify;
 	flex_int32_t yy_nxt;
 	};
-static yyconst flex_int16_t yy_accept[85] =
+static const flex_int16_t yy_accept[85] =
     {   0,
         0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
        40,   12,    2,    3,    2,   11,    1,    7,    6,    8,
@@ -490,7 +682,7 @@ static yyconst flex_int16_t yy_accept[85] =
         0,   10,   10,    0
     } ;
 
-static yyconst YY_CHAR yy_ec[256] =
+static const YY_CHAR yy_ec[256] =
     {   0,
         1,    1,    1,    1,    1,    1,    1,    1,    2,    3,
         1,    1,    4,    1,    1,    1,    1,    1,    1,    1,
@@ -522,14 +714,14 @@ static yyconst YY_CHAR yy_ec[256] =
         1,    1,    1,    1,    1
     } ;
 
-static yyconst YY_CHAR yy_meta[24] =
+static const YY_CHAR yy_meta[24] =
     {   0,
         1,    2,    3,    4,    5,    6,    5,    7,    8,    7,
         9,   10,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    7,    5
     } ;
 
-static yyconst flex_uint16_t yy_base[103] =
+static const flex_int16_t yy_base[103] =
     {   0,
         0,    0,   23,    0,   45,   67,   89,  111,   49,   50,
       124,    0,  133,  335,   55,  335,   60,  335,  335,  335,
@@ -545,7 +737,7 @@ static yyconst flex_uint16_t yy_base[103] =
       314,  324
     } ;
 
-static yyconst flex_int16_t yy_def[103] =
+static const flex_int16_t yy_def[103] =
     {   0,
        84,    1,   84,    3,   85,   85,   86,   86,   87,   87,
        84,   88,   84,   84,   84,   84,   89,   84,   84,   84,
@@ -561,7 +753,7 @@ static yyconst flex_int16_t yy_def[103] =
        84,   84
     } ;
 
-static yyconst flex_uint16_t yy_nxt[359] =
+static const flex_int16_t yy_nxt[359] =
     {   0,
        12,   13,   14,   15,   13,   16,   17,   18,   19,   20,
        21,   12,   12,   12,   12,   22,   12,   12,   12,   12,
@@ -604,7 +796,7 @@ static yyconst flex_uint16_t yy_nxt[359] =
        84,   84,   84,   84,   84,   84,   84,   84
     } ;
 
-static yyconst flex_int16_t yy_chk[359] =
+static const flex_int16_t yy_chk[359] =
     {   0,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
@@ -648,18 +840,18 @@ static yyconst flex_int16_t yy_chk[359] =
     } ;
 
 /* Table of booleans, true if rule could match eol. */
-static yyconst flex_int32_t yy_rule_can_match_eol[40] =
+static const flex_int32_t yy_rule_can_match_eol[40] =
     {   0,
 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 
     0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 
         };
 
-static yyconst flex_int16_t yy_rule_linenum[39] =
+static const flex_int16_t yy_rule_linenum[39] =
     {   0,
-       66,   67,   68,   70,   71,   73,   74,   76,   81,   86,
-       91,   96,  102,  103,  104,  106,  108,  113,  120,  121,
-      123,  144,  150,  157,  160,  180,  183,  186,  189,  195,
-      196,  198,  218,  219,  220,  221,  222,  223
+       71,   72,   73,   75,   76,   78,   79,   81,   86,   91,
+       96,  101,  107,  108,  109,  111,  113,  118,  125,  126,
+      128,  149,  155,  162,  165,  185,  188,  191,  194,  200,
+      201,  203,  223,  224,  225,  226,  227,  228
     } ;
 
 /* The intent behind this definition is that it'll catch
@@ -694,9 +886,13 @@ bool settings_parser_open_next_file(parser_helper_t *ctx);
 
 static void include_files(parser_helper_t *ctx);
 
+#line 890 "settings/settings_lexer.c"
 /* use start conditions stack */
 /* do not declare unneeded functions */
 #define YY_NO_INPUT 1
+/* do not include unistd.h as it might conflict with our scanner states */
+#define YY_NO_UNISTD_H 1
+/* due to that disable interactive mode, which requires isatty() */
 /* don't use global variables, and interact properly with bison */
 /* maintain the line number */
 /* don't generate a default rule */
@@ -712,7 +908,7 @@ static void include_files(parser_helper_t *ctx);
 /* state used to scan quoted strings */
 
 /* pattern for section/key names */
-#line 716 "settings/settings_lexer.c"
+#line 912 "settings/settings_lexer.c"
 
 #define INITIAL 0
 #define ref 1
@@ -751,7 +947,7 @@ struct yyguts_t
     YY_BUFFER_STATE * yy_buffer_stack; /**< Stack as an array. */
     char yy_hold_char;
     int yy_n_chars;
-    yy_size_t yyleng_r;
+    int yyleng_r;
     char *yy_c_buf_p;
     int yy_init;
     int yy_start;
@@ -775,7 +971,7 @@ struct yyguts_t
 
 /* %if-c-only */
 
-static int yy_init_globals (yyscan_t yyscanner );
+static int yy_init_globals ( yyscan_t yyscanner );
 
 /* %endif */
 
@@ -785,9 +981,9 @@ static int yy_init_globals (yyscan_t yyscanner );
      * from bison output in section 1.*/
     #    define yylval yyg->yylval_r
     
-int settings_parser_lex_init (yyscan_t* scanner);
+int yylex_init (yyscan_t* scanner);
 
-int settings_parser_lex_init_extra (YY_EXTRA_TYPE user_defined,yyscan_t* scanner);
+int yylex_init_extra ( YY_EXTRA_TYPE user_defined, yyscan_t* scanner);
 
 /* %endif */
 
@@ -796,41 +992,41 @@ int settings_parser_lex_init_extra (YY_EXTRA_TYPE user_defined,yyscan_t* scanner
 /* Accessor methods to globals.
    These are made visible to non-reentrant scanners for convenience. */
 
-int settings_parser_lex_destroy (yyscan_t yyscanner );
+int yylex_destroy ( yyscan_t yyscanner );
 
-int settings_parser_get_debug (yyscan_t yyscanner );
+int yyget_debug ( yyscan_t yyscanner );
 
-void settings_parser_set_debug (int debug_flag ,yyscan_t yyscanner );
+void yyset_debug ( int debug_flag , yyscan_t yyscanner );
 
-YY_EXTRA_TYPE settings_parser_get_extra (yyscan_t yyscanner );
+YY_EXTRA_TYPE yyget_extra ( yyscan_t yyscanner );
 
-void settings_parser_set_extra (YY_EXTRA_TYPE user_defined ,yyscan_t yyscanner );
+void yyset_extra ( YY_EXTRA_TYPE user_defined , yyscan_t yyscanner );
 
-FILE *settings_parser_get_in (yyscan_t yyscanner );
+FILE *yyget_in ( yyscan_t yyscanner );
 
-void settings_parser_set_in  (FILE * _in_str ,yyscan_t yyscanner );
+void yyset_in  ( FILE * _in_str , yyscan_t yyscanner );
 
-FILE *settings_parser_get_out (yyscan_t yyscanner );
+FILE *yyget_out ( yyscan_t yyscanner );
 
-void settings_parser_set_out  (FILE * _out_str ,yyscan_t yyscanner );
+void yyset_out  ( FILE * _out_str , yyscan_t yyscanner );
 
-yy_size_t settings_parser_get_leng (yyscan_t yyscanner );
+			int yyget_leng ( yyscan_t yyscanner );
 
-char *settings_parser_get_text (yyscan_t yyscanner );
+char *yyget_text ( yyscan_t yyscanner );
 
-int settings_parser_get_lineno (yyscan_t yyscanner );
+int yyget_lineno ( yyscan_t yyscanner );
 
-void settings_parser_set_lineno (int _line_number ,yyscan_t yyscanner );
+void yyset_lineno ( int _line_number , yyscan_t yyscanner );
 
-int settings_parser_get_column  (yyscan_t yyscanner );
+int yyget_column  ( yyscan_t yyscanner );
 
-void settings_parser_set_column (int _column_no ,yyscan_t yyscanner );
+void yyset_column ( int _column_no , yyscan_t yyscanner );
 
 /* %if-bison-bridge */
 
-YYSTYPE * settings_parser_get_lval (yyscan_t yyscanner );
+YYSTYPE * yyget_lval ( yyscan_t yyscanner );
 
-void settings_parser_set_lval (YYSTYPE * yylval_param ,yyscan_t yyscanner );
+void yyset_lval ( YYSTYPE * yylval_param , yyscan_t yyscanner );
 
 /* %endif */
 
@@ -840,17 +1036,16 @@ void settings_parser_set_lval (YYSTYPE * yylval_param ,yyscan_t yyscanner );
 
 #ifndef YY_SKIP_YYWRAP
 #ifdef __cplusplus
-extern "C" int settings_parser_wrap (yyscan_t yyscanner );
+extern "C" int yywrap ( yyscan_t yyscanner );
 #else
-extern int settings_parser_wrap (yyscan_t yyscanner );
+extern int yywrap ( yyscan_t yyscanner );
 #endif
 #endif
 
 /* %not-for-header */
-
 #ifndef YY_NO_UNPUT
     
-    static void yyunput (int c,char *buf_ptr  ,yyscan_t yyscanner);
+    static void yyunput ( int c, char *buf_ptr  , yyscan_t yyscanner);
     
 #endif
 /* %ok-for-header */
@@ -858,21 +1053,20 @@ extern int settings_parser_wrap (yyscan_t yyscanner );
 /* %endif */
 
 #ifndef yytext_ptr
-static void yy_flex_strncpy (char *,yyconst char *,int ,yyscan_t yyscanner);
+static void yy_flex_strncpy ( char *, const char *, int , yyscan_t yyscanner);
 #endif
 
 #ifdef YY_NEED_STRLEN
-static int yy_flex_strlen (yyconst char * ,yyscan_t yyscanner);
+static int yy_flex_strlen ( const char * , yyscan_t yyscanner);
 #endif
 
 #ifndef YY_NO_INPUT
 /* %if-c-only Standard (non-C++) definition */
 /* %not-for-header */
-
 #ifdef __cplusplus
-static int yyinput (yyscan_t yyscanner );
+static int yyinput ( yyscan_t yyscanner );
 #else
-static int input (yyscan_t yyscanner );
+static int input ( yyscan_t yyscanner );
 #endif
 /* %ok-for-header */
 
@@ -881,11 +1075,11 @@ static int input (yyscan_t yyscanner );
 
 /* %if-c-only */
 
-    static void yy_push_state (int _new_state ,yyscan_t yyscanner);
+    static void yy_push_state ( int _new_state , yyscan_t yyscanner);
     
-    static void yy_pop_state (yyscan_t yyscanner );
+    static void yy_pop_state ( yyscan_t yyscanner );
     
-    static int yy_top_state (yyscan_t yyscanner );
+    static int yy_top_state ( yyscan_t yyscanner );
     
 /* %endif */
 
@@ -905,7 +1099,7 @@ static int input (yyscan_t yyscanner );
 /* This used to be an fputs(), but since the string might contain NUL's,
  * we now use fwrite().
  */
-#define ECHO do { if (fwrite( yytext, yyleng, 1, yyout )) {} } while (0)
+#define ECHO do { if (fwrite( yytext, (size_t) yyleng, 1, yyout )) {} } while (0)
 /* %endif */
 /* %if-c++-only C++ definition */
 /* %endif */
@@ -920,7 +1114,7 @@ static int input (yyscan_t yyscanner );
 	if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
 		{ \
 		int c = '*'; \
-		size_t n; \
+		int n; \
 		for ( n = 0; n < max_size && \
 			     (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
 			buf[n] = (char) c; \
@@ -933,7 +1127,7 @@ static int input (yyscan_t yyscanner );
 	else \
 		{ \
 		errno=0; \
-		while ( (result = fread(buf, 1, max_size, yyin))==0 && ferror(yyin)) \
+		while ( (result = (int) fread(buf, 1, (yy_size_t) max_size, yyin)) == 0 && ferror(yyin)) \
 			{ \
 			if( errno != EINTR) \
 				{ \
@@ -974,11 +1168,9 @@ static int input (yyscan_t yyscanner );
 
 /* %if-tables-serialization structures and prototypes */
 /* %not-for-header */
-
 /* %ok-for-header */
 
 /* %not-for-header */
-
 /* %tables-yydmap generated elements */
 /* %endif */
 /* end tables serialization structures and prototypes */
@@ -992,10 +1184,10 @@ static int input (yyscan_t yyscanner );
 #define YY_DECL_IS_OURS 1
 /* %if-c-only Standard (non-C++) definition */
 
-extern int settings_parser_lex \
-               (YYSTYPE * yylval_param ,yyscan_t yyscanner);
+extern int yylex \
+               (YYSTYPE * yylval_param , yyscan_t yyscanner);
 
-#define YY_DECL int settings_parser_lex \
+#define YY_DECL int yylex \
                (YYSTYPE * yylval_param , yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only C++ definition */
@@ -1019,7 +1211,6 @@ extern int settings_parser_lex \
 	YY_USER_ACTION
 
 /* %not-for-header */
-
 /** The main scanner function which does all the work.
  */
 YY_DECL
@@ -1057,20 +1248,20 @@ YY_DECL
 /* %endif */
 
 		if ( ! YY_CURRENT_BUFFER ) {
-			settings_parser_ensure_buffer_stack (yyscanner);
+			yyensure_buffer_stack (yyscanner);
 			YY_CURRENT_BUFFER_LVALUE =
-				settings_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner);
+				yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner);
 		}
 
-		settings_parser__load_buffer_state(yyscanner );
+		yy_load_buffer_state( yyscanner );
 		}
 
 	{
 /* %% [7.0] user's declarations go here */
-#line 64 "settings/settings_lexer.l"
+#line 69 "settings/settings_lexer.l"
 
 
-#line 1074 "settings/settings_lexer.c"
+#line 1265 "settings/settings_lexer.c"
 
 	while ( /*CONSTCOND*/1 )		/* loops until end-of-file is reached */
 		{
@@ -1100,22 +1291,18 @@ yy_match:
 				{
 				yy_current_state = (int) yy_def[yy_current_state];
 				if ( yy_current_state >= 85 )
-					yy_c = yy_meta[(unsigned int) yy_c];
+					yy_c = yy_meta[yy_c];
 				}
-			yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+			yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
 			++yy_cp;
 			}
-		while ( yy_base[yy_current_state] != 335 );
+		while ( yy_current_state != 84 );
+		yy_cp = yyg->yy_last_accepting_cpos;
+		yy_current_state = yyg->yy_last_accepting_state;
 
 yy_find_action:
 /* %% [10.0] code to find the action number goes here */
 		yy_act = yy_accept[yy_current_state];
-		if ( yy_act == 0 )
-			{ /* have to back up */
-			yy_cp = yyg->yy_last_accepting_cpos;
-			yy_current_state = yyg->yy_last_accepting_state;
-			yy_act = yy_accept[yy_current_state];
-			}
 
 		YY_DO_BEFORE_ACTION;
 
@@ -1123,10 +1310,10 @@ yy_find_action:
 
 		if ( yy_act != YY_END_OF_BUFFER && yy_rule_can_match_eol[yy_act] )
 			{
-			yy_size_t yyl;
+			int yyl;
 			for ( yyl = 0; yyl < yyleng; ++yyl )
 				if ( yytext[yyl] == '\n' )
-					   
+					
     do{ yylineno++;
         yycolumn=0;
     }while(0)
@@ -1164,40 +1351,40 @@ do_action:	/* This label is used only to access EOF actions. */
 
 case 1:
 YY_RULE_SETUP
-#line 66 "settings/settings_lexer.l"
+#line 71 "settings/settings_lexer.l"
 /* eat comments */
 	YY_BREAK
 case 2:
 YY_RULE_SETUP
-#line 67 "settings/settings_lexer.l"
+#line 72 "settings/settings_lexer.l"
 /* eat whitespace */
 	YY_BREAK
 case 3:
 /* rule 3 can match eol */
 YY_RULE_SETUP
-#line 68 "settings/settings_lexer.l"
+#line 73 "settings/settings_lexer.l"
 /* eat newlines and comments at the end of a line */
 	YY_BREAK
 case 4:
-#line 71 "settings/settings_lexer.l"
+#line 76 "settings/settings_lexer.l"
 case 5:
 YY_RULE_SETUP
-#line 71 "settings/settings_lexer.l"
+#line 76 "settings/settings_lexer.l"
 return yytext[0];
 	YY_BREAK
 case 6:
 YY_RULE_SETUP
-#line 73 "settings/settings_lexer.l"
+#line 78 "settings/settings_lexer.l"
 return DOT;
 	YY_BREAK
 case 7:
 YY_RULE_SETUP
-#line 74 "settings/settings_lexer.l"
+#line 79 "settings/settings_lexer.l"
 return COMMA;
 	YY_BREAK
 case 8:
 YY_RULE_SETUP
-#line 76 "settings/settings_lexer.l"
+#line 81 "settings/settings_lexer.l"
 {
 	yy_push_state(ref, yyscanner);
 	return COLON;
@@ -1205,7 +1392,7 @@ YY_RULE_SETUP
 	YY_BREAK
 case 9:
 YY_RULE_SETUP
-#line 81 "settings/settings_lexer.l"
+#line 86 "settings/settings_lexer.l"
 {
 	yy_push_state(val, yyscanner);
 	return yytext[0];
@@ -1218,7 +1405,7 @@ YY_LINENO_REWIND_TO(yy_cp - 1);
 yyg->yy_c_buf_p = yy_cp -= 1;
 YY_DO_BEFORE_ACTION; /* set up yytext again */
 YY_RULE_SETUP
-#line 86 "settings/settings_lexer.l"
+#line 91 "settings/settings_lexer.l"
 {
 	yyextra->string_init(yyextra);
 	yy_push_state(inc, yyscanner);
@@ -1226,7 +1413,7 @@ YY_RULE_SETUP
 	YY_BREAK
 case 11:
 YY_RULE_SETUP
-#line 91 "settings/settings_lexer.l"
+#line 96 "settings/settings_lexer.l"
 {
 	PARSER_DBG1(yyextra, "unexpected string detected");
 	return STRING_ERROR;
@@ -1234,7 +1421,7 @@ YY_RULE_SETUP
 	YY_BREAK
 case 12:
 YY_RULE_SETUP
-#line 96 "settings/settings_lexer.l"
+#line 101 "settings/settings_lexer.l"
 {
 	yylval->s = strdup(yytext);
 	return NAME;
@@ -1243,28 +1430,28 @@ YY_RULE_SETUP
 
 case 13:
 YY_RULE_SETUP
-#line 102 "settings/settings_lexer.l"
+#line 107 "settings/settings_lexer.l"
 /* eat comments */
 	YY_BREAK
 case 14:
 YY_RULE_SETUP
-#line 103 "settings/settings_lexer.l"
+#line 108 "settings/settings_lexer.l"
 /* eat whitespace */
 	YY_BREAK
 case 15:
 /* rule 15 can match eol */
 YY_RULE_SETUP
-#line 104 "settings/settings_lexer.l"
+#line 109 "settings/settings_lexer.l"
 /* eat newlines and comments at the end of a line */
 	YY_BREAK
 case 16:
 YY_RULE_SETUP
-#line 106 "settings/settings_lexer.l"
+#line 111 "settings/settings_lexer.l"
 return COMMA;
 	YY_BREAK
 case 17:
 YY_RULE_SETUP
-#line 108 "settings/settings_lexer.l"
+#line 113 "settings/settings_lexer.l"
 {
 		yylval->s = strdup(yytext);
 		return NAME;
@@ -1272,7 +1459,7 @@ YY_RULE_SETUP
 	YY_BREAK
 case 18:
 YY_RULE_SETUP
-#line 113 "settings/settings_lexer.l"
+#line 118 "settings/settings_lexer.l"
 {
 		unput(yytext[0]);
 		yy_pop_state(yyscanner);
@@ -1282,20 +1469,20 @@ YY_RULE_SETUP
 
 case 19:
 YY_RULE_SETUP
-#line 120 "settings/settings_lexer.l"
+#line 125 "settings/settings_lexer.l"
 /* just ignore these */
 	YY_BREAK
 case 20:
 YY_RULE_SETUP
-#line 121 "settings/settings_lexer.l"
+#line 126 "settings/settings_lexer.l"
 
 	YY_BREAK
 case YY_STATE_EOF(val):
-#line 122 "settings/settings_lexer.l"
+#line 127 "settings/settings_lexer.l"
 case 21:
 /* rule 21 can match eol */
 YY_RULE_SETUP
-#line 123 "settings/settings_lexer.l"
+#line 128 "settings/settings_lexer.l"
 {
 		if (*yytext)
 		{
@@ -1319,7 +1506,7 @@ YY_RULE_SETUP
 	YY_BREAK
 case 22:
 YY_RULE_SETUP
-#line 144 "settings/settings_lexer.l"
+#line 149 "settings/settings_lexer.l"
 {
 		yyextra->string_init(yyextra);
 		yy_push_state(str, yyscanner);
@@ -1328,7 +1515,7 @@ YY_RULE_SETUP
 /* same as above, but allow more characters */
 case 23:
 YY_RULE_SETUP
-#line 150 "settings/settings_lexer.l"
+#line 155 "settings/settings_lexer.l"
 {
 		yylval->s = strdup(yytext);
 		return NAME;
@@ -1338,16 +1525,16 @@ YY_RULE_SETUP
 
 case 24:
 YY_RULE_SETUP
-#line 157 "settings/settings_lexer.l"
+#line 162 "settings/settings_lexer.l"
 /* just ignore these */
 	YY_BREAK
 /* we allow all characters except #, } and spaces, they can be escaped */
 case YY_STATE_EOF(inc):
-#line 159 "settings/settings_lexer.l"
+#line 164 "settings/settings_lexer.l"
 case 25:
 /* rule 25 can match eol */
 YY_RULE_SETUP
-#line 160 "settings/settings_lexer.l"
+#line 165 "settings/settings_lexer.l"
 {
 		if (*yytext)
 		{
@@ -1371,28 +1558,28 @@ YY_RULE_SETUP
 	YY_BREAK
 case 26:
 YY_RULE_SETUP
-#line 180 "settings/settings_lexer.l"
+#line 185 "settings/settings_lexer.l"
 {	/* string include */
 		yy_push_state(str, yyscanner);
 	}
 	YY_BREAK
 case 27:
 YY_RULE_SETUP
-#line 183 "settings/settings_lexer.l"
+#line 188 "settings/settings_lexer.l"
 {
 		yyextra->string_add(yyextra, yytext);
 	}
 	YY_BREAK
 case 28:
 YY_RULE_SETUP
-#line 186 "settings/settings_lexer.l"
+#line 191 "settings/settings_lexer.l"
 {
 		yyextra->string_add(yyextra, yytext+1);
 	}
 	YY_BREAK
 case 29:
 YY_RULE_SETUP
-#line 189 "settings/settings_lexer.l"
+#line 194 "settings/settings_lexer.l"
 {
 		yyextra->string_add(yyextra, yytext);
 	}
@@ -1401,17 +1588,17 @@ YY_RULE_SETUP
 
 case 30:
 YY_RULE_SETUP
-#line 195 "settings/settings_lexer.l"
+#line 200 "settings/settings_lexer.l"
 /* just ignore these */
 	YY_BREAK
 case 31:
-#line 197 "settings/settings_lexer.l"
+#line 202 "settings/settings_lexer.l"
 YY_RULE_SETUP
 case YY_STATE_EOF(str):
-#line 197 "settings/settings_lexer.l"
+#line 202 "settings/settings_lexer.l"
 case 32:
 YY_RULE_SETUP
-#line 198 "settings/settings_lexer.l"
+#line 203 "settings/settings_lexer.l"
 {
 		if (!streq(yytext, "\""))
 		{
@@ -1434,34 +1621,34 @@ YY_RULE_SETUP
 	YY_BREAK
 case 33:
 YY_RULE_SETUP
-#line 218 "settings/settings_lexer.l"
+#line 223 "settings/settings_lexer.l"
 yyextra->string_add(yyextra, "\n");
 	YY_BREAK
 case 34:
 YY_RULE_SETUP
-#line 219 "settings/settings_lexer.l"
+#line 224 "settings/settings_lexer.l"
 yyextra->string_add(yyextra, "\r");
 	YY_BREAK
 case 35:
 YY_RULE_SETUP
-#line 220 "settings/settings_lexer.l"
+#line 225 "settings/settings_lexer.l"
 yyextra->string_add(yyextra, "\t");
 	YY_BREAK
 case 36:
 /* rule 36 can match eol */
 YY_RULE_SETUP
-#line 221 "settings/settings_lexer.l"
+#line 226 "settings/settings_lexer.l"
 /* merge lines that end with escaped EOL characters */
 	YY_BREAK
 case 37:
 YY_RULE_SETUP
-#line 222 "settings/settings_lexer.l"
+#line 227 "settings/settings_lexer.l"
 yyextra->string_add(yyextra, yytext+1);
 	YY_BREAK
 case 38:
 /* rule 38 can match eol */
 YY_RULE_SETUP
-#line 223 "settings/settings_lexer.l"
+#line 228 "settings/settings_lexer.l"
 {
 		yyextra->string_add(yyextra, yytext);
 	}
@@ -1469,7 +1656,7 @@ YY_RULE_SETUP
 
 case YY_STATE_EOF(INITIAL):
 case YY_STATE_EOF(ref):
-#line 228 "settings/settings_lexer.l"
+#line 233 "settings/settings_lexer.l"
 {
 	settings_parser_pop_buffer_state(yyscanner);
 	if (!settings_parser_open_next_file(yyextra) && !YY_CURRENT_BUFFER)
@@ -1480,10 +1667,10 @@ case YY_STATE_EOF(ref):
 	YY_BREAK
 case 39:
 YY_RULE_SETUP
-#line 236 "settings/settings_lexer.l"
+#line 241 "settings/settings_lexer.l"
 YY_FATAL_ERROR( "flex scanner jammed" );
 	YY_BREAK
-#line 1487 "settings/settings_lexer.c"
+#line 1674 "settings/settings_lexer.c"
 
 	case YY_END_OF_BUFFER:
 		{
@@ -1499,7 +1686,7 @@ YY_FATAL_ERROR( "flex scanner jammed" );
 			/* We're scanning a new file or input source.  It's
 			 * possible that this happened because the user
 			 * just pointed yyin at a new source and called
-			 * settings_parser_lex().  If so, then we have to assure
+			 * yylex().  If so, then we have to assure
 			 * consistency between YY_CURRENT_BUFFER and our
 			 * globals.  Here is the right place to do so, because
 			 * this is the first action (other than possibly a
@@ -1553,7 +1740,8 @@ YY_FATAL_ERROR( "flex scanner jammed" );
 			else
 				{
 /* %% [14.0] code to do back-up for compressed tables and set up yy_cp goes here */
-				yy_cp = yyg->yy_c_buf_p;
+				yy_cp = yyg->yy_last_accepting_cpos;
+				yy_current_state = yyg->yy_last_accepting_state;
 				goto yy_find_action;
 				}
 			}
@@ -1564,7 +1752,7 @@ YY_FATAL_ERROR( "flex scanner jammed" );
 				{
 				yyg->yy_did_buffer_switch_on_eof = 0;
 
-				if ( settings_parser_wrap(yyscanner ) )
+				if ( yywrap( yyscanner ) )
 					{
 					/* Note: because we've taken care in
 					 * yy_get_next_buffer() to have set up
@@ -1618,12 +1806,11 @@ YY_FATAL_ERROR( "flex scanner jammed" );
 	} /* end of action switch */
 		} /* end of scanning one token */
 	} /* end of user's declarations */
-} /* end of settings_parser_lex */
+} /* end of yylex */
 /* %ok-for-header */
 
 /* %if-c++-only */
 /* %not-for-header */
-
 /* %ok-for-header */
 
 /* %endif */
@@ -1644,7 +1831,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 	char *dest = YY_CURRENT_BUFFER_LVALUE->yy_ch_buf;
 	char *source = yyg->yytext_ptr;
-	yy_size_t number_to_move, i;
+	int number_to_move, i;
 	int ret_val;
 
 	if ( yyg->yy_c_buf_p > &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[yyg->yy_n_chars + 1] )
@@ -1673,7 +1860,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 	/* Try to read more data. */
 
 	/* First move last chars to start of buffer. */
-	number_to_move = (yy_size_t) (yyg->yy_c_buf_p - yyg->yytext_ptr) - 1;
+	number_to_move = (int) (yyg->yy_c_buf_p - yyg->yytext_ptr - 1);
 
 	for ( i = 0; i < number_to_move; ++i )
 		*(dest++) = *(source++);
@@ -1686,7 +1873,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 
 	else
 		{
-			yy_size_t num_to_read =
+			int num_to_read =
 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
 
 		while ( num_to_read <= 0 )
@@ -1700,7 +1887,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 
 			if ( b->yy_is_our_buffer )
 				{
-				yy_size_t new_size = b->yy_buf_size * 2;
+				int new_size = b->yy_buf_size * 2;
 
 				if ( new_size <= 0 )
 					b->yy_buf_size += b->yy_buf_size / 8;
@@ -1709,11 +1896,12 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 
 				b->yy_ch_buf = (char *)
 					/* Include room in for 2 EOB chars. */
-					settings_parser_realloc((void *) b->yy_ch_buf,b->yy_buf_size + 2 ,yyscanner );
+					yyrealloc( (void *) b->yy_ch_buf,
+							 (yy_size_t) (b->yy_buf_size + 2) , yyscanner );
 				}
 			else
 				/* Can't grow it, we don't own it. */
-				b->yy_ch_buf = 0;
+				b->yy_ch_buf = NULL;
 
 			if ( ! b->yy_ch_buf )
 				YY_FATAL_ERROR(
@@ -1741,7 +1929,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 		if ( number_to_move == YY_MORE_ADJ )
 			{
 			ret_val = EOB_ACT_END_OF_FILE;
-			settings_parser_restart(yyin  ,yyscanner);
+			yyrestart( yyin  , yyscanner);
 			}
 
 		else
@@ -1755,12 +1943,15 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 	else
 		ret_val = EOB_ACT_CONTINUE_SCAN;
 
-	if ((int) (yyg->yy_n_chars + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) {
+	if ((yyg->yy_n_chars + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) {
 		/* Extend the array by 50%, plus the number we really need. */
 		int new_size = yyg->yy_n_chars + number_to_move + (yyg->yy_n_chars >> 1);
-		YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) settings_parser_realloc((void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf,new_size ,yyscanner );
+		YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) yyrealloc(
+			(void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf, (yy_size_t) new_size , yyscanner );
 		if ( ! YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
 			YY_FATAL_ERROR( "out of dynamic memory in yy_get_next_buffer()" );
+		/* "- 2" to take care of EOB's */
+		YY_CURRENT_BUFFER_LVALUE->yy_buf_size = (int) (new_size - 2);
 	}
 
 	yyg->yy_n_chars += number_to_move;
@@ -1776,7 +1967,6 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 
 /* %if-c-only */
 /* %not-for-header */
-
     static yy_state_type yy_get_previous_state (yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
@@ -1802,9 +1992,9 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 			{
 			yy_current_state = (int) yy_def[yy_current_state];
 			if ( yy_current_state >= 85 )
-				yy_c = yy_meta[(unsigned int) yy_c];
+				yy_c = yy_meta[yy_c];
 			}
-		yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+		yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
 		}
 
 	return yy_current_state;
@@ -1836,9 +2026,9 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 		{
 		yy_current_state = (int) yy_def[yy_current_state];
 		if ( yy_current_state >= 85 )
-			yy_c = yy_meta[(unsigned int) yy_c];
+			yy_c = yy_meta[yy_c];
 		}
-	yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+	yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
 	yy_is_jam = (yy_current_state == 84);
 
 	(void)yyg;
@@ -1864,7 +2054,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 	if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
 		{ /* need to shift things up to make room */
 		/* +2 for EOB chars. */
-		yy_size_t number_to_move = yyg->yy_n_chars + 2;
+		int number_to_move = yyg->yy_n_chars + 2;
 		char *dest = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[
 					YY_CURRENT_BUFFER_LVALUE->yy_buf_size + 2];
 		char *source =
@@ -1876,7 +2066,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 		yy_cp += (int) (dest - source);
 		yy_bp += (int) (dest - source);
 		YY_CURRENT_BUFFER_LVALUE->yy_n_chars =
-			yyg->yy_n_chars = YY_CURRENT_BUFFER_LVALUE->yy_buf_size;
+			yyg->yy_n_chars = (int) YY_CURRENT_BUFFER_LVALUE->yy_buf_size;
 
 		if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
 			YY_FATAL_ERROR( "flex scanner push-back overflow" );
@@ -1928,7 +2118,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 
 		else
 			{ /* need more input */
-			yy_size_t offset = yyg->yy_c_buf_p - yyg->yytext_ptr;
+			int offset = (int) (yyg->yy_c_buf_p - yyg->yytext_ptr);
 			++yyg->yy_c_buf_p;
 
 			switch ( yy_get_next_buffer( yyscanner ) )
@@ -1945,14 +2135,14 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 					 */
 
 					/* Reset buffer status. */
-					settings_parser_restart(yyin ,yyscanner);
+					yyrestart( yyin , yyscanner);
 
 					/*FALLTHROUGH*/
 
 				case EOB_ACT_END_OF_FILE:
 					{
-					if ( settings_parser_wrap(yyscanner ) )
-						return EOF;
+					if ( yywrap( yyscanner ) )
+						return 0;
 
 					if ( ! yyg->yy_did_buffer_switch_on_eof )
 						YY_NEW_FILE;
@@ -1976,7 +2166,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 
 /* %% [19.0] update BOL and yylineno */
 	if ( c == '\n' )
-		   
+		
     do{ yylineno++;
         yycolumn=0;
     }while(0)
@@ -1994,7 +2184,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
  * @note This function does not reset the start condition to @c INITIAL .
  */
 /* %if-c-only */
-    void settings_parser_restart  (FILE * input_file , yyscan_t yyscanner)
+    void yyrestart  (FILE * input_file , yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
@@ -2002,13 +2192,13 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 
 	if ( ! YY_CURRENT_BUFFER ){
-        settings_parser_ensure_buffer_stack (yyscanner);
+        yyensure_buffer_stack (yyscanner);
 		YY_CURRENT_BUFFER_LVALUE =
-            settings_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner);
+            yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner);
 	}
 
-	settings_parser__init_buffer(YY_CURRENT_BUFFER,input_file ,yyscanner);
-	settings_parser__load_buffer_state(yyscanner );
+	yy_init_buffer( YY_CURRENT_BUFFER, input_file , yyscanner);
+	yy_load_buffer_state( yyscanner );
 }
 
 /* %if-c++-only */
@@ -2019,7 +2209,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
  * @param yyscanner The scanner object.
  */
 /* %if-c-only */
-    void settings_parser__switch_to_buffer  (YY_BUFFER_STATE  new_buffer , yyscan_t yyscanner)
+    void yy_switch_to_buffer  (YY_BUFFER_STATE  new_buffer , yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
@@ -2028,10 +2218,10 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 
 	/* TODO. We should be able to replace this entire function body
 	 * with
-	 *		settings_parser_pop_buffer_state();
-	 *		settings_parser_push_buffer_state(new_buffer);
+	 *		yypop_buffer_state();
+	 *		yypush_buffer_state(new_buffer);
      */
-	settings_parser_ensure_buffer_stack (yyscanner);
+	yyensure_buffer_stack (yyscanner);
 	if ( YY_CURRENT_BUFFER == new_buffer )
 		return;
 
@@ -2044,18 +2234,18 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 		}
 
 	YY_CURRENT_BUFFER_LVALUE = new_buffer;
-	settings_parser__load_buffer_state(yyscanner );
+	yy_load_buffer_state( yyscanner );
 
 	/* We don't actually know whether we did this switch during
-	 * EOF (settings_parser_wrap()) processing, but the only time this flag
-	 * is looked at is after settings_parser_wrap() is called, so it's safe
+	 * EOF (yywrap()) processing, but the only time this flag
+	 * is looked at is after yywrap() is called, so it's safe
 	 * to go ahead and always set it.
 	 */
 	yyg->yy_did_buffer_switch_on_eof = 1;
 }
 
 /* %if-c-only */
-static void settings_parser__load_buffer_state  (yyscan_t yyscanner)
+static void yy_load_buffer_state  (yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
@@ -2078,29 +2268,29 @@ static void settings_parser__load_buffer_state  (yyscan_t yyscanner)
  * @return the allocated buffer state.
  */
 /* %if-c-only */
-    YY_BUFFER_STATE settings_parser__create_buffer  (FILE * file, int  size , yyscan_t yyscanner)
+    YY_BUFFER_STATE yy_create_buffer  (FILE * file, int  size , yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
 {
 	YY_BUFFER_STATE b;
     
-	b = (YY_BUFFER_STATE) settings_parser_alloc(sizeof( struct yy_buffer_state ) ,yyscanner );
+	b = (YY_BUFFER_STATE) yyalloc( sizeof( struct yy_buffer_state ) , yyscanner );
 	if ( ! b )
-		YY_FATAL_ERROR( "out of dynamic memory in settings_parser__create_buffer()" );
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
 
-	b->yy_buf_size = (yy_size_t)size;
+	b->yy_buf_size = size;
 
 	/* yy_ch_buf has to be 2 characters longer than the size given because
 	 * we need to put in 2 end-of-buffer characters.
 	 */
-	b->yy_ch_buf = (char *) settings_parser_alloc(b->yy_buf_size + 2 ,yyscanner );
+	b->yy_ch_buf = (char *) yyalloc( (yy_size_t) (b->yy_buf_size + 2) , yyscanner );
 	if ( ! b->yy_ch_buf )
-		YY_FATAL_ERROR( "out of dynamic memory in settings_parser__create_buffer()" );
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
 
 	b->yy_is_our_buffer = 1;
 
-	settings_parser__init_buffer(b,file ,yyscanner);
+	yy_init_buffer( b, file , yyscanner);
 
 	return b;
 }
@@ -2109,11 +2299,11 @@ static void settings_parser__load_buffer_state  (yyscan_t yyscanner)
 /* %endif */
 
 /** Destroy the buffer.
- * @param b a buffer created with settings_parser__create_buffer()
+ * @param b a buffer created with yy_create_buffer()
  * @param yyscanner The scanner object.
  */
 /* %if-c-only */
-    void settings_parser__delete_buffer (YY_BUFFER_STATE  b , yyscan_t yyscanner)
+    void yy_delete_buffer (YY_BUFFER_STATE  b , yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
@@ -2127,17 +2317,17 @@ static void settings_parser__load_buffer_state  (yyscan_t yyscanner)
 		YY_CURRENT_BUFFER_LVALUE = (YY_BUFFER_STATE) 0;
 
 	if ( b->yy_is_our_buffer )
-		settings_parser_free((void *) b->yy_ch_buf ,yyscanner );
+		yyfree( (void *) b->yy_ch_buf , yyscanner );
 
-	settings_parser_free((void *) b ,yyscanner );
+	yyfree( (void *) b , yyscanner );
 }
 
 /* Initializes or reinitializes a buffer.
  * This function is sometimes called more than once on the same buffer,
- * such as during a settings_parser_restart() or at EOF.
+ * such as during a yyrestart() or at EOF.
  */
 /* %if-c-only */
-    static void settings_parser__init_buffer  (YY_BUFFER_STATE  b, FILE * file , yyscan_t yyscanner)
+    static void yy_init_buffer  (YY_BUFFER_STATE  b, FILE * file , yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
@@ -2146,7 +2336,7 @@ static void settings_parser__load_buffer_state  (yyscan_t yyscanner)
 	int oerrno = errno;
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 
-	settings_parser__flush_buffer(b ,yyscanner);
+	yy_flush_buffer( b , yyscanner);
 
 /* %if-c-only */
 	b->yy_input_file = file;
@@ -2155,8 +2345,8 @@ static void settings_parser__load_buffer_state  (yyscan_t yyscanner)
 /* %endif */
 	b->yy_fill_buffer = 1;
 
-    /* If b is the current buffer, then settings_parser__init_buffer was _probably_
-     * called from settings_parser_restart() or through yy_get_next_buffer.
+    /* If b is the current buffer, then yy_init_buffer was _probably_
+     * called from yyrestart() or through yy_get_next_buffer.
      * In that case, we don't want to reset the lineno or column.
      */
     if (b != YY_CURRENT_BUFFER){
@@ -2166,7 +2356,7 @@ static void settings_parser__load_buffer_state  (yyscan_t yyscanner)
 
 /* %if-c-only */
 
-        b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0;
+        b->yy_is_interactive = 0;
     
 /* %endif */
 /* %if-c++-only */
@@ -2179,7 +2369,7 @@ static void settings_parser__load_buffer_state  (yyscan_t yyscanner)
  * @param yyscanner The scanner object.
  */
 /* %if-c-only */
-    void settings_parser__flush_buffer (YY_BUFFER_STATE  b , yyscan_t yyscanner)
+    void yy_flush_buffer (YY_BUFFER_STATE  b , yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
@@ -2203,7 +2393,7 @@ static void settings_parser__load_buffer_state  (yyscan_t yyscanner)
 	b->yy_buffer_status = YY_BUFFER_NEW;
 
 	if ( b == YY_CURRENT_BUFFER )
-		settings_parser__load_buffer_state(yyscanner );
+		yy_load_buffer_state( yyscanner );
 }
 
 /* %if-c-or-c++ */
@@ -2214,7 +2404,7 @@ static void settings_parser__load_buffer_state  (yyscan_t yyscanner)
  *  @param yyscanner The scanner object.
  */
 /* %if-c-only */
-void settings_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner)
+void yypush_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
@@ -2223,9 +2413,9 @@ void settings_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yy
 	if (new_buffer == NULL)
 		return;
 
-	settings_parser_ensure_buffer_stack(yyscanner);
+	yyensure_buffer_stack(yyscanner);
 
-	/* This block is copied from settings_parser__switch_to_buffer. */
+	/* This block is copied from yy_switch_to_buffer. */
 	if ( YY_CURRENT_BUFFER )
 		{
 		/* Flush out information for old buffer. */
@@ -2239,8 +2429,8 @@ void settings_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yy
 		yyg->yy_buffer_stack_top++;
 	YY_CURRENT_BUFFER_LVALUE = new_buffer;
 
-	/* copied from settings_parser__switch_to_buffer. */
-	settings_parser__load_buffer_state(yyscanner );
+	/* copied from yy_switch_to_buffer. */
+	yy_load_buffer_state( yyscanner );
 	yyg->yy_did_buffer_switch_on_eof = 1;
 }
 /* %endif */
@@ -2251,7 +2441,7 @@ void settings_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yy
  *  @param yyscanner The scanner object.
  */
 /* %if-c-only */
-void settings_parser_pop_buffer_state (yyscan_t yyscanner)
+void yypop_buffer_state (yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
@@ -2260,13 +2450,13 @@ void settings_parser_pop_buffer_state (yyscan_t yyscanner)
 	if (!YY_CURRENT_BUFFER)
 		return;
 
-	settings_parser__delete_buffer(YY_CURRENT_BUFFER ,yyscanner);
+	yy_delete_buffer(YY_CURRENT_BUFFER , yyscanner);
 	YY_CURRENT_BUFFER_LVALUE = NULL;
 	if (yyg->yy_buffer_stack_top > 0)
 		--yyg->yy_buffer_stack_top;
 
 	if (YY_CURRENT_BUFFER) {
-		settings_parser__load_buffer_state(yyscanner );
+		yy_load_buffer_state( yyscanner );
 		yyg->yy_did_buffer_switch_on_eof = 1;
 	}
 }
@@ -2277,7 +2467,7 @@ void settings_parser_pop_buffer_state (yyscan_t yyscanner)
  *  Guarantees space for at least one push.
  */
 /* %if-c-only */
-static void settings_parser_ensure_buffer_stack (yyscan_t yyscanner)
+static void yyensure_buffer_stack (yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
@@ -2291,15 +2481,15 @@ static void settings_parser_ensure_buffer_stack (yyscan_t yyscanner)
 		 * scanner will even need a stack. We use 2 instead of 1 to avoid an
 		 * immediate realloc on the next call.
          */
-		num_to_alloc = 1; /* After all that talk, this was set to 1 anyways... */
-		yyg->yy_buffer_stack = (struct yy_buffer_state**)settings_parser_alloc
+      num_to_alloc = 1; /* After all that talk, this was set to 1 anyways... */
+		yyg->yy_buffer_stack = (struct yy_buffer_state**)yyalloc
 								(num_to_alloc * sizeof(struct yy_buffer_state*)
 								, yyscanner);
 		if ( ! yyg->yy_buffer_stack )
-			YY_FATAL_ERROR( "out of dynamic memory in settings_parser_ensure_buffer_stack()" );
-								  
+			YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
+
 		memset(yyg->yy_buffer_stack, 0, num_to_alloc * sizeof(struct yy_buffer_state*));
-				
+
 		yyg->yy_buffer_stack_max = num_to_alloc;
 		yyg->yy_buffer_stack_top = 0;
 		return;
@@ -2311,12 +2501,12 @@ static void settings_parser_ensure_buffer_stack (yyscan_t yyscanner)
 		yy_size_t grow_size = 8 /* arbitrary grow size */;
 
 		num_to_alloc = yyg->yy_buffer_stack_max + grow_size;
-		yyg->yy_buffer_stack = (struct yy_buffer_state**)settings_parser_realloc
+		yyg->yy_buffer_stack = (struct yy_buffer_state**)yyrealloc
 								(yyg->yy_buffer_stack,
 								num_to_alloc * sizeof(struct yy_buffer_state*)
 								, yyscanner);
 		if ( ! yyg->yy_buffer_stack )
-			YY_FATAL_ERROR( "out of dynamic memory in settings_parser_ensure_buffer_stack()" );
+			YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
 
 		/* zero only the new slots.*/
 		memset(yyg->yy_buffer_stack + yyg->yy_buffer_stack_max, 0, grow_size * sizeof(struct yy_buffer_state*));
@@ -2330,9 +2520,9 @@ static void settings_parser_ensure_buffer_stack (yyscan_t yyscanner)
  * @param base the character buffer
  * @param size the size in bytes of the character buffer
  * @param yyscanner The scanner object.
- * @return the newly allocated buffer state object. 
+ * @return the newly allocated buffer state object.
  */
-YY_BUFFER_STATE settings_parser__scan_buffer  (char * base, yy_size_t  size , yyscan_t yyscanner)
+YY_BUFFER_STATE yy_scan_buffer  (char * base, yy_size_t  size , yyscan_t yyscanner)
 {
 	YY_BUFFER_STATE b;
     
@@ -2340,73 +2530,73 @@ YY_BUFFER_STATE settings_parser__scan_buffer  (char * base, yy_size_t  size , yy
 	     base[size-2] != YY_END_OF_BUFFER_CHAR ||
 	     base[size-1] != YY_END_OF_BUFFER_CHAR )
 		/* They forgot to leave room for the EOB's. */
-		return 0;
+		return NULL;
 
-	b = (YY_BUFFER_STATE) settings_parser_alloc(sizeof( struct yy_buffer_state ) ,yyscanner );
+	b = (YY_BUFFER_STATE) yyalloc( sizeof( struct yy_buffer_state ) , yyscanner );
 	if ( ! b )
-		YY_FATAL_ERROR( "out of dynamic memory in settings_parser__scan_buffer()" );
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" );
 
-	b->yy_buf_size = size - 2;	/* "- 2" to take care of EOB's */
+	b->yy_buf_size = (int) (size - 2);	/* "- 2" to take care of EOB's */
 	b->yy_buf_pos = b->yy_ch_buf = base;
 	b->yy_is_our_buffer = 0;
-	b->yy_input_file = 0;
+	b->yy_input_file = NULL;
 	b->yy_n_chars = b->yy_buf_size;
 	b->yy_is_interactive = 0;
 	b->yy_at_bol = 1;
 	b->yy_fill_buffer = 0;
 	b->yy_buffer_status = YY_BUFFER_NEW;
 
-	settings_parser__switch_to_buffer(b ,yyscanner );
+	yy_switch_to_buffer( b , yyscanner );
 
 	return b;
 }
 /* %endif */
 
 /* %if-c-only */
-/** Setup the input buffer state to scan a string. The next call to settings_parser_lex() will
+/** Setup the input buffer state to scan a string. The next call to yylex() will
  * scan from a @e copy of @a str.
  * @param yystr a NUL-terminated string to scan
  * @param yyscanner The scanner object.
  * @return the newly allocated buffer state object.
  * @note If you want to scan bytes that may contain NUL values, then use
- *       settings_parser__scan_bytes() instead.
+ *       yy_scan_bytes() instead.
  */
-YY_BUFFER_STATE settings_parser__scan_string (yyconst char * yystr , yyscan_t yyscanner)
+YY_BUFFER_STATE yy_scan_string (const char * yystr , yyscan_t yyscanner)
 {
     
-	return settings_parser__scan_bytes(yystr,strlen(yystr) ,yyscanner);
+	return yy_scan_bytes( yystr, (int) strlen(yystr) , yyscanner);
 }
 /* %endif */
 
 /* %if-c-only */
-/** Setup the input buffer state to scan the given bytes. The next call to settings_parser_lex() will
+/** Setup the input buffer state to scan the given bytes. The next call to yylex() will
  * scan from a @e copy of @a bytes.
  * @param yybytes the byte buffer to scan
  * @param _yybytes_len the number of bytes in the buffer pointed to by @a bytes.
  * @param yyscanner The scanner object.
  * @return the newly allocated buffer state object.
  */
-YY_BUFFER_STATE settings_parser__scan_bytes  (yyconst char * yybytes, yy_size_t  _yybytes_len , yyscan_t yyscanner)
+YY_BUFFER_STATE yy_scan_bytes  (const char * yybytes, int  _yybytes_len , yyscan_t yyscanner)
 {
 	YY_BUFFER_STATE b;
 	char *buf;
 	yy_size_t n;
-	yy_size_t i;
+	int i;
     
 	/* Get memory for full buffer, including space for trailing EOB's. */
-	n = _yybytes_len + 2;
-	buf = (char *) settings_parser_alloc(n ,yyscanner );
+	n = (yy_size_t) (_yybytes_len + 2);
+	buf = (char *) yyalloc( n , yyscanner );
 	if ( ! buf )
-		YY_FATAL_ERROR( "out of dynamic memory in settings_parser__scan_bytes()" );
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" );
 
 	for ( i = 0; i < _yybytes_len; ++i )
 		buf[i] = yybytes[i];
 
 	buf[_yybytes_len] = buf[_yybytes_len+1] = YY_END_OF_BUFFER_CHAR;
 
-	b = settings_parser__scan_buffer(buf,n ,yyscanner);
+	b = yy_scan_buffer( buf, n , yyscanner);
 	if ( ! b )
-		YY_FATAL_ERROR( "bad buffer in settings_parser__scan_bytes()" );
+		YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" );
 
 	/* It's okay to grow etc. this buffer, and we should throw it
 	 * away when we're done.
@@ -2429,13 +2619,14 @@ YY_BUFFER_STATE settings_parser__scan_bytes  (yyconst char * yybytes, yy_size_t
 		yy_size_t new_size;
 
 		yyg->yy_start_stack_depth += YY_START_STACK_INCR;
-		new_size = yyg->yy_start_stack_depth * sizeof( int );
+		new_size = (yy_size_t) yyg->yy_start_stack_depth * sizeof( int );
 
 		if ( ! yyg->yy_start_stack )
-			yyg->yy_start_stack = (int *) settings_parser_alloc(new_size ,yyscanner );
+			yyg->yy_start_stack = (int *) yyalloc( new_size , yyscanner );
 
 		else
-			yyg->yy_start_stack = (int *) settings_parser_realloc((void *) yyg->yy_start_stack,new_size ,yyscanner );
+			yyg->yy_start_stack = (int *) yyrealloc(
+					(void *) yyg->yy_start_stack, new_size , yyscanner );
 
 		if ( ! yyg->yy_start_stack )
 			YY_FATAL_ERROR( "out of memory expanding start-condition stack" );
@@ -2474,11 +2665,11 @@ YY_BUFFER_STATE settings_parser__scan_bytes  (yyconst char * yybytes, yy_size_t
 #endif
 
 /* %if-c-only */
-static void yy_fatal_error (yyconst char* msg , yyscan_t yyscanner)
+static void yynoreturn yy_fatal_error (const char* msg , yyscan_t yyscanner)
 {
 	struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 	(void)yyg;
-	(void) fprintf( stderr, "%s\n", msg );
+	fprintf( stderr, "%s\n", msg );
 	exit( YY_EXIT_FAILURE );
 }
 /* %endif */
@@ -2510,7 +2701,7 @@ static void yy_fatal_error (yyconst char* msg , yyscan_t yyscanner)
 /** Get the user-defined data for this scanner.
  * @param yyscanner The scanner object.
  */
-YY_EXTRA_TYPE settings_parser_get_extra  (yyscan_t yyscanner)
+YY_EXTRA_TYPE yyget_extra  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     return yyextra;
@@ -2521,10 +2712,10 @@ YY_EXTRA_TYPE settings_parser_get_extra  (yyscan_t yyscanner)
 /** Get the current line number.
  * @param yyscanner The scanner object.
  */
-int settings_parser_get_lineno  (yyscan_t yyscanner)
+int yyget_lineno  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
-    
+
         if (! YY_CURRENT_BUFFER)
             return 0;
     
@@ -2534,10 +2725,10 @@ int settings_parser_get_lineno  (yyscan_t yyscanner)
 /** Get the current column number.
  * @param yyscanner The scanner object.
  */
-int settings_parser_get_column  (yyscan_t yyscanner)
+int yyget_column  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
-    
+
         if (! YY_CURRENT_BUFFER)
             return 0;
     
@@ -2547,7 +2738,7 @@ int settings_parser_get_column  (yyscan_t yyscanner)
 /** Get the input stream.
  * @param yyscanner The scanner object.
  */
-FILE *settings_parser_get_in  (yyscan_t yyscanner)
+FILE *yyget_in  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     return yyin;
@@ -2556,7 +2747,7 @@ FILE *settings_parser_get_in  (yyscan_t yyscanner)
 /** Get the output stream.
  * @param yyscanner The scanner object.
  */
-FILE *settings_parser_get_out  (yyscan_t yyscanner)
+FILE *yyget_out  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     return yyout;
@@ -2565,7 +2756,7 @@ FILE *settings_parser_get_out  (yyscan_t yyscanner)
 /** Get the length of the current token.
  * @param yyscanner The scanner object.
  */
-yy_size_t settings_parser_get_leng  (yyscan_t yyscanner)
+int yyget_leng  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     return yyleng;
@@ -2575,7 +2766,7 @@ yy_size_t settings_parser_get_leng  (yyscan_t yyscanner)
  * @param yyscanner The scanner object.
  */
 
-char *settings_parser_get_text  (yyscan_t yyscanner)
+char *yyget_text  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     return yytext;
@@ -2587,7 +2778,7 @@ char *settings_parser_get_text  (yyscan_t yyscanner)
  * @param user_defined The data to be associated with this scanner.
  * @param yyscanner The scanner object.
  */
-void settings_parser_set_extra (YY_EXTRA_TYPE  user_defined , yyscan_t yyscanner)
+void yyset_extra (YY_EXTRA_TYPE  user_defined , yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     yyextra = user_defined ;
@@ -2599,13 +2790,13 @@ void settings_parser_set_extra (YY_EXTRA_TYPE  user_defined , yyscan_t yyscanner
  * @param _line_number line number
  * @param yyscanner The scanner object.
  */
-void settings_parser_set_lineno (int  _line_number , yyscan_t yyscanner)
+void yyset_lineno (int  _line_number , yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 
         /* lineno is only valid if an input buffer exists. */
         if (! YY_CURRENT_BUFFER )
-           YY_FATAL_ERROR( "settings_parser_set_lineno called with no buffer" );
+           YY_FATAL_ERROR( "yyset_lineno called with no buffer" );
     
     yylineno = _line_number;
 }
@@ -2614,13 +2805,13 @@ void settings_parser_set_lineno (int  _line_number , yyscan_t yyscanner)
  * @param _column_no column number
  * @param yyscanner The scanner object.
  */
-void settings_parser_set_column (int  _column_no , yyscan_t yyscanner)
+void yyset_column (int  _column_no , yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 
         /* column is only valid if an input buffer exists. */
         if (! YY_CURRENT_BUFFER )
-           YY_FATAL_ERROR( "settings_parser_set_column called with no buffer" );
+           YY_FATAL_ERROR( "yyset_column called with no buffer" );
     
     yycolumn = _column_no;
 }
@@ -2629,27 +2820,27 @@ void settings_parser_set_column (int  _column_no , yyscan_t yyscanner)
  * input buffer.
  * @param _in_str A readable stream.
  * @param yyscanner The scanner object.
- * @see settings_parser__switch_to_buffer
+ * @see yy_switch_to_buffer
  */
-void settings_parser_set_in (FILE *  _in_str , yyscan_t yyscanner)
+void yyset_in (FILE *  _in_str , yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     yyin = _in_str ;
 }
 
-void settings_parser_set_out (FILE *  _out_str , yyscan_t yyscanner)
+void yyset_out (FILE *  _out_str , yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     yyout = _out_str ;
 }
 
-int settings_parser_get_debug  (yyscan_t yyscanner)
+int yyget_debug  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     return yy_flex_debug;
 }
 
-void settings_parser_set_debug (int  _bdebug , yyscan_t yyscanner)
+void yyset_debug (int  _bdebug , yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     yy_flex_debug = _bdebug ;
@@ -2662,13 +2853,13 @@ void settings_parser_set_debug (int  _bdebug , yyscan_t yyscanner)
 
 /* %if-bison-bridge */
 
-YYSTYPE * settings_parser_get_lval  (yyscan_t yyscanner)
+YYSTYPE * yyget_lval  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     return yylval;
 }
 
-void settings_parser_set_lval (YYSTYPE *  yylval_param , yyscan_t yyscanner)
+void yyset_lval (YYSTYPE *  yylval_param , yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     yylval = yylval_param;
@@ -2678,20 +2869,18 @@ void settings_parser_set_lval (YYSTYPE *  yylval_param , yyscan_t yyscanner)
 
 /* User-visible API */
 
-/* settings_parser_lex_init is special because it creates the scanner itself, so it is
+/* yylex_init is special because it creates the scanner itself, so it is
  * the ONLY reentrant function that doesn't take the scanner as the last argument.
  * That's why we explicitly handle the declaration, instead of using our macros.
  */
-
-int settings_parser_lex_init(yyscan_t* ptr_yy_globals)
-
+int yylex_init(yyscan_t* ptr_yy_globals)
 {
     if (ptr_yy_globals == NULL){
         errno = EINVAL;
         return 1;
     }
 
-    *ptr_yy_globals = (yyscan_t) settings_parser_alloc ( sizeof( struct yyguts_t ), NULL );
+    *ptr_yy_globals = (yyscan_t) yyalloc ( sizeof( struct yyguts_t ), NULL );
 
     if (*ptr_yy_globals == NULL){
         errno = ENOMEM;
@@ -2704,39 +2893,37 @@ int settings_parser_lex_init(yyscan_t* ptr_yy_globals)
     return yy_init_globals ( *ptr_yy_globals );
 }
 
-/* settings_parser_lex_init_extra has the same functionality as settings_parser_lex_init, but follows the
+/* yylex_init_extra has the same functionality as yylex_init, but follows the
  * convention of taking the scanner as the last argument. Note however, that
  * this is a *pointer* to a scanner, as it will be allocated by this call (and
  * is the reason, too, why this function also must handle its own declaration).
- * The user defined value in the first argument will be available to settings_parser_alloc in
+ * The user defined value in the first argument will be available to yyalloc in
  * the yyextra field.
  */
-
-int settings_parser_lex_init_extra(YY_EXTRA_TYPE yy_user_defined,yyscan_t* ptr_yy_globals )
-
+int yylex_init_extra( YY_EXTRA_TYPE yy_user_defined, yyscan_t* ptr_yy_globals )
 {
     struct yyguts_t dummy_yyguts;
 
-    settings_parser_set_extra (yy_user_defined, &dummy_yyguts);
+    yyset_extra (yy_user_defined, &dummy_yyguts);
 
     if (ptr_yy_globals == NULL){
         errno = EINVAL;
         return 1;
     }
-	
-    *ptr_yy_globals = (yyscan_t) settings_parser_alloc ( sizeof( struct yyguts_t ), &dummy_yyguts );
-	
+
+    *ptr_yy_globals = (yyscan_t) yyalloc ( sizeof( struct yyguts_t ), &dummy_yyguts );
+
     if (*ptr_yy_globals == NULL){
         errno = ENOMEM;
         return 1;
     }
-    
+
     /* By setting to 0xAA, we expose bugs in
     yy_init_globals. Leave at 0x00 for releases. */
     memset(*ptr_yy_globals,0x00,sizeof(struct yyguts_t));
-    
-    settings_parser_set_extra (yy_user_defined, *ptr_yy_globals);
-    
+
+    yyset_extra (yy_user_defined, *ptr_yy_globals);
+
     return yy_init_globals ( *ptr_yy_globals );
 }
 
@@ -2747,13 +2934,13 @@ static int yy_init_globals (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     /* Initialization is the same as for the non-reentrant scanner.
-     * This function is called from settings_parser_lex_destroy(), so don't allocate here.
+     * This function is called from yylex_destroy(), so don't allocate here.
      */
 
-    yyg->yy_buffer_stack = 0;
+    yyg->yy_buffer_stack = NULL;
     yyg->yy_buffer_stack_top = 0;
     yyg->yy_buffer_stack_max = 0;
-    yyg->yy_c_buf_p = (char *) 0;
+    yyg->yy_c_buf_p = NULL;
     yyg->yy_init = 0;
     yyg->yy_start = 0;
 
@@ -2766,45 +2953,45 @@ static int yy_init_globals (yyscan_t yyscanner)
     yyin = stdin;
     yyout = stdout;
 #else
-    yyin = (FILE *) 0;
-    yyout = (FILE *) 0;
+    yyin = NULL;
+    yyout = NULL;
 #endif
 
     /* For future reference: Set errno on error, since we are called by
-     * settings_parser_lex_init()
+     * yylex_init()
      */
     return 0;
 }
 /* %endif */
 
 /* %if-c-only SNIP! this currently causes conflicts with the c++ scanner */
-/* settings_parser_lex_destroy is for both reentrant and non-reentrant scanners. */
-int settings_parser_lex_destroy  (yyscan_t yyscanner)
+/* yylex_destroy is for both reentrant and non-reentrant scanners. */
+int yylex_destroy  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 
     /* Pop the buffer stack, destroying each element. */
 	while(YY_CURRENT_BUFFER){
-		settings_parser__delete_buffer(YY_CURRENT_BUFFER ,yyscanner );
+		yy_delete_buffer( YY_CURRENT_BUFFER , yyscanner );
 		YY_CURRENT_BUFFER_LVALUE = NULL;
-		settings_parser_pop_buffer_state(yyscanner);
+		yypop_buffer_state(yyscanner);
 	}
 
 	/* Destroy the stack itself. */
-	settings_parser_free(yyg->yy_buffer_stack ,yyscanner);
+	yyfree(yyg->yy_buffer_stack , yyscanner);
 	yyg->yy_buffer_stack = NULL;
 
     /* Destroy the start condition stack. */
-        settings_parser_free(yyg->yy_start_stack ,yyscanner );
+        yyfree( yyg->yy_start_stack , yyscanner );
         yyg->yy_start_stack = NULL;
 
     /* Reset the globals. This is important in a non-reentrant scanner so the next time
-     * settings_parser_lex() is called, initialization will occur. */
+     * yylex() is called, initialization will occur. */
     yy_init_globals( yyscanner);
 
 /* %if-reentrant */
     /* Destroy the main struct (reentrant only). */
-    settings_parser_free ( yyscanner , yyscanner );
+    yyfree ( yyscanner , yyscanner );
     yyscanner = NULL;
 /* %endif */
     return 0;
@@ -2816,7 +3003,7 @@ int settings_parser_lex_destroy  (yyscan_t yyscanner)
  */
 
 #ifndef yytext_ptr
-static void yy_flex_strncpy (char* s1, yyconst char * s2, int n , yyscan_t yyscanner)
+static void yy_flex_strncpy (char* s1, const char * s2, int n , yyscan_t yyscanner)
 {
 	struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 	(void)yyg;
@@ -2828,7 +3015,7 @@ static void yy_flex_strncpy (char* s1, yyconst char * s2, int n , yyscan_t yysca
 #endif
 
 #ifdef YY_NEED_STRLEN
-static int yy_flex_strlen (yyconst char * s , yyscan_t yyscanner)
+static int yy_flex_strlen (const char * s , yyscan_t yyscanner)
 {
 	int n;
 	for ( n = 0; s[n]; ++n )
@@ -2838,14 +3025,14 @@ static int yy_flex_strlen (yyconst char * s , yyscan_t yyscanner)
 }
 #endif
 
-void *settings_parser_alloc (yy_size_t  size , yyscan_t yyscanner)
+void *yyalloc (yy_size_t  size , yyscan_t yyscanner)
 {
 	struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 	(void)yyg;
-	return (void *) malloc( size );
+	return malloc(size);
 }
 
-void *settings_parser_realloc  (void * ptr, yy_size_t  size , yyscan_t yyscanner)
+void *yyrealloc  (void * ptr, yy_size_t  size , yyscan_t yyscanner)
 {
 	struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 	(void)yyg;
@@ -2857,14 +3044,14 @@ void *settings_parser_realloc  (void * ptr, yy_size_t  size , yyscan_t yyscanner
 	 * any pointer type to void*, and deal with argument conversions
 	 * as though doing an assignment.
 	 */
-	return (void *) realloc( (char *) ptr, size );
+	return realloc(ptr, size);
 }
 
-void settings_parser_free (void * ptr , yyscan_t yyscanner)
+void yyfree (void * ptr , yyscan_t yyscanner)
 {
 	struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 	(void)yyg;
-	free( (char *) ptr );	/* see settings_parser_realloc() for (char *) cast */
+	free( (char *) ptr );	/* see yyrealloc() for (char *) cast */
 }
 
 /* %if-tables-serialization definitions */
@@ -2874,8 +3061,7 @@ void settings_parser_free (void * ptr , yyscan_t yyscanner)
 
 /* %ok-for-header */
 
-#line 236 "settings/settings_lexer.l"
-
+#line 241 "settings/settings_lexer.l"
 
 
 /**
diff --git a/src/libstrongswan/settings/settings_lexer.l b/src/libstrongswan/settings/settings_lexer.l
index 19ab8d7b2..e8c2b9884 100644
--- a/src/libstrongswan/settings/settings_lexer.l
+++ b/src/libstrongswan/settings/settings_lexer.l
@@ -32,6 +32,11 @@ static void include_files(parser_helper_t *ctx);
 /* do not declare unneeded functions */
 %option noinput noyywrap
 
+/* do not include unistd.h as it might conflict with our scanner states */
+%option nounistd
+/* due to that disable interactive mode, which requires isatty() */
+%option never-interactive
+
 /* don't use global variables, and interact properly with bison */
 %option reentrant bison-bridge
 
diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am
index 5737e7a17..d4cac5a3b 100644
--- a/src/libstrongswan/tests/Makefile.am
+++ b/src/libstrongswan/tests/Makefile.am
@@ -58,6 +58,7 @@ libstrongswan_tests_SOURCES = tests.h tests.c \
   suites/test_mgf1.c \
   suites/test_ntru.c \
   suites/test_ed25519.c \
+  suites/test_ed448.c \
   suites/test_signature_params.c
 
 libstrongswan_tests_CFLAGS = \
diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in
index c5b943572..664c84f3f 100644
--- a/src/libstrongswan/tests/Makefile.in
+++ b/src/libstrongswan/tests/Makefile.in
@@ -163,6 +163,7 @@ am_libstrongswan_tests_OBJECTS = libstrongswan_tests-tests.$(OBJEXT) \
 	suites/libstrongswan_tests-test_mgf1.$(OBJEXT) \
 	suites/libstrongswan_tests-test_ntru.$(OBJEXT) \
 	suites/libstrongswan_tests-test_ed25519.$(OBJEXT) \
+	suites/libstrongswan_tests-test_ed448.$(OBJEXT) \
 	suites/libstrongswan_tests-test_signature_params.$(OBJEXT)
 libstrongswan_tests_OBJECTS = $(am_libstrongswan_tests_OBJECTS)
 libstrongswan_tests_DEPENDENCIES =  \
@@ -548,6 +549,7 @@ libstrongswan_tests_SOURCES = tests.h tests.c \
   suites/test_mgf1.c \
   suites/test_ntru.c \
   suites/test_ed25519.c \
+  suites/test_ed448.c \
   suites/test_signature_params.c
 
 libstrongswan_tests_CFLAGS = \
@@ -708,6 +710,8 @@ suites/libstrongswan_tests-test_ntru.$(OBJEXT):  \
 	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
 suites/libstrongswan_tests-test_ed25519.$(OBJEXT):  \
 	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+suites/libstrongswan_tests-test_ed448.$(OBJEXT):  \
+	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
 suites/libstrongswan_tests-test_signature_params.$(OBJEXT):  \
 	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
 
@@ -740,6 +744,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_ecdsa.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_ed25519.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_enum.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_enumerator.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_fetch_http.Po@am__quote@
@@ -1359,6 +1364,20 @@ suites/libstrongswan_tests-test_ed25519.obj: suites/test_ed25519.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ed25519.obj `if test -f 'suites/test_ed25519.c'; then $(CYGPATH_W) 'suites/test_ed25519.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ed25519.c'; fi`
 
+suites/libstrongswan_tests-test_ed448.o: suites/test_ed448.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_ed448.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Tpo -c -o suites/libstrongswan_tests-test_ed448.o `test -f 'suites/test_ed448.c' || echo '$(srcdir)/'`suites/test_ed448.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_ed448.c' object='suites/libstrongswan_tests-test_ed448.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ed448.o `test -f 'suites/test_ed448.c' || echo '$(srcdir)/'`suites/test_ed448.c
+
+suites/libstrongswan_tests-test_ed448.obj: suites/test_ed448.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_ed448.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Tpo -c -o suites/libstrongswan_tests-test_ed448.obj `if test -f 'suites/test_ed448.c'; then $(CYGPATH_W) 'suites/test_ed448.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ed448.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_ed448.c' object='suites/libstrongswan_tests-test_ed448.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ed448.obj `if test -f 'suites/test_ed448.c'; then $(CYGPATH_W) 'suites/test_ed448.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ed448.c'; fi`
+
 suites/libstrongswan_tests-test_signature_params.o: suites/test_signature_params.c
 @am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_signature_params.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Tpo -c -o suites/libstrongswan_tests-test_signature_params.o `test -f 'suites/test_signature_params.c' || echo '$(srcdir)/'`suites/test_signature_params.c
 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Po
diff --git a/src/libstrongswan/tests/suites/test_ed25519.c b/src/libstrongswan/tests/suites/test_ed25519.c
index 86cbb1bc0..c52b90885 100644
--- a/src/libstrongswan/tests/suites/test_ed25519.c
+++ b/src/libstrongswan/tests/suites/test_ed25519.c
@@ -24,10 +24,12 @@ struct sig_test_t {
 	chunk_t pubkey;
 	chunk_t msg;
 	chunk_t sig;
+	chunk_t fp_pk;
+	chunk_t fp_spki;
 };
 
 /**
- * Ed25519 Test Vectors from draft-irtf-cfrg-eddsa
+ * Ed25519 Test Vectors from RFC 8032
  */
 static sig_test_t sig_tests[] = {
 	/* Test 1 */
@@ -51,7 +53,13 @@ static sig_test_t sig_tests[] = {
 		0x01, 0x55, 0x5f, 0xb8, 0x82, 0x15, 0x90, 0xa3, 0x3b, 0xac,
 		0xc6, 0x1e, 0x39, 0x70, 0x1c, 0xf9, 0xb4, 0x6b, 0xd2, 0x5b,
 		0xf5, 0xf0, 0x59, 0x5b, 0xbe, 0x24, 0x65, 0x51, 0x41, 0x43,
-		0x8e, 0x7a, 0x10, 0x0b)
+		0x8e, 0x7a, 0x10, 0x0b),
+	  chunk_from_chars(
+		0x5b, 0x27, 0xaa, 0x55, 0x89, 0x17, 0x97, 0x70, 0xe4, 0x75,
+		0x75, 0xb1, 0x62, 0xa1, 0xde, 0xd9, 0x7b, 0x8b, 0xfc, 0x6d),
+	  chunk_from_chars(
+		0xa5, 0x66, 0xbe, 0x19, 0x84, 0x01, 0x73, 0x41, 0x3a, 0x61,
+		0x04, 0x83, 0x50, 0xef, 0xf2, 0x3e, 0x8f, 0xe2, 0x22, 0x66),
 	},
 	/* Test 2 */
 	{ chunk_from_chars(
@@ -75,7 +83,13 @@ static sig_test_t sig_tests[] = {
 		0x69, 0xda, 0x08, 0x5a, 0xc1, 0xe4, 0x3e, 0x15, 0x99, 0x6e,
 		0x45, 0x8f, 0x36, 0x13, 0xd0, 0xf1, 0x1d, 0x8c, 0x38, 0x7b,
 		0x2e, 0xae, 0xb4, 0x30, 0x2a, 0xee, 0xb0, 0x0d, 0x29, 0x16,
-		0x12, 0xbb, 0x0c, 0x00)
+		0x12, 0xbb, 0x0c, 0x00),
+	  chunk_from_chars(
+		0x13, 0xf7, 0x72, 0x66, 0x9e, 0x15, 0x2a, 0xe6, 0xa6, 0x2a,
+		0x60, 0xa3, 0x48, 0x8a, 0x6f, 0x29, 0x7d, 0x06, 0x13, 0xdd),
+	  chunk_from_chars(
+		0xbd, 0xae, 0x41, 0xeb, 0x5d, 0xbf, 0x88, 0xb9, 0xdf, 0x18,
+		0xda, 0xbb, 0x2d, 0xee, 0xa9, 0x1a, 0x4e, 0x03, 0x38, 0xe4),
 	},
 	/* Test 3 */
 	{ chunk_from_chars(
@@ -99,7 +113,13 @@ static sig_test_t sig_tests[] = {
 		0xc3, 0xac, 0x18, 0xff, 0x9b, 0x53, 0x8d, 0x16, 0xf2, 0x90,
 		0xae, 0x67, 0xf7, 0x60, 0x98, 0x4d, 0xc6, 0x59, 0x4a, 0x7c,
 		0x15, 0xe9, 0x71, 0x6e, 0xd2, 0x8d, 0xc0, 0x27, 0xbe, 0xce,
-		0xea, 0x1e, 0xc4, 0x0a)
+		0xea, 0x1e, 0xc4, 0x0a),
+	  chunk_from_chars(
+		0x88, 0xc7, 0x64, 0xc8, 0xbe, 0x44, 0x37, 0x4a, 0x7d, 0x2f,
+		0x5d, 0x84, 0x72, 0x1f, 0x8e, 0x32, 0x5e, 0x5b, 0xd6, 0x4c),
+	  chunk_from_chars(
+		0xad, 0x01, 0x30, 0xb1, 0x2b, 0x48, 0x62, 0x9b, 0xb9, 0xad,
+		0xea, 0x92, 0x1f, 0xfe, 0xd2, 0x9a, 0x42, 0xf0, 0xad, 0xe6),
 	},
 	/* Test 1024 */
 	{ chunk_from_chars(
@@ -235,7 +255,13 @@ static sig_test_t sig_tests[] = {
 		0xc3, 0x50, 0xaa, 0x53, 0x71, 0xb1, 0x50, 0x8f, 0x9f, 0x45,
 		0x28, 0xec, 0xea, 0x23, 0xc4, 0x36, 0xd9, 0x4b, 0x5e, 0x8f,
 		0xcd, 0x4f, 0x68, 0x1e, 0x30, 0xa6, 0xac, 0x00, 0xa9, 0x70,
-		0x4a, 0x18, 0x8a, 0x03)
+		0x4a, 0x18, 0x8a, 0x03),
+	  chunk_from_chars(
+		0x11, 0x2d, 0xb3, 0x08, 0x97, 0x6e, 0x38, 0x8f, 0x5f, 0x5e,
+		0xb0, 0xae, 0x8f, 0x5f, 0x59, 0x1d, 0xff, 0x74, 0xf4, 0x44),
+	  chunk_from_chars(
+		0xcb, 0x36, 0xcc, 0x6a, 0x82, 0x2c, 0x49, 0x40, 0xfb, 0x08,
+		0x04, 0xf6, 0x3a, 0x4f, 0x20, 0x2b, 0xe5, 0x73, 0x43, 0x2f),
 	},
 	/* Test SHA(abc) */
 	{ chunk_from_chars(
@@ -265,7 +291,13 @@ static sig_test_t sig_tests[] = {
 		0xb5, 0x89, 0x09, 0x35, 0x1f, 0xc9, 0xac, 0x90, 0xb3, 0xec,
 		0xfd, 0xfb, 0xc7, 0xc6, 0x64, 0x31, 0xe0, 0x30, 0x3d, 0xca,
 		0x17, 0x9c, 0x13, 0x8a, 0xc1, 0x7a, 0xd9, 0xbe, 0xf1, 0x17,
-		0x73, 0x31, 0xa7, 0x04)
+		0x73, 0x31, 0xa7, 0x04),
+	  chunk_from_chars(
+		0x26, 0x4c, 0xa5, 0x7f, 0x89, 0x6d, 0x64, 0x81, 0xd1, 0x87,
+		0xe9, 0x89, 0x47, 0x29, 0x5a, 0xfe, 0xe3, 0x6d, 0x82, 0x44),
+	  chunk_from_chars(
+		0x27, 0x88, 0xfc, 0x14, 0xb1, 0xcd, 0xd0, 0x24, 0xd5, 0x9d,
+		0x31, 0x65, 0x59, 0x63, 0x69, 0xcf, 0xaf, 0x50, 0x10, 0xe7),
 	}
 };
 
@@ -273,24 +305,34 @@ START_TEST(test_ed25519_sign)
 {
 	private_key_t *key;
 	public_key_t *pubkey, *public;
-	chunk_t sig, encoding;
+	chunk_t sig, encoding, fp;
 
 	/* load private key */
 	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED25519,
 					BUILD_BLOB_ASN1_DER, sig_tests[_i].key, BUILD_END);
 	ck_assert(key != NULL);
 	ck_assert(key->get_encoding(key, PRIVKEY_ASN1_DER, &encoding));
-	ck_assert(chunk_equals(encoding, sig_tests[_i].key));
+	ck_assert_chunk_eq(encoding, sig_tests[_i].key);
 	chunk_free(&encoding);
 
+	ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fp));
+	ck_assert_chunk_eq(sig_tests[_i].fp_pk, fp);
+	ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &fp));
+	ck_assert_chunk_eq(sig_tests[_i].fp_spki, fp);
+
 	/* load public key */
 	pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519,
 					BUILD_BLOB_ASN1_DER, sig_tests[_i].pubkey, BUILD_END);
 	ck_assert(pubkey != NULL);
 	ck_assert(pubkey->get_encoding(pubkey, PUBKEY_SPKI_ASN1_DER, &encoding));
-	ck_assert(chunk_equals(encoding, sig_tests[_i].pubkey));
+	ck_assert_chunk_eq(encoding, sig_tests[_i].pubkey);
 	chunk_free(&encoding);
 
+	ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp));
+	ck_assert_chunk_eq(sig_tests[_i].fp_pk, fp);
+	ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_INFO_SHA1, &fp));
+	ck_assert_chunk_eq(sig_tests[_i].fp_spki, fp);
+
 	/* compare public keys */
 	public = key->get_public_key(key);
 	ck_assert(public != NULL);
@@ -299,7 +341,7 @@ START_TEST(test_ed25519_sign)
 	/* sign */
 	ck_assert(key->sign(key, SIGN_ED25519, NULL, sig_tests[_i].msg, &sig));
 	ck_assert(sig.len == 64);
-	ck_assert(chunk_equals(sig, sig_tests[_i].sig));
+	ck_assert_chunk_eq(sig, sig_tests[_i].sig);
 
 	/* verify */
 	ck_assert(pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[_i].msg,
@@ -364,7 +406,7 @@ START_TEST(test_ed25519_gen)
 	ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp_pub));
 	ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp_pub));
 	ck_assert(fp_pub.ptr != NULL);
-	ck_assert(chunk_equals(fp_pub, fp_priv));
+	ck_assert_chunk_eq(fp_pub, fp_priv);
 
 	/* clone public key */
 	pubkey2 = pubkey->get_ref(pubkey);
@@ -429,6 +471,16 @@ static chunk_t zero_pk = chunk_from_chars(
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00);
 
+/* sig_tests[0].sig with s+L */
+static chunk_t malleable_sig = chunk_from_chars(
+	0xe5, 0x56, 0x43, 0x00, 0xc3, 0x60, 0xac, 0x72, 0x90, 0x86,
+	0xe2, 0xcc, 0x80, 0x6e, 0x82, 0x8a, 0x84, 0x87, 0x7f, 0x1e,
+	0xb8, 0xe5, 0xd9, 0x74, 0xd8, 0x73, 0xe0, 0x65, 0x22, 0x49,
+	0x01, 0x55, 0x4c, 0x8c, 0x78, 0x72, 0xaa, 0x06, 0x4e, 0x04,
+	0x9d, 0xbb, 0x30, 0x13, 0xfb, 0xf2, 0x93, 0x80, 0xd2, 0x5b,
+	0xf5, 0xf0, 0x59, 0x5b, 0xbe, 0x24, 0x65, 0x51, 0x41, 0x43,
+	0x8e, 0x7a, 0x10, 0x1b);
+
 START_TEST(test_ed25519_fail)
 {
 	private_key_t *key;
@@ -479,6 +531,16 @@ START_TEST(test_ed25519_fail)
 	ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, chunk_empty,
 							  chunk_empty));
 
+	/* RFC 8032, section 5.1.7 requires that 0 <= s < L to prevent signature
+	 * malleability.  Only a warning because Botan and OpenSSL are both
+	 * vulnerable to this. */
+	if (pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[0].msg,
+					   malleable_sig))
+	{
+		warn("Ed25519 signature verification is vulnerable to malleable "
+			 "signatures");
+	}
+
 	/* malformed signature */
 	sig = chunk_create(sig1, 64);
 	memcpy(sig1, sig_tests[0].sig.ptr, 64);
diff --git a/src/libstrongswan/tests/suites/test_ed448.c b/src/libstrongswan/tests/suites/test_ed448.c
new file mode 100644
index 000000000..288da19a0
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_ed448.c
@@ -0,0 +1,654 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <time.h>
+
+typedef struct sig_test_t sig_test_t;
+
+struct sig_test_t {
+	chunk_t key;
+	chunk_t pubkey;
+	chunk_t msg;
+	chunk_t sig;
+	chunk_t fp_pk;
+	chunk_t fp_spki;
+};
+
+/**
+ * Ed448 Test Vectors from RFC 8032
+ */
+static sig_test_t sig_tests[] = {
+	/* Blank */
+	{ chunk_from_chars(
+		0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+		0x6c,0x82,0xa5,0x62,0xcb,0x80,0x8d,0x10,0xd6,0x32,0xbe,0x89,0xc8,0x51,0x3e,0xbf,
+		0x6c,0x92,0x9f,0x34,0xdd,0xfa,0x8c,0x9f,0x63,0xc9,0x96,0x0e,0xf6,0xe3,0x48,0xa3,
+		0x52,0x8c,0x8a,0x3f,0xcc,0x2f,0x04,0x4e,0x39,0xa3,0xfc,0x5b,0x94,0x49,0x2f,0x8f,
+		0x03,0x2e,0x75,0x49,0xa2,0x00,0x98,0xf9,0x5b),
+	  chunk_from_chars(
+		0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0x5f,0xd7,0x44,0x9b,
+		0x59,0xb4,0x61,0xfd,0x2c,0xe7,0x87,0xec,0x61,0x6a,0xd4,0x6a,0x1d,0xa1,0x34,0x24,
+		0x85,0xa7,0x0e,0x1f,0x8a,0x0e,0xa7,0x5d,0x80,0xe9,0x67,0x78,0xed,0xf1,0x24,0x76,
+		0x9b,0x46,0xc7,0x06,0x1b,0xd6,0x78,0x3d,0xf1,0xe5,0x0f,0x6c,0xd1,0xfa,0x1a,0xbe,
+		0xaf,0xe8,0x25,0x61,0x80),
+	  { NULL, 0 },
+	  chunk_from_chars(
+		0x53,0x3a,0x37,0xf6,0xbb,0xe4,0x57,0x25,0x1f,0x02,0x3c,0x0d,0x88,0xf9,0x76,0xae,
+		0x2d,0xfb,0x50,0x4a,0x84,0x3e,0x34,0xd2,0x07,0x4f,0xd8,0x23,0xd4,0x1a,0x59,0x1f,
+		0x2b,0x23,0x3f,0x03,0x4f,0x62,0x82,0x81,0xf2,0xfd,0x7a,0x22,0xdd,0xd4,0x7d,0x78,
+		0x28,0xc5,0x9b,0xd0,0xa2,0x1b,0xfd,0x39,0x80,0xff,0x0d,0x20,0x28,0xd4,0xb1,0x8a,
+		0x9d,0xf6,0x3e,0x00,0x6c,0x5d,0x1c,0x2d,0x34,0x5b,0x92,0x5d,0x8d,0xc0,0x0b,0x41,
+		0x04,0x85,0x2d,0xb9,0x9a,0xc5,0xc7,0xcd,0xda,0x85,0x30,0xa1,0x13,0xa0,0xf4,0xdb,
+		0xb6,0x11,0x49,0xf0,0x5a,0x73,0x63,0x26,0x8c,0x71,0xd9,0x58,0x08,0xff,0x2e,0x65,
+		0x26,0x00),
+	  chunk_from_chars(
+		0x6d,0xe0,0x8a,0x72,0x35,0x1e,0xf1,0xad,0xeb,0xca,0x2c,0xd7,0xf1,0xfd,0xa6,0x91,
+		0x54,0xad,0xfa,0x4f),
+	  chunk_from_chars(
+		0x1b,0x7a,0x47,0x56,0x91,0xb8,0x41,0x33,0x0d,0x2e,0x4d,0xa5,0xe6,0x13,0xb9,0x89,
+		0xda,0xce,0xc5,0x8e),
+	},
+	/* 1 octet */
+	{ chunk_from_chars(
+		0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+		0xc4,0xea,0xb0,0x5d,0x35,0x70,0x07,0xc6,0x32,0xf3,0xdb,0xb4,0x84,0x89,0x92,0x4d,
+		0x55,0x2b,0x08,0xfe,0x0c,0x35,0x3a,0x0d,0x4a,0x1f,0x00,0xac,0xda,0x2c,0x46,0x3a,
+		0xfb,0xea,0x67,0xc5,0xe8,0xd2,0x87,0x7c,0x5e,0x3b,0xc3,0x97,0xa6,0x59,0x94,0x9e,
+		0xf8,0x02,0x1e,0x95,0x4e,0x0a,0x12,0x27,0x4e),
+	  chunk_from_chars(
+		0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0x43,0xba,0x28,0xf4,
+		0x30,0xcd,0xff,0x45,0x6a,0xe5,0x31,0x54,0x5f,0x7e,0xcd,0x0a,0xc8,0x34,0xa5,0x5d,
+		0x93,0x58,0xc0,0x37,0x2b,0xfa,0x0c,0x6c,0x67,0x98,0xc0,0x86,0x6a,0xea,0x01,0xeb,
+		0x00,0x74,0x28,0x02,0xb8,0x43,0x8e,0xa4,0xcb,0x82,0x16,0x9c,0x23,0x51,0x60,0x62,
+		0x7b,0x4c,0x3a,0x94,0x80),
+	  chunk_from_chars(
+		0x03),
+	  chunk_from_chars(
+		0x26,0xb8,0xf9,0x17,0x27,0xbd,0x62,0x89,0x7a,0xf1,0x5e,0x41,0xeb,0x43,0xc3,0x77,
+		0xef,0xb9,0xc6,0x10,0xd4,0x8f,0x23,0x35,0xcb,0x0b,0xd0,0x08,0x78,0x10,0xf4,0x35,
+		0x25,0x41,0xb1,0x43,0xc4,0xb9,0x81,0xb7,0xe1,0x8f,0x62,0xde,0x8c,0xcd,0xf6,0x33,
+		0xfc,0x1b,0xf0,0x37,0xab,0x7c,0xd7,0x79,0x80,0x5e,0x0d,0xbc,0xc0,0xaa,0xe1,0xcb,
+		0xce,0xe1,0xaf,0xb2,0xe0,0x27,0xdf,0x36,0xbc,0x04,0xdc,0xec,0xbf,0x15,0x43,0x36,
+		0xc1,0x9f,0x0a,0xf7,0xe0,0xa6,0x47,0x29,0x05,0xe7,0x99,0xf1,0x95,0x3d,0x2a,0x0f,
+		0xf3,0x34,0x8a,0xb2,0x1a,0xa4,0xad,0xaf,0xd1,0xd2,0x34,0x44,0x1c,0xf8,0x07,0xc0,
+		0x3a,0x00),
+	  chunk_from_chars(
+		0x74,0xa7,0x4b,0x23,0x69,0x98,0x17,0x46,0x1f,0xca,0xcf,0x84,0xf7,0xc6,0x3e,0x05,
+		0x2a,0x1b,0xf9,0xb8),
+	  chunk_from_chars(
+		0xf6,0x76,0xf7,0x63,0x82,0x2b,0x53,0x5c,0x61,0x9c,0xfa,0x4a,0x59,0x7d,0xdd,0xae,
+		0x13,0x34,0xf0,0xb1),
+	},
+	/* 11 octets */
+	{ chunk_from_chars(
+		0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+		0xcd,0x23,0xd2,0x4f,0x71,0x42,0x74,0xe7,0x44,0x34,0x32,0x37,0xb9,0x32,0x90,0xf5,
+		0x11,0xf6,0x42,0x5f,0x98,0xe6,0x44,0x59,0xff,0x20,0x3e,0x89,0x85,0x08,0x3f,0xfd,
+		0xf6,0x05,0x00,0x55,0x3a,0xbc,0x0e,0x05,0xcd,0x02,0x18,0x4b,0xdb,0x89,0xc4,0xcc,
+		0xd6,0x7e,0x18,0x79,0x51,0x26,0x7e,0xb3,0x28),
+	  chunk_from_chars(
+		0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0xdc,0xea,0x9e,0x78,
+		0xf3,0x5a,0x1b,0xf3,0x49,0x9a,0x83,0x1b,0x10,0xb8,0x6c,0x90,0xaa,0xc0,0x1c,0xd8,
+		0x4b,0x67,0xa0,0x10,0x9b,0x55,0xa3,0x6e,0x93,0x28,0xb1,0xe3,0x65,0xfc,0xe1,0x61,
+		0xd7,0x1c,0xe7,0x13,0x1a,0x54,0x3e,0xa4,0xcb,0x5f,0x7e,0x9f,0x1d,0x8b,0x00,0x69,
+		0x64,0x47,0x00,0x14,0x00),
+	  chunk_from_chars(
+		0x0c,0x3e,0x54,0x40,0x74,0xec,0x63,0xb0,0x26,0x5e,0x0c),
+	  chunk_from_chars(
+		0x1f,0x0a,0x88,0x88,0xce,0x25,0xe8,0xd4,0x58,0xa2,0x11,0x30,0x87,0x9b,0x84,0x0a,
+		0x90,0x89,0xd9,0x99,0xaa,0xba,0x03,0x9e,0xaf,0x3e,0x3a,0xfa,0x09,0x0a,0x09,0xd3,
+		0x89,0xdb,0xa8,0x2c,0x4f,0xf2,0xae,0x8a,0xc5,0xcd,0xfb,0x7c,0x55,0xe9,0x4d,0x5d,
+		0x96,0x1a,0x29,0xfe,0x01,0x09,0x94,0x1e,0x00,0xb8,0xdb,0xde,0xea,0x6d,0x3b,0x05,
+		0x10,0x68,0xdf,0x72,0x54,0xc0,0xcd,0xc1,0x29,0xcb,0xe6,0x2d,0xb2,0xdc,0x95,0x7d,
+		0xbb,0x47,0xb5,0x1f,0xd3,0xf2,0x13,0xfb,0x86,0x98,0xf0,0x64,0x77,0x42,0x50,0xa5,
+		0x02,0x89,0x61,0xc9,0xbf,0x8f,0xfd,0x97,0x3f,0xe5,0xd5,0xc2,0x06,0x49,0x2b,0x14,
+		0x0e,0x00),
+	  chunk_from_chars(
+		0x3b,0x56,0x55,0xa4,0xce,0x4c,0xec,0x67,0x77,0x9c,0x9f,0xeb,0xfe,0x6f,0x38,0xba,
+		0x88,0xc2,0x25,0x10),
+	  chunk_from_chars(
+		0x71,0xcb,0xf2,0xb7,0x1b,0x3b,0x77,0xcb,0xd6,0x41,0x05,0x02,0x72,0x31,0xa6,0x91,
+		0x27,0x3f,0xe5,0x51),
+	},
+	/* 12 octets */
+	{ chunk_from_chars(
+		0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+		0x25,0x8c,0xdd,0x4a,0xda,0x32,0xed,0x9c,0x9f,0xf5,0x4e,0x63,0x75,0x6a,0xe5,0x82,
+		0xfb,0x8f,0xab,0x2a,0xc7,0x21,0xf2,0xc8,0xe6,0x76,0xa7,0x27,0x68,0x51,0x3d,0x93,
+		0x9f,0x63,0xdd,0xdb,0x55,0x60,0x91,0x33,0xf2,0x9a,0xdf,0x86,0xec,0x99,0x29,0xdc,
+		0xcb,0x52,0xc1,0xc5,0xfd,0x2f,0xf7,0xe2,0x1b),
+	  chunk_from_chars(
+		0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0x3b,0xa1,0x6d,0xa0,
+		0xc6,0xf2,0xcc,0x1f,0x30,0x18,0x77,0x40,0x75,0x6f,0x5e,0x79,0x8d,0x6b,0xc5,0xfc,
+		0x01,0x5d,0x7c,0x63,0xcc,0x95,0x10,0xee,0x3f,0xd4,0x4a,0xdc,0x24,0xd8,0xe9,0x68,
+		0xb6,0xe4,0x6e,0x6f,0x94,0xd1,0x9b,0x94,0x53,0x61,0x72,0x6b,0xd7,0x5e,0x14,0x9e,
+		0xf0,0x98,0x17,0xf5,0x80),
+	  chunk_from_chars(
+		0x64,0xa6,0x5f,0x3c,0xde,0xdc,0xdd,0x66,0x81,0x1e,0x29,0x15),
+	  chunk_from_chars(
+		0x7e,0xee,0xab,0x7c,0x4e,0x50,0xfb,0x79,0x9b,0x41,0x8e,0xe5,0xe3,0x19,0x7f,0xf6,
+		0xbf,0x15,0xd4,0x3a,0x14,0xc3,0x43,0x89,0xb5,0x9d,0xd1,0xa7,0xb1,0xb8,0x5b,0x4a,
+		0xe9,0x04,0x38,0xac,0xa6,0x34,0xbe,0xa4,0x5e,0x3a,0x26,0x95,0xf1,0x27,0x0f,0x07,
+		0xfd,0xcd,0xf7,0xc6,0x2b,0x8e,0xfe,0xaf,0x00,0xb4,0x5c,0x2c,0x96,0xba,0x45,0x7e,
+		0xb1,0xa8,0xbf,0x07,0x5a,0x3d,0xb2,0x8e,0x5c,0x24,0xf6,0xb9,0x23,0xed,0x4a,0xd7,
+		0x47,0xc3,0xc9,0xe0,0x3c,0x70,0x79,0xef,0xb8,0x7c,0xb1,0x10,0xd3,0xa9,0x98,0x61,
+		0xe7,0x20,0x03,0xcb,0xae,0x6d,0x6b,0x8b,0x82,0x7e,0x4e,0x6c,0x14,0x30,0x64,0xff,
+		0x3c,0x00),
+	  chunk_from_chars(
+		0x56,0x8e,0xad,0x67,0xa7,0x83,0x78,0xfe,0x8f,0xaf,0xa7,0x87,0x2e,0xc8,0x95,0xa0,
+		0xde,0x05,0x37,0x4c),
+	  chunk_from_chars(
+		0xed,0x1b,0xe5,0xa1,0x97,0x23,0x59,0x4d,0x86,0x6b,0x6b,0xef,0xfb,0x81,0xe4,0x8e,
+		0xf7,0x42,0xe0,0x81),
+	},
+	/* 13 octets */
+	{ chunk_from_chars(
+		0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+		0x7e,0xf4,0xe8,0x45,0x44,0x23,0x67,0x52,0xfb,0xb5,0x6b,0x8f,0x31,0xa2,0x3a,0x10,
+		0xe4,0x28,0x14,0xf5,0xf5,0x5c,0xa0,0x37,0xcd,0xcc,0x11,0xc6,0x4c,0x9a,0x3b,0x29,
+		0x49,0xc1,0xbb,0x60,0x70,0x03,0x14,0x61,0x17,0x32,0xa6,0xc2,0xfe,0xa9,0x8e,0xeb,
+		0xc0,0x26,0x6a,0x11,0xa9,0x39,0x70,0x10,0x0e),
+	  chunk_from_chars(
+		0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0xb3,0xda,0x07,0x9b,
+		0x0a,0xa4,0x93,0xa5,0x77,0x20,0x29,0xf0,0x46,0x7b,0xae,0xbe,0xe5,0xa8,0x11,0x2d,
+		0x9d,0x3a,0x22,0x53,0x23,0x61,0xda,0x29,0x4f,0x7b,0xb3,0x81,0x5c,0x5d,0xc5,0x9e,
+		0x17,0x6b,0x4d,0x9f,0x38,0x1c,0xa0,0x93,0x8e,0x13,0xc6,0xc0,0x7b,0x17,0x4b,0xe6,
+		0x5d,0xfa,0x57,0x8e,0x80),
+	  chunk_from_chars(
+		0x64,0xa6,0x5f,0x3c,0xde,0xdc,0xdd,0x66,0x81,0x1e,0x29,0x15,0xe7),
+	  chunk_from_chars(
+		0x6a,0x12,0x06,0x6f,0x55,0x33,0x1b,0x6c,0x22,0xac,0xd5,0xd5,0xbf,0xc5,0xd7,0x12,
+		0x28,0xfb,0xda,0x80,0xae,0x8d,0xec,0x26,0xbd,0xd3,0x06,0x74,0x3c,0x50,0x27,0xcb,
+		0x48,0x90,0x81,0x0c,0x16,0x2c,0x02,0x74,0x68,0x67,0x5e,0xcf,0x64,0x5a,0x83,0x17,
+		0x6c,0x0d,0x73,0x23,0xa2,0xcc,0xde,0x2d,0x80,0xef,0xe5,0xa1,0x26,0x8e,0x8a,0xca,
+		0x1d,0x6f,0xbc,0x19,0x4d,0x3f,0x77,0xc4,0x49,0x86,0xeb,0x4a,0xb4,0x17,0x79,0x19,
+		0xad,0x8b,0xec,0x33,0xeb,0x47,0xbb,0xb5,0xfc,0x6e,0x28,0x19,0x6f,0xd1,0xca,0xf5,
+		0x6b,0x4e,0x7e,0x0b,0xa5,0x51,0x92,0x34,0xd0,0x47,0x15,0x5a,0xc7,0x27,0xa1,0x05,
+		0x31,0x00),
+	  chunk_from_chars(
+		0x6e,0xb1,0xb6,0x33,0x76,0xa8,0x0f,0x84,0x26,0x23,0xfb,0xaa,0x9e,0xaa,0x1d,0x8d,
+		0x6d,0xa5,0x75,0x4e),
+	  chunk_from_chars(
+		0xfa,0x2f,0xeb,0xff,0x13,0xc0,0xee,0xd0,0x3b,0xc6,0xf2,0x7d,0xb8,0x61,0xe5,0x9d,
+		0x16,0x53,0xb1,0x11),
+	},
+	/* 64 octets */
+	{ chunk_from_chars(
+		0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+		0xd6,0x5d,0xf3,0x41,0xad,0x13,0xe0,0x08,0x56,0x76,0x88,0xba,0xed,0xda,0x8e,0x9d,
+		0xcd,0xc1,0x7d,0xc0,0x24,0x97,0x4e,0xa5,0xb4,0x22,0x7b,0x65,0x30,0xe3,0x39,0xbf,
+		0xf2,0x1f,0x99,0xe6,0x8c,0xa6,0x96,0x8f,0x3c,0xca,0x6d,0xfe,0x0f,0xb9,0xf4,0xfa,
+		0xb4,0xfa,0x13,0x5d,0x55,0x42,0xea,0x3f,0x01),
+	  chunk_from_chars(
+		0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0xdf,0x97,0x05,0xf5,
+		0x8e,0xdb,0xab,0x80,0x2c,0x7f,0x83,0x63,0xcf,0xe5,0x56,0x0a,0xb1,0xc6,0x13,0x2c,
+		0x20,0xa9,0xf1,0xdd,0x16,0x34,0x83,0xa2,0x6f,0x8a,0xc5,0x3a,0x39,0xd6,0x80,0x8b,
+		0xf4,0xa1,0xdf,0xbd,0x26,0x1b,0x09,0x9b,0xb0,0x3b,0x3f,0xb5,0x09,0x06,0xcb,0x28,
+		0xbd,0x8a,0x08,0x1f,0x00),
+	  chunk_from_chars(
+		0xbd,0x0f,0x6a,0x37,0x47,0xcd,0x56,0x1b,0xdd,0xdf,0x46,0x40,0xa3,0x32,0x46,0x1a,
+		0x4a,0x30,0xa1,0x2a,0x43,0x4c,0xd0,0xbf,0x40,0xd7,0x66,0xd9,0xc6,0xd4,0x58,0xe5,
+		0x51,0x22,0x04,0xa3,0x0c,0x17,0xd1,0xf5,0x0b,0x50,0x79,0x63,0x1f,0x64,0xeb,0x31,
+		0x12,0x18,0x2d,0xa3,0x00,0x58,0x35,0x46,0x11,0x13,0x71,0x8d,0x1a,0x5e,0xf9,0x44),
+	  chunk_from_chars(
+		0x55,0x4b,0xc2,0x48,0x08,0x60,0xb4,0x9e,0xab,0x85,0x32,0xd2,0xa5,0x33,0xb7,0xd5,
+		0x78,0xef,0x47,0x3e,0xeb,0x58,0xc9,0x8b,0xb2,0xd0,0xe1,0xce,0x48,0x8a,0x98,0xb1,
+		0x8d,0xfd,0xe9,0xb9,0xb9,0x07,0x75,0xe6,0x7f,0x47,0xd4,0xa1,0xc3,0x48,0x20,0x58,
+		0xef,0xc9,0xf4,0x0d,0x2c,0xa0,0x33,0xa0,0x80,0x1b,0x63,0xd4,0x5b,0x3b,0x72,0x2e,
+		0xf5,0x52,0xba,0xd3,0xb4,0xcc,0xb6,0x67,0xda,0x35,0x01,0x92,0xb6,0x1c,0x50,0x8c,
+		0xf7,0xb6,0xb5,0xad,0xad,0xc2,0xc8,0xd9,0xa4,0x46,0xef,0x00,0x3f,0xb0,0x5c,0xba,
+		0x5f,0x30,0xe8,0x8e,0x36,0xec,0x27,0x03,0xb3,0x49,0xca,0x22,0x9c,0x26,0x70,0x83,
+		0x39,0x00),
+	  chunk_from_chars(
+		0x2b,0xb0,0xd4,0x29,0xb8,0x51,0x3f,0xb5,0x9d,0x07,0xd0,0xb0,0x1f,0x4a,0x39,0x25,
+		0x33,0xae,0x3e,0x64),
+	  chunk_from_chars(
+		0x79,0xbb,0x37,0xe4,0x2a,0xf9,0x58,0xb7,0xa4,0x58,0x18,0x88,0x4b,0x82,0x8f,0xfb,
+		0x9c,0x74,0xce,0x9d),
+	},
+	/* 256 octets */
+	{ chunk_from_chars(
+		0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+		0x2e,0xc5,0xfe,0x3c,0x17,0x04,0x5a,0xbd,0xb1,0x36,0xa5,0xe6,0xa9,0x13,0xe3,0x2a,
+		0xb7,0x5a,0xe6,0x8b,0x53,0xd2,0xfc,0x14,0x9b,0x77,0xe5,0x04,0x13,0x2d,0x37,0x56,
+		0x9b,0x7e,0x76,0x6b,0xa7,0x4a,0x19,0xbd,0x61,0x62,0x34,0x3a,0x21,0xc8,0x59,0x0a,
+		0xa9,0xce,0xbc,0xa9,0x01,0x4c,0x63,0x6d,0xf5),
+	  chunk_from_chars(
+		0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0x79,0x75,0x6f,0x01,
+		0x4d,0xcf,0xe2,0x07,0x9f,0x5d,0xd9,0xe7,0x18,0xbe,0x41,0x71,0xe2,0xef,0x24,0x86,
+		0xa0,0x8f,0x25,0x18,0x6f,0x6b,0xff,0x43,0xa9,0x93,0x6b,0x9b,0xfe,0x12,0x40,0x2b,
+		0x08,0xae,0x65,0x79,0x8a,0x3d,0x81,0xe2,0x2e,0x9e,0xc8,0x0e,0x76,0x90,0x86,0x2e,
+		0xf3,0xd4,0xed,0x3a,0x00),
+	  chunk_from_chars(
+		0x15,0x77,0x75,0x32,0xb0,0xbd,0xd0,0xd1,0x38,0x9f,0x63,0x6c,0x5f,0x6b,0x9b,0xa7,
+		0x34,0xc9,0x0a,0xf5,0x72,0x87,0x7e,0x2d,0x27,0x2d,0xd0,0x78,0xaa,0x1e,0x56,0x7c,
+		0xfa,0x80,0xe1,0x29,0x28,0xbb,0x54,0x23,0x30,0xe8,0x40,0x9f,0x31,0x74,0x50,0x41,
+		0x07,0xec,0xd5,0xef,0xac,0x61,0xae,0x75,0x04,0xda,0xbe,0x2a,0x60,0x2e,0xde,0x89,
+		0xe5,0xcc,0xa6,0x25,0x7a,0x7c,0x77,0xe2,0x7a,0x70,0x2b,0x3a,0xe3,0x9f,0xc7,0x69,
+		0xfc,0x54,0xf2,0x39,0x5a,0xe6,0xa1,0x17,0x8c,0xab,0x47,0x38,0xe5,0x43,0x07,0x2f,
+		0xc1,0xc1,0x77,0xfe,0x71,0xe9,0x2e,0x25,0xbf,0x03,0xe4,0xec,0xb7,0x2f,0x47,0xb6,
+		0x4d,0x04,0x65,0xaa,0xea,0x4c,0x7f,0xad,0x37,0x25,0x36,0xc8,0xba,0x51,0x6a,0x60,
+		0x39,0xc3,0xc2,0xa3,0x9f,0x0e,0x4d,0x83,0x2b,0xe4,0x32,0xdf,0xa9,0xa7,0x06,0xa6,
+		0xe5,0xc7,0xe1,0x9f,0x39,0x79,0x64,0xca,0x42,0x58,0x00,0x2f,0x7c,0x05,0x41,0xb5,
+		0x90,0x31,0x6d,0xbc,0x56,0x22,0xb6,0xb2,0xa6,0xfe,0x7a,0x4a,0xbf,0xfd,0x96,0x10,
+		0x5e,0xca,0x76,0xea,0x7b,0x98,0x81,0x6a,0xf0,0x74,0x8c,0x10,0xdf,0x04,0x8c,0xe0,
+		0x12,0xd9,0x01,0x01,0x5a,0x51,0xf1,0x89,0xf3,0x88,0x81,0x45,0xc0,0x36,0x50,0xaa,
+		0x23,0xce,0x89,0x4c,0x3b,0xd8,0x89,0xe0,0x30,0xd5,0x65,0x07,0x1c,0x59,0xf4,0x09,
+		0xa9,0x98,0x1b,0x51,0x87,0x8f,0xd6,0xfc,0x11,0x06,0x24,0xdc,0xbc,0xde,0x0b,0xf7,
+		0xa6,0x9c,0xcc,0xe3,0x8f,0xab,0xdf,0x86,0xf3,0xbe,0xf6,0x04,0x48,0x19,0xde,0x11),
+	  chunk_from_chars(
+		0xc6,0x50,0xdd,0xbb,0x06,0x01,0xc1,0x9c,0xa1,0x14,0x39,0xe1,0x64,0x0d,0xd9,0x31,
+		0xf4,0x3c,0x51,0x8e,0xa5,0xbe,0xa7,0x0d,0x3d,0xcd,0xe5,0xf4,0x19,0x1f,0xe5,0x3f,
+		0x00,0xcf,0x96,0x65,0x46,0xb7,0x2b,0xcc,0x7d,0x58,0xbe,0x2b,0x9b,0xad,0xef,0x28,
+		0x74,0x39,0x54,0xe3,0xa4,0x4a,0x23,0xf8,0x80,0xe8,0xd4,0xf1,0xcf,0xce,0x2d,0x7a,
+		0x61,0x45,0x2d,0x26,0xda,0x05,0x89,0x6f,0x0a,0x50,0xda,0x66,0xa2,0x39,0xa8,0xa1,
+		0x88,0xb6,0xd8,0x25,0xb3,0x30,0x5a,0xd7,0x7b,0x73,0xfb,0xac,0x08,0x36,0xec,0xc6,
+		0x09,0x87,0xfd,0x08,0x52,0x7c,0x1a,0x8e,0x80,0xd5,0x82,0x3e,0x65,0xca,0xfe,0x2a,
+		0x3d,0x00),
+	  chunk_from_chars(
+		0xfc,0x02,0xc5,0x25,0x74,0x09,0x8f,0xbb,0xaf,0x8c,0xad,0x02,0x14,0x9d,0xef,0x0d,
+		0x94,0xb7,0x96,0x5f),
+	  chunk_from_chars(
+		0x63,0x03,0x8e,0x1f,0xcc,0x69,0x1e,0x2f,0x9d,0xb3,0x57,0x0f,0xad,0xbc,0x01,0x35,
+		0x63,0xdb,0x06,0xba),
+	},
+	/* 1023 octets */
+	{ chunk_from_chars(
+		0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+		0x87,0x2d,0x09,0x37,0x80,0xf5,0xd3,0x73,0x0d,0xf7,0xc2,0x12,0x66,0x4b,0x37,0xb8,
+		0xa0,0xf2,0x4f,0x56,0x81,0x0d,0xaa,0x83,0x82,0xcd,0x4f,0xa3,0xf7,0x76,0x34,0xec,
+		0x44,0xdc,0x54,0xf1,0xc2,0xed,0x9b,0xea,0x86,0xfa,0xfb,0x76,0x32,0xd8,0xbe,0x19,
+		0x9e,0xa1,0x65,0xf5,0xad,0x55,0xdd,0x9c,0xe8),
+	  chunk_from_chars(
+		0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0xa8,0x1b,0x2e,0x8a,
+		0x70,0xa5,0xac,0x94,0xff,0xdb,0xcc,0x9b,0xad,0xfc,0x3f,0xeb,0x08,0x01,0xf2,0x58,
+		0x57,0x8b,0xb1,0x14,0xad,0x44,0xec,0xe1,0xec,0x0e,0x79,0x9d,0xa0,0x8e,0xff,0xb8,
+		0x1c,0x5d,0x68,0x5c,0x0c,0x56,0xf6,0x4e,0xec,0xae,0xf8,0xcd,0xf1,0x1c,0xc3,0x87,
+		0x37,0x83,0x8c,0xf4,0x00),
+	  chunk_from_chars(
+		0x6d,0xdf,0x80,0x2e,0x1a,0xae,0x49,0x86,0x93,0x5f,0x7f,0x98,0x1b,0xa3,0xf0,0x35,
+		0x1d,0x62,0x73,0xc0,0xa0,0xc2,0x2c,0x9c,0x0e,0x83,0x39,0x16,0x8e,0x67,0x54,0x12,
+		0xa3,0xde,0xbf,0xaf,0x43,0x5e,0xd6,0x51,0x55,0x80,0x07,0xdb,0x43,0x84,0xb6,0x50,
+		0xfc,0xc0,0x7e,0x3b,0x58,0x6a,0x27,0xa4,0xf7,0xa0,0x0a,0xc8,0xa6,0xfe,0xc2,0xcd,
+		0x86,0xae,0x4b,0xf1,0x57,0x0c,0x41,0xe6,0xa4,0x0c,0x93,0x1d,0xb2,0x7b,0x2f,0xaa,
+		0x15,0xa8,0xce,0xdd,0x52,0xcf,0xf7,0x36,0x2c,0x4e,0x6e,0x23,0xda,0xec,0x0f,0xbc,
+		0x3a,0x79,0xb6,0x80,0x6e,0x31,0x6e,0xfc,0xc7,0xb6,0x81,0x19,0xbf,0x46,0xbc,0x76,
+		0xa2,0x60,0x67,0xa5,0x3f,0x29,0x6d,0xaf,0xdb,0xdc,0x11,0xc7,0x7f,0x77,0x77,0xe9,
+		0x72,0x66,0x0c,0xf4,0xb6,0xa9,0xb3,0x69,0xa6,0x66,0x5f,0x02,0xe0,0xcc,0x9b,0x6e,
+		0xdf,0xad,0x13,0x6b,0x4f,0xab,0xe7,0x23,0xd2,0x81,0x3d,0xb3,0x13,0x6c,0xfd,0xe9,
+		0xb6,0xd0,0x44,0x32,0x2f,0xee,0x29,0x47,0x95,0x2e,0x03,0x1b,0x73,0xab,0x5c,0x60,
+		0x33,0x49,0xb3,0x07,0xbd,0xc2,0x7b,0xc6,0xcb,0x8b,0x8b,0xbd,0x7b,0xd3,0x23,0x21,
+		0x9b,0x80,0x33,0xa5,0x81,0xb5,0x9e,0xad,0xeb,0xb0,0x9b,0x3c,0x4f,0x3d,0x22,0x77,
+		0xd4,0xf0,0x34,0x36,0x24,0xac,0xc8,0x17,0x80,0x47,0x28,0xb2,0x5a,0xb7,0x97,0x17,
+		0x2b,0x4c,0x5c,0x21,0xa2,0x2f,0x9c,0x78,0x39,0xd6,0x43,0x00,0x23,0x2e,0xb6,0x6e,
+		0x53,0xf3,0x1c,0x72,0x3f,0xa3,0x7f,0xe3,0x87,0xc7,0xd3,0xe5,0x0b,0xdf,0x98,0x13,
+		0xa3,0x0e,0x5b,0xb1,0x2c,0xf4,0xcd,0x93,0x0c,0x40,0xcf,0xb4,0xe1,0xfc,0x62,0x25,
+		0x92,0xa4,0x95,0x88,0x79,0x44,0x94,0xd5,0x6d,0x24,0xea,0x4b,0x40,0xc8,0x9f,0xc0,
+		0x59,0x6c,0xc9,0xeb,0xb9,0x61,0xc8,0xcb,0x10,0xad,0xde,0x97,0x6a,0x5d,0x60,0x2b,
+		0x1c,0x3f,0x85,0xb9,0xb9,0xa0,0x01,0xed,0x3c,0x6a,0x4d,0x3b,0x14,0x37,0xf5,0x20,
+		0x96,0xcd,0x19,0x56,0xd0,0x42,0xa5,0x97,0xd5,0x61,0xa5,0x96,0xec,0xd3,0xd1,0x73,
+		0x5a,0x8d,0x57,0x0e,0xa0,0xec,0x27,0x22,0x5a,0x2c,0x4a,0xaf,0xf2,0x63,0x06,0xd1,
+		0x52,0x6c,0x1a,0xf3,0xca,0x6d,0x9c,0xf5,0xa2,0xc9,0x8f,0x47,0xe1,0xc4,0x6d,0xb9,
+		0xa3,0x32,0x34,0xcf,0xd4,0xd8,0x1f,0x2c,0x98,0x53,0x8a,0x09,0xeb,0xe7,0x69,0x98,
+		0xd0,0xd8,0xfd,0x25,0x99,0x7c,0x7d,0x25,0x5c,0x6d,0x66,0xec,0xe6,0xfa,0x56,0xf1,
+		0x11,0x44,0x95,0x0f,0x02,0x77,0x95,0xe6,0x53,0x00,0x8f,0x4b,0xd7,0xca,0x2d,0xee,
+		0x85,0xd8,0xe9,0x0f,0x3d,0xc3,0x15,0x13,0x0c,0xe2,0xa0,0x03,0x75,0xa3,0x18,0xc7,
+		0xc3,0xd9,0x7b,0xe2,0xc8,0xce,0x5b,0x6d,0xb4,0x1a,0x62,0x54,0xff,0x26,0x4f,0xa6,
+		0x15,0x5b,0xae,0xe3,0xb0,0x77,0x3c,0x0f,0x49,0x7c,0x57,0x3f,0x19,0xbb,0x4f,0x42,
+		0x40,0x28,0x1f,0x0b,0x1f,0x4f,0x7b,0xe8,0x57,0xa4,0xe5,0x9d,0x41,0x6c,0x06,0xb4,
+		0xc5,0x0f,0xa0,0x9e,0x18,0x10,0xdd,0xc6,0xb1,0x46,0x7b,0xae,0xac,0x5a,0x36,0x68,
+		0xd1,0x1b,0x6e,0xca,0xa9,0x01,0x44,0x00,0x16,0xf3,0x89,0xf8,0x0a,0xcc,0x4d,0xb9,
+		0x77,0x02,0x5e,0x7f,0x59,0x24,0x38,0x8c,0x7e,0x34,0x0a,0x73,0x2e,0x55,0x44,0x40,
+		0xe7,0x65,0x70,0xf8,0xdd,0x71,0xb7,0xd6,0x40,0xb3,0x45,0x0d,0x1f,0xd5,0xf0,0x41,
+		0x0a,0x18,0xf9,0xa3,0x49,0x4f,0x70,0x7c,0x71,0x7b,0x79,0xb4,0xbf,0x75,0xc9,0x84,
+		0x00,0xb0,0x96,0xb2,0x16,0x53,0xb5,0xd2,0x17,0xcf,0x35,0x65,0xc9,0x59,0x74,0x56,
+		0xf7,0x07,0x03,0x49,0x7a,0x07,0x87,0x63,0x82,0x9b,0xc0,0x1b,0xb1,0xcb,0xc8,0xfa,
+		0x04,0xea,0xdc,0x9a,0x6e,0x3f,0x66,0x99,0x58,0x7a,0x9e,0x75,0xc9,0x4e,0x5b,0xab,
+		0x00,0x36,0xe0,0xb2,0xe7,0x11,0x39,0x2c,0xff,0x00,0x47,0xd0,0xd6,0xb0,0x5b,0xd2,
+		0xa5,0x88,0xbc,0x10,0x97,0x18,0x95,0x42,0x59,0xf1,0xd8,0x66,0x78,0xa5,0x79,0xa3,
+		0x12,0x0f,0x19,0xcf,0xb2,0x96,0x3f,0x17,0x7a,0xeb,0x70,0xf2,0xd4,0x84,0x48,0x26,
+		0x26,0x2e,0x51,0xb8,0x02,0x71,0x27,0x20,0x68,0xef,0x5b,0x38,0x56,0xfa,0x85,0x35,
+		0xaa,0x2a,0x88,0xb2,0xd4,0x1f,0x2a,0x0e,0x2f,0xda,0x76,0x24,0xc2,0x85,0x02,0x72,
+		0xac,0x4a,0x2f,0x56,0x1f,0x8f,0x2f,0x7a,0x31,0x8b,0xfd,0x5c,0xaf,0x96,0x96,0x14,
+		0x9e,0x4a,0xc8,0x24,0xad,0x34,0x60,0x53,0x8f,0xdc,0x25,0x42,0x1b,0xee,0xc2,0xcc,
+		0x68,0x18,0x16,0x2d,0x06,0xbb,0xed,0x0c,0x40,0xa3,0x87,0x19,0x23,0x49,0xdb,0x67,
+		0xa1,0x18,0xba,0xda,0x6c,0xd5,0xab,0x01,0x40,0xee,0x27,0x32,0x04,0xf6,0x28,0xaa,
+		0xd1,0xc1,0x35,0xf7,0x70,0x27,0x9a,0x65,0x1e,0x24,0xd8,0xc1,0x4d,0x75,0xa6,0x05,
+		0x9d,0x76,0xb9,0x6a,0x6f,0xd8,0x57,0xde,0xf5,0xe0,0xb3,0x54,0xb2,0x7a,0xb9,0x37,
+		0xa5,0x81,0x5d,0x16,0xb5,0xfa,0xe4,0x07,0xff,0x18,0x22,0x2c,0x6d,0x1e,0xd2,0x63,
+		0xbe,0x68,0xc9,0x5f,0x32,0xd9,0x08,0xbd,0x89,0x5c,0xd7,0x62,0x07,0xae,0x72,0x64,
+		0x87,0x56,0x7f,0x9a,0x67,0xda,0xd7,0x9a,0xbe,0xc3,0x16,0xf6,0x83,0xb1,0x7f,0x2d,
+		0x02,0xbf,0x07,0xe0,0xac,0x8b,0x5b,0xc6,0x16,0x2c,0xf9,0x46,0x97,0xb3,0xc2,0x7c,
+		0xd1,0xfe,0xa4,0x9b,0x27,0xf2,0x3b,0xa2,0x90,0x18,0x71,0x96,0x25,0x06,0x52,0x0c,
+		0x39,0x2d,0xa8,0xb6,0xad,0x0d,0x99,0xf7,0x01,0x3f,0xbc,0x06,0xc2,0xc1,0x7a,0x56,
+		0x95,0x00,0xc8,0xa7,0x69,0x64,0x81,0xc1,0xcd,0x33,0xe9,0xb1,0x4e,0x40,0xb8,0x2e,
+		0x79,0xa5,0xf5,0xdb,0x82,0x57,0x1b,0xa9,0x7b,0xae,0x3a,0xd3,0xe0,0x47,0x95,0x15,
+		0xbb,0x0e,0x2b,0x0f,0x3b,0xfc,0xd1,0xfd,0x33,0x03,0x4e,0xfc,0x62,0x45,0xed,0xdd,
+		0x7e,0xe2,0x08,0x6d,0xda,0xe2,0x60,0x0d,0x8c,0xa7,0x3e,0x21,0x4e,0x8c,0x2b,0x0b,
+		0xdb,0x2b,0x04,0x7c,0x6a,0x46,0x4a,0x56,0x2e,0xd7,0x7b,0x73,0xd2,0xd8,0x41,0xc4,
+		0xb3,0x49,0x73,0x55,0x12,0x57,0x71,0x3b,0x75,0x36,0x32,0xef,0xba,0x34,0x81,0x69,
+		0xab,0xc9,0x0a,0x68,0xf4,0x26,0x11,0xa4,0x01,0x26,0xd7,0xcb,0x21,0xb5,0x86,0x95,
+		0x56,0x81,0x86,0xf7,0xe5,0x69,0xd2,0xff,0x0f,0x9e,0x74,0x5d,0x04,0x87,0xdd,0x2e,
+		0xb9,0x97,0xca,0xfc,0x5a,0xbf,0x9d,0xd1,0x02,0xe6,0x2f,0xf6,0x6c,0xba,0x87),
+	  chunk_from_chars(
+		0xe3,0x01,0x34,0x5a,0x41,0xa3,0x9a,0x4d,0x72,0xff,0xf8,0xdf,0x69,0xc9,0x80,0x75,
+		0xa0,0xcc,0x08,0x2b,0x80,0x2f,0xc9,0xb2,0xb6,0xbc,0x50,0x3f,0x92,0x6b,0x65,0xbd,
+		0xdf,0x7f,0x4c,0x8f,0x1c,0xb4,0x9f,0x63,0x96,0xaf,0xc8,0xa7,0x0a,0xbe,0x6d,0x8a,
+		0xef,0x0d,0xb4,0x78,0xd4,0xc6,0xb2,0x97,0x00,0x76,0xc6,0xa0,0x48,0x4f,0xe7,0x6d,
+		0x76,0xb3,0xa9,0x76,0x25,0xd7,0x9f,0x1c,0xe2,0x40,0xe7,0xc5,0x76,0x75,0x0d,0x29,
+		0x55,0x28,0x28,0x6f,0x71,0x9b,0x41,0x3d,0xe9,0xad,0xa3,0xe8,0xeb,0x78,0xed,0x57,
+		0x36,0x03,0xce,0x30,0xd8,0xbb,0x76,0x17,0x85,0xdc,0x30,0xdb,0xc3,0x20,0x86,0x9e,
+		0x1a,0x00),
+	  chunk_from_chars(
+		0x89,0x30,0xb4,0x62,0xe0,0x28,0x45,0xf1,0x37,0xc0,0x0e,0x47,0xfe,0x64,0x3d,0x07,
+		0x02,0x7b,0x66,0xec),
+	  chunk_from_chars(
+		0xc1,0x6c,0x19,0x0e,0x3e,0xe9,0x2c,0x5e,0xd0,0x35,0x19,0x93,0x77,0x2c,0xd6,0x38,
+		0xf0,0xbc,0xe1,0x62),
+	},
+};
+
+START_TEST(test_ed448_sign)
+{
+	private_key_t *key;
+	public_key_t *pubkey, *public;
+	chunk_t sig, encoding, fp;
+
+	/* load private key */
+	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED448,
+							 BUILD_BLOB_ASN1_DER, sig_tests[_i].key, BUILD_END);
+	ck_assert(key != NULL);
+	ck_assert(key->get_encoding(key, PRIVKEY_ASN1_DER, &encoding));
+	ck_assert_chunk_eq(encoding, sig_tests[_i].key);
+	chunk_free(&encoding);
+
+	ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fp));
+	ck_assert_chunk_eq(sig_tests[_i].fp_pk, fp);
+	ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &fp));
+	ck_assert_chunk_eq(sig_tests[_i].fp_spki, fp);
+
+	/* load public key */
+	pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+								BUILD_BLOB_ASN1_DER, sig_tests[_i].pubkey, BUILD_END);
+	ck_assert(pubkey != NULL);
+	ck_assert(pubkey->get_encoding(pubkey, PUBKEY_SPKI_ASN1_DER, &encoding));
+	ck_assert_chunk_eq(encoding, sig_tests[_i].pubkey);
+	chunk_free(&encoding);
+
+	ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp));
+	ck_assert_chunk_eq(sig_tests[_i].fp_pk, fp);
+	ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_INFO_SHA1, &fp));
+	ck_assert_chunk_eq(sig_tests[_i].fp_spki, fp);
+
+	/* compare public keys */
+	public = key->get_public_key(key);
+	ck_assert(public != NULL);
+	ck_assert(public->equals(public, pubkey));
+
+	/* sign */
+	ck_assert(key->sign(key, SIGN_ED448, NULL, sig_tests[_i].msg, &sig));
+	ck_assert_chunk_eq(sig, sig_tests[_i].sig);
+
+	/* verify */
+	ck_assert(pubkey->verify(pubkey, SIGN_ED448, NULL, sig_tests[_i].msg,
+							 sig_tests[_i].sig));
+
+	/* cleanup */
+	key->destroy(key);
+	pubkey->destroy(pubkey);
+	public->destroy(public);
+	chunk_free(&sig);
+}
+END_TEST
+
+START_TEST(test_ed448_gen)
+{
+	private_key_t *key, *key2;
+	public_key_t *pubkey, *pubkey2;
+	chunk_t msg = chunk_from_str("Ed448"), sig, encoding, fp_priv, fp_pub;
+
+	/* generate private key */
+	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED448,
+							 BUILD_KEY_SIZE, 456, BUILD_END);
+	ck_assert(key != NULL);
+	ck_assert(key->get_type(key) == KEY_ED448);
+	ck_assert(key->get_keysize(key) == 456);
+	ck_assert(!key->get_encoding(key, PRIVKEY_PGP, &encoding));
+	ck_assert(key->get_encoding(key, PRIVKEY_PEM, &encoding));
+	ck_assert(encoding.ptr != NULL);
+	ck_assert(strstr(encoding.ptr, "PRIVATE KEY"));
+	chunk_free(&encoding);
+
+	/* clone private key */
+	key2 = key->get_ref(key);
+	ck_assert(key2);
+	key2->destroy(key2);
+
+	/* decryption not supported */
+	ck_assert(!key->decrypt(key, ENCRYPT_UNKNOWN, msg, NULL));
+
+	/* wrong signature scheme */
+	ck_assert(!key->sign(key, SIGN_ED25519, NULL, msg, &sig));
+
+	/* correct signature scheme*/
+	ck_assert(key->sign(key, SIGN_ED448, NULL, msg, &sig));
+
+	/* export public key */
+	pubkey = key->get_public_key(key);
+	ck_assert(pubkey != NULL);
+	ck_assert(pubkey->get_type(pubkey) == KEY_ED448);
+	ck_assert(pubkey->get_keysize(pubkey) == 456);
+	ck_assert(pubkey->get_encoding(pubkey, PUBKEY_PEM, &encoding));
+	ck_assert(encoding.ptr != NULL);
+	ck_assert(strstr(encoding.ptr, "PUBLIC KEY"));
+	chunk_free(&encoding);
+
+	/* generate and compare public and private key fingerprints */
+	ck_assert(!key->get_fingerprint(key, KEYID_PGPV4, &fp_priv));
+	ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fp_priv));
+	ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fp_priv));
+	ck_assert(fp_priv.ptr != NULL);
+	ck_assert(!pubkey->get_fingerprint(pubkey, KEYID_PGPV4, &fp_pub));
+	ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp_pub));
+	ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp_pub));
+	ck_assert(fp_pub.ptr != NULL);
+	ck_assert_chunk_eq(fp_pub, fp_priv);
+
+	/* clone public key */
+	pubkey2 = pubkey->get_ref(pubkey);
+	ck_assert(pubkey2 != NULL);
+	pubkey2->destroy(pubkey2);
+
+	/* encryption not supported */
+	ck_assert(!pubkey->encrypt(pubkey, ENCRYPT_UNKNOWN, msg, NULL));
+
+	/* verify with wrong signature scheme */
+	ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, msg, sig));
+
+	/* verify with correct signature scheme */
+	ck_assert(pubkey->verify(pubkey, SIGN_ED448, NULL, msg, sig));
+
+	/* cleanup */
+	key->destroy(key);
+	pubkey->destroy(pubkey);
+	chunk_free(&sig);
+}
+END_TEST
+
+START_TEST(test_ed448_speed)
+{
+	private_key_t *key;
+	public_key_t *pubkey;
+	chunk_t msg = chunk_from_str("Hello Ed448"), sig;
+	int i, count = 500;
+
+#ifdef HAVE_CLOCK_GETTIME
+	struct timespec start, stop;
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, &start);
+#endif
+
+	for (i = 0; i < count; i++)
+	{
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED448,
+								 BUILD_KEY_SIZE, 456, BUILD_END);
+		ck_assert(key != NULL);
+		ck_assert(key->sign(key, SIGN_ED448, NULL, msg, &sig));
+		pubkey = key->get_public_key(key);
+		ck_assert(pubkey != NULL);
+		ck_assert(pubkey->verify(pubkey, SIGN_ED448, NULL, msg, sig));
+		key->destroy(key);
+		pubkey->destroy(pubkey);
+		chunk_free(&sig);
+	}
+
+#ifdef HAVE_CLOCK_GETTIME
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, &stop);
+	DBG0(DBG_LIB, "%d Ed448 keys and signatures in %d ms\n", count,
+				  (stop.tv_nsec - start.tv_nsec) / 1000000 +
+				  (stop.tv_sec - start.tv_sec) * 1000);
+#endif
+}
+END_TEST
+
+static chunk_t zero_pk = chunk_from_chars(
+	0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00);
+
+/* sig_tests[0].sig with s+L, note that only the 9 most significant bits are 0 */
+static chunk_t malleable_sig = chunk_from_chars(
+	0x53,0x3a,0x37,0xf6,0xbb,0xe4,0x57,0x25,0x1f,0x02,0x3c,0x0d,0x88,0xf9,0x76,0xae,
+	0x2d,0xfb,0x50,0x4a,0x84,0x3e,0x34,0xd2,0x07,0x4f,0xd8,0x23,0xd4,0x1a,0x59,0x1f,
+	0x2b,0x23,0x3f,0x03,0x4f,0x62,0x82,0x81,0xf2,0xfd,0x7a,0x22,0xdd,0xd4,0x7d,0x78,
+	0x28,0xc5,0x9b,0xd0,0xa2,0x1b,0xfd,0x39,0x80,0xf2,0x52,0x78,0xd3,0x66,0x74,0x03,
+	0xc1,0x4b,0xce,0xc5,0xf9,0xcf,0xde,0x99,0x55,0xeb,0xc8,0x33,0x3c,0x0a,0xe7,0x8f,
+	0xc8,0x6e,0x51,0x83,0x17,0xc5,0xc7,0xcd,0xda,0x85,0x30,0xa1,0x13,0xa0,0xf4,0xdb,
+	0xb6,0x11,0x49,0xf0,0x5a,0x73,0x63,0x26,0x8c,0x71,0xd9,0x58,0x08,0xff,0x2e,0x65,
+	0x66,0x00);
+
+START_TEST(test_ed448_fail)
+{
+	private_key_t *key;
+	public_key_t *pubkey;
+	chunk_t blob, sig;
+	uint8_t sig1[114];
+
+	/* Invalid private key format */
+	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED448,
+					BUILD_BLOB_ASN1_DER, chunk_empty, BUILD_END);
+	ck_assert(key == NULL);
+
+	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED448,
+					BUILD_EDDSA_PRIV_ASN1_DER, chunk_empty, BUILD_END);
+	ck_assert(key == NULL);
+
+	blob = chunk_from_chars(0x04, 0x01, 0x9d);
+	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED448,
+					BUILD_EDDSA_PRIV_ASN1_DER, blob, BUILD_END);
+	ck_assert(key == NULL);
+
+	/* Invalid public key format */
+	pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+					BUILD_BLOB_ASN1_DER, chunk_empty, BUILD_END);
+	ck_assert(pubkey == NULL);
+
+	blob = chunk_from_chars(0x30, 0x0b, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+							0x71, 0x03, 0x02, 0x00, 0xd7);
+	pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+					BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+	ck_assert(pubkey == NULL);
+
+	blob = chunk_from_chars(0x30, 0x0b, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x00,
+							0x71, 0x03, 0x02, 0x00, 0xd7);
+	pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+					BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+	ck_assert(pubkey == NULL);
+
+	pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+					BUILD_KEY_SIZE, 456, BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+	ck_assert(pubkey == NULL);
+
+	/* Invalid signature format */
+	pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+					BUILD_BLOB_ASN1_DER, sig_tests[0].pubkey, BUILD_END);
+	ck_assert(pubkey != NULL);
+
+	ck_assert(!pubkey->verify(pubkey, SIGN_ED448, NULL, chunk_empty,
+							  chunk_empty));
+
+	/* RFC 8032, section 5.2.7 requires that 0 <= s < L to prevent signature
+	 * malleability.  Only a warning because OpenSSL is vulnerable to this. */
+	if (pubkey->verify(pubkey, SIGN_ED448, NULL, sig_tests[0].msg,
+					   malleable_sig))
+	{
+		warn("Ed448 signature verification is vulnerable to malleable "
+			 "signatures");
+	}
+
+	/* malformed signature */
+	sig = chunk_from_thing(sig1);
+	memcpy(sig1, sig_tests[0].sig.ptr, sig_tests[0].sig.len);
+	sig1[113] |= 0xFF;
+	ck_assert(!pubkey->verify(pubkey, SIGN_ED448, NULL, sig_tests[0].msg,
+							  sig));
+
+	/* wrong signature */
+	memcpy(sig1, sig_tests[0].sig.ptr, sig_tests[0].sig.len);
+	sig1[0] = 0xe4;
+	ck_assert(!pubkey->verify(pubkey, SIGN_ED448, NULL, sig_tests[0].msg,
+							  sig));
+
+	/* detect all-zeroes public key */
+	pubkey->destroy(pubkey);
+	pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+					BUILD_BLOB_ASN1_DER, zero_pk, BUILD_END);
+	ck_assert(pubkey != NULL);
+	ck_assert(!pubkey->verify(pubkey, SIGN_ED448, NULL, sig_tests[0].msg,
+							  sig));
+	pubkey->destroy(pubkey);
+}
+END_TEST
+
+Suite *ed448_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("ed448");
+
+	tc = tcase_create("ed448_sign");
+	tcase_add_loop_test(tc, test_ed448_sign, 0, countof(sig_tests));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("ed448_gen");
+	tcase_add_test(tc, test_ed448_gen);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("ed448_fail");
+	tcase_add_test(tc, test_ed448_fail);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("ed448_speed");
+	test_case_set_timeout(tc, 10);
+	tcase_add_test(tc, test_ed448_speed);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/suites/test_rsa.c b/src/libstrongswan/tests/suites/test_rsa.c
index e6dc7744a..a71fa0ce5 100644
--- a/src/libstrongswan/tests/suites/test_rsa.c
+++ b/src/libstrongswan/tests/suites/test_rsa.c
@@ -40,7 +40,7 @@ static signature_scheme_t schemes[] = {
 static rsa_pss_params_t default_pss_params = {
 	.hash = HASH_SHA256,
 	.mgf1_hash = HASH_SHA256,
-	.salt_len = RSA_PSS_SALT_LEN_DEFAULT,
+	.salt_len = HASH_SIZE_SHA256,
 };
 
 /**
diff --git a/src/libstrongswan/tests/suites/test_signature_params.c b/src/libstrongswan/tests/suites/test_signature_params.c
index 38cb5803f..cbf1a2861 100644
--- a/src/libstrongswan/tests/suites/test_signature_params.c
+++ b/src/libstrongswan/tests/suites/test_signature_params.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Tobias Brunner
+ * Copyright (C) 2017-2018 Tobias Brunner
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -138,27 +138,27 @@ static struct {
 					   0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30,
 					   0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0xa2,0x03,
 					   0x02,0x01,0x20),
-		{ .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+		{ .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }},
 	/* default salt length: SHA-1 */
 	{ chunk_from_chars(0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x00),
-		{ .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+		{ .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, }},
 	/* default salt length: SHA-224 */
 	{ chunk_from_chars(0x30,0x23,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x16,0xa0,
 					   0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x04,0x05,0x00,
 					   0xa2,0x03,0x02,0x01,0x1c),
-		{ .hash = HASH_SHA224, .mgf1_hash = HASH_SHA1, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+		{ .hash = HASH_SHA224, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA224, }},
 	/* default salt length: SHA-384 */
 	{ chunk_from_chars(0x30,0x23,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x16,0xa0,
 					   0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,0x05,0x00,
 					   0xa2,0x03,0x02,0x01,0x30),
-		{ .hash = HASH_SHA384, .mgf1_hash = HASH_SHA1, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+		{ .hash = HASH_SHA384, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA384, }},
 	/* SHA-512 */
 	{ chunk_from_chars(0x30,0x41,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x34,0xa0,
 					   0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00,
 					   0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30,
 					   0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00,0xa2,0x03,
 					   0x02,0x01,0x40),
-	  { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+	  { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, .salt_len = HASH_SIZE_SHA512, }},
 	/* SHA-256, no salt */
 	{ chunk_from_chars(0x30,0x41,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x34,0xa0,
 					   0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,
@@ -199,6 +199,8 @@ rsa_pss_params_t rsa_pss_build_invalid_tests[] = {
 	{ .hash = HASH_UNKNOWN, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, },
 	/* invalid mgf */
 	{ .hash = HASH_SHA256, .mgf1_hash = HASH_UNKNOWN, .salt_len = HASH_SIZE_SHA256, },
+	/* undetermined salt */
+	{ .hash = HASH_UNKNOWN, .mgf1_hash = HASH_SHA1, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, },
 };
 
 START_TEST(test_rsa_pss_params_build_invalid)
@@ -209,6 +211,49 @@ START_TEST(test_rsa_pss_params_build_invalid)
 }
 END_TEST
 
+
+static struct {
+	ssize_t expected;
+	size_t modbits;
+	rsa_pss_params_t params;
+} rsa_pss_salt_len_tests[] = {
+	{ HASH_SIZE_SHA256, 0,
+		{ .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+	{ HASH_SIZE_SHA256, 3072,
+		{ .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+	{ -1, 0,
+		{ .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_MAX, }},
+	{ 0, 256,
+		{ .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_MAX, }},
+	{ 350, 3071,
+		{ .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_MAX, }},
+	{ 350, 3072,
+		{ .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_MAX, }},
+	{ 350, 3073,
+		{ .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_MAX, }},
+	{ 478, 4096,
+		{ .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_MAX, }},
+	{ 10, 0,
+		{ .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = 10, }},
+	{ 10, 3072,
+		{ .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = 10, }},
+};
+
+START_TEST(test_rsa_pss_params_set_salt_len)
+{
+	if (rsa_pss_params_set_salt_len(&rsa_pss_salt_len_tests[_i].params,
+									rsa_pss_salt_len_tests[_i].modbits))
+	{
+		ck_assert_int_eq(rsa_pss_salt_len_tests[_i].expected,
+						 rsa_pss_salt_len_tests[_i].params.salt_len);
+	}
+	else
+	{
+		ck_assert(rsa_pss_salt_len_tests[_i].expected < 0);
+	}
+}
+END_TEST
+
 static rsa_pss_params_t rsa_pss_params_sha1 = { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, };
 static rsa_pss_params_t rsa_pss_params_sha256 = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, };
 static rsa_pss_params_t rsa_pss_params_sha256_mgf1 = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA512, .salt_len = HASH_SIZE_SHA256, };
@@ -430,6 +475,10 @@ Suite *signature_params_suite_create()
 	tcase_add_loop_test(tc, test_rsa_pss_params_build_invalid, 0, countof(rsa_pss_build_invalid_tests));
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("rsa/pss salt len");
+	tcase_add_loop_test(tc, test_rsa_pss_params_set_salt_len, 0, countof(rsa_pss_salt_len_tests));
+	suite_add_tcase(s, tc);
+
 	tc = tcase_create("params compare");
 	tcase_add_loop_test(tc, test_params_compare, 0, countof(params_compare_tests));
 	tcase_add_test(tc, test_params_compare_null);
diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h
index 9fc38d480..26ff161a4 100644
--- a/src/libstrongswan/tests/tests.h
+++ b/src/libstrongswan/tests/tests.h
@@ -52,5 +52,6 @@ TEST_SUITE_DEPEND(mgf1_sha256_suite_create, XOF, XOF_MGF1_SHA256)
 TEST_SUITE_DEPEND(ntru_suite_create, DH, NTRU_112_BIT)
 TEST_SUITE_DEPEND(fetch_http_suite_create, FETCHER, "http://")
 TEST_SUITE_DEPEND(ed25519_suite_create, PRIVKEY_GEN, KEY_ED25519)
+TEST_SUITE_DEPEND(ed448_suite_create, PRIVKEY_GEN, KEY_ED448)
 TEST_SUITE(signature_params_suite_create)
 
diff --git a/src/libstrongswan/utils/chunk.h b/src/libstrongswan/utils/chunk.h
index e60cd8ad0..0dbe9dc80 100644
--- a/src/libstrongswan/utils/chunk.h
+++ b/src/libstrongswan/utils/chunk.h
@@ -332,7 +332,7 @@ static inline bool chunk_equals_ptr(chunk_t *a, chunk_t *b)
 }
 
 /**
- * Increment a chunk, as it would reprensent a network order integer.
+ * Increment a chunk, as it would represent a network order integer.
  *
  * @param chunk			chunk to increment
  * @return				TRUE if an overflow occurred
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index efeb0f478..63b7453f3 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -582,6 +582,16 @@ static char *whitelist[] = {
 	"OPENSSL_init_crypto",
 	"CRYPTO_THREAD_lock_new",
 	"ERR_add_error_data",
+	"ERR_set_mark",
+	"ENGINE_load_builtin_engines",
+	"OPENSSL_load_builtin_modules",
+	"CONF_modules_load_file",
+	"CONF_module_add",
+	"RAND_DRBG_bytes",
+	"RAND_DRBG_generate",
+	"RAND_DRBG_get0_master",
+	"RAND_DRBG_get0_private",
+	"RAND_DRBG_get0_public",
 	/* OpenSSL libssl */
 	"SSL_COMP_get_compression_methods",
 	/* NSPR */
@@ -619,6 +629,7 @@ static char *whitelist[] = {
 	"botan_privkey_create_ecdsa",
 	"botan_privkey_create_ecdh",
 	"botan_privkey_load_ecdh",
+	"botan_privkey_load",
 };
 
 /**
@@ -673,7 +684,8 @@ static int print_traces(private_leak_detective_t *this,
 	int leaks = 0;
 	memory_header_t *hdr;
 	enumerator_t *enumerator;
-	hashtable_t *entries;
+	hashtable_t *entries, *ignored = NULL;
+	backtrace_t *bt;
 	struct {
 		/** associated backtrace */
 		backtrace_t *backtrace;
@@ -688,15 +700,32 @@ static int print_traces(private_leak_detective_t *this,
 
 	entries = hashtable_create((hashtable_hash_t)hash,
 							   (hashtable_equals_t)equals, 1024);
+	if (whitelisted)
+	{
+		ignored = hashtable_create((hashtable_hash_t)hash,
+								   (hashtable_equals_t)equals, 1024);
+	}
+
 	lock->lock(lock);
 	for (hdr = first_header.next; hdr != NULL; hdr = hdr->next)
 	{
-		if (whitelisted &&
-			hdr->backtrace->contains_function(hdr->backtrace,
-											  whitelist, countof(whitelist)))
+		if (whitelisted)
 		{
-			(*whitelisted)++;
-			continue;
+			bt = ignored->get(ignored, hdr->backtrace);
+			if (!bt)
+			{
+				if (hdr->backtrace->contains_function(hdr->backtrace, whitelist,
+													  countof(whitelist)))
+				{
+					bt = hdr->backtrace;
+					ignored->put(ignored, bt, bt);
+				}
+			}
+			if (bt)
+			{
+				(*whitelisted)++;
+				continue;
+			}
 		}
 		entry = entries->get(entries, hdr->backtrace);
 		if (entry)
@@ -720,6 +749,7 @@ static int print_traces(private_leak_detective_t *this,
 		leaks++;
 	}
 	lock->unlock(lock);
+	DESTROY_IF(ignored);
 
 	enumerator = entries->create_enumerator(entries);
 	while (enumerator->enumerate(enumerator, NULL, &entry))
diff --git a/src/libtpmtss/plugins/tpm/tpm_private_key.c b/src/libtpmtss/plugins/tpm/tpm_private_key.c
index 3b7582ae3..d946fbe56 100644
--- a/src/libtpmtss/plugins/tpm/tpm_private_key.c
+++ b/src/libtpmtss/plugins/tpm/tpm_private_key.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2017 Andreas Steffen
+ * Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2017-2018 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -75,6 +76,12 @@ METHOD(private_key_t, get_keysize, int,
 	return this->pubkey->get_keysize(this->pubkey);
 }
 
+METHOD(private_key_t, supported_signature_schemes, enumerator_t*,
+	private_tpm_private_key_t *this)
+{
+	return this->tpm->supported_signature_schemes(this->tpm, this->handle);
+}
+
 METHOD(private_key_t, sign, bool,
 	private_tpm_private_key_t *this, signature_scheme_t scheme, void *params,
 	chunk_t data, chunk_t *signature)
@@ -201,6 +208,7 @@ tpm_private_key_t *tpm_private_key_connect(key_type_t type, va_list args)
 				.sign = _sign,
 				.decrypt = _decrypt,
 				.get_keysize = _get_keysize,
+				.supported_signature_schemes = _supported_signature_schemes,
 				.get_public_key = _get_public_key,
 				.equals = private_key_equals,
 				.belongs_to = private_key_belongs_to,
diff --git a/src/libtpmtss/tpm_tss.h b/src/libtpmtss/tpm_tss.h
index 11e4a7c15..aab7a4d6c 100644
--- a/src/libtpmtss/tpm_tss.h
+++ b/src/libtpmtss/tpm_tss.h
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2016 Andreas Steffen
+ * Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2016-2018 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -80,6 +81,15 @@ struct tpm_tss_t {
 	chunk_t (*get_public)(tpm_tss_t *this, uint32_t handle);
 
 	/**
+	 * Return signature schemes supported by the given key (TPM 2.0 only)
+	 *
+	 * @param handle		key object handle
+	 * @return				enumerator over signature_params_t*
+	 */
+	enumerator_t *(*supported_signature_schemes)(tpm_tss_t *this,
+												 uint32_t handle);
+
+	/**
 	 * Retrieve the current value of a PCR register in a given PCR bank
 	 *
 	 * @param pcr_num		PCR number
diff --git a/src/libtpmtss/tpm_tss_trousers.c b/src/libtpmtss/tpm_tss_trousers.c
index 81e542d02..937373354 100644
--- a/src/libtpmtss/tpm_tss_trousers.c
+++ b/src/libtpmtss/tpm_tss_trousers.c
@@ -390,6 +390,12 @@ METHOD(tpm_tss_t, get_public, chunk_t,
 	return aik_pubkey;
 }
 
+METHOD(tpm_tss_t, supported_signature_schemes, enumerator_t*,
+	private_tpm_tss_trousers_t *this, uint32_t handle)
+{
+	return enumerator_create_empty();
+}
+
 METHOD(tpm_tss_t, read_pcr, bool,
 	private_tpm_tss_trousers_t *this, uint32_t pcr_num, chunk_t *pcr_value,
 	hash_algorithm_t alg)
@@ -642,6 +648,7 @@ tpm_tss_t *tpm_tss_trousers_create()
 				.get_version_info = _get_version_info,
 				.generate_aik = _generate_aik,
 				.get_public = _get_public,
+				.supported_signature_schemes = _supported_signature_schemes,
 				.read_pcr = _read_pcr,
 				.extend_pcr = _extend_pcr,
 				.quote = _quote,
diff --git a/src/libtpmtss/tpm_tss_tss2_v1.c b/src/libtpmtss/tpm_tss_tss2_v1.c
index 9ed2798f7..f904442ed 100644
--- a/src/libtpmtss/tpm_tss_tss2_v1.c
+++ b/src/libtpmtss/tpm_tss_tss2_v1.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2018 Tobias Brunner
  * Copyright (C) 2016-2018 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -24,9 +25,9 @@
 
 #include <tpm20.h>
 
-#ifdef TSS2_TCTI_TABRMD_V1
+#ifdef TSS2_TCTI_TABRMD
 #include <tcti/tcti-tabrmd.h>
-#endif /* TSS2_TCTI_TABRMD_V1 */
+#endif /* TSS2_TCTI_TABRMD */
 
 #ifdef TSS2_TCTI_SOCKET
 #include <tcti_socket.h>
@@ -68,6 +69,12 @@ struct private_tpm_tss_tss2_t {
 	 * List of supported algorithms
 	 */
 	TPM_ALG_ID supported_algs[TPM_PT_ALGORITHM_SET];
+
+	/**
+	 * Is TPM FIPS 186-4 compliant ?
+	 */
+	bool fips_186_4;
+
 };
 
 /**
@@ -153,6 +160,7 @@ static bool get_algs_capability(private_tpm_tss_tss2_t *this)
 	TPMS_TAGGED_PROPERTY tp;
 	TPMI_YES_NO more_data;
 	TPM_ALG_ID alg;
+	bool fips_140_2 = FALSE;
 	uint32_t rval, i, offset, revision = 0, year = 0;
 	size_t len = BUF_LEN;
 	char buf[BUF_LEN], manufacturer[5], vendor_string[17];
@@ -193,12 +201,25 @@ static bool get_algs_capability(private_tpm_tss_tss2_t *this)
 				offset = 4 * (tp.property - TPM_PT_VENDOR_STRING_1);
 				htoun32(vendor_string + offset, tp.value);
 				break;
+			case TPM_PT_MODES:
+				if (tp.value & TPMA_MODES_FIPS_140_2)
+				{
+					this->fips_186_4 = fips_140_2 = TRUE;
+				}
+				break;
 			default:
 				break;
 		}
 	}
-	DBG2(DBG_PTS, "%s manufacturer: %s (%s) rev: %05.2f %u", LABEL, manufacturer,
-		 vendor_string, (float)revision/100, year);
+
+	if (!fips_140_2)
+	{
+		this->fips_186_4 = lib->settings->get_bool(lib->settings,
+					"%s.plugins.tpm.fips_186_4", FALSE, lib->ns);
+	}
+	DBG2(DBG_PTS, "%s manufacturer: %s (%s) rev: %05.2f %u %s", LABEL,
+		 manufacturer, vendor_string, (float)revision/100, year,
+		 fips_140_2 ? "FIPS 140-2" : (this->fips_186_4 ? "FIPS 186-4" : ""));
 
 	/* get supported algorithms */
 	rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM_CAP_ALGS,
@@ -400,7 +421,7 @@ METHOD(tpm_tss_t, get_version_info, chunk_t,
 }
 
 /**
- * read the public key portion of a TSS 2.0 AIK key from NVRAM
+ * read the public key portion of a TSS 2.0 key from NVRAM
  */
 bool read_public(private_tpm_tss_tss2_t *this, TPMI_DH_OBJECT handle,
 	TPM2B_PUBLIC *public)
@@ -450,9 +471,9 @@ METHOD(tpm_tss_t, get_public, chunk_t,
 	}
 
 	aik_blob = chunk_create((u_char*)&public, sizeof(public));
-	DBG3(DBG_LIB, "%s AIK public key blob: %B", LABEL, &aik_blob);
+	DBG3(DBG_LIB, "%s public key blob: %B", LABEL, &aik_blob);
 
-	/* convert TSS 2.0 AIK public key blot into PKCS#1 format */
+	/* convert TSS 2.0 public key blot into PKCS#1 format */
 	switch (public.t.publicArea.type)
 	{
 		case TPM_ALG_RSA:
@@ -469,12 +490,12 @@ METHOD(tpm_tss_t, get_public, chunk_t,
 			aik_modulus = chunk_create(rsa->t.buffer, rsa->t.size);
 			aik_exponent = chunk_from_chars(0x01, 0x00, 0x01);
 
-			/* subjectPublicKeyInfo encoding of AIK RSA key */
+			/* subjectPublicKeyInfo encoding of RSA public key */
 			if (!lib->encoding->encode(lib->encoding, PUBKEY_SPKI_ASN1_DER,
 					NULL, &aik_pubkey, CRED_PART_RSA_MODULUS, aik_modulus,
 					CRED_PART_RSA_PUB_EXP, aik_exponent, CRED_PART_END))
 			{
-				DBG1(DBG_PTS, "%s subjectPublicKeyInfo encoding of AIK key "
+				DBG1(DBG_PTS, "%s subjectPublicKeyInfo encoding of public key "
 							  "failed", LABEL);
 				return chunk_empty;
 			}
@@ -505,7 +526,7 @@ METHOD(tpm_tss_t, get_public, chunk_t,
 			pos += ecc->x.t.size;
 			/* copy y coordinate of ECC point */
 			memcpy(pos, ecc->y.t.buffer, ecc->y.t.size);
-			/* subjectPublicKeyInfo encoding of AIK ECC key */
+			/* subjectPublicKeyInfo encoding of ECC public key */
 			aik_pubkey = asn1_wrap(ASN1_SEQUENCE, "mm",
 							asn1_wrap(ASN1_SEQUENCE, "mm",
 								asn1_build_known_oid(OID_EC_PUBLICKEY),
@@ -515,14 +536,101 @@ METHOD(tpm_tss_t, get_public, chunk_t,
 			break;
 		}
 		default:
-			DBG1(DBG_PTS, "%s unsupported AIK key type", LABEL);
+			DBG1(DBG_PTS, "%s unsupported key type", LABEL);
 			return chunk_empty;
 	}
-	DBG1(DBG_PTS, "AIK signature algorithm is %N with %N hash",
+	DBG1(DBG_PTS, "signature algorithm is %N with %N hash",
 		 tpm_alg_id_names, sig_alg, tpm_alg_id_names, digest_alg);
 	return aik_pubkey;
 }
 
+METHOD(tpm_tss_t, supported_signature_schemes, enumerator_t*,
+	private_tpm_tss_tss2_t *this, uint32_t handle)
+{
+	TPM2B_PUBLIC public = { { 0, } };
+	hash_algorithm_t digest;
+	signature_params_t supported_scheme;
+
+	if (!read_public(this, handle, &public))
+	{
+		return enumerator_create_empty();
+	}
+
+	switch (public.t.publicArea.type)
+	{
+		case TPM_ALG_RSA:
+		{
+			TPMS_RSA_PARMS *rsa;
+			TPMT_RSA_SCHEME *scheme;
+
+			rsa = &public.t.publicArea.parameters.rsaDetail;
+			scheme = &rsa->scheme;
+			digest = hash_alg_from_tpm_alg_id(scheme->details.anySig.hashAlg);
+
+			switch (scheme->scheme)
+			{
+				case TPM_ALG_RSAPSS:
+				{
+					ssize_t salt_len;
+
+					salt_len = this->fips_186_4 ? RSA_PSS_SALT_LEN_DEFAULT :
+												  RSA_PSS_SALT_LEN_MAX;
+					rsa_pss_params_t pss_params = {
+						.hash = digest,
+						.mgf1_hash = digest,
+						.salt_len = salt_len,
+					};
+					supported_scheme = (signature_params_t){
+						.scheme = SIGN_RSA_EMSA_PSS,
+						.params = &pss_params,
+					};
+					if (!rsa_pss_params_set_salt_len(&pss_params, rsa->keyBits))
+					{
+						return enumerator_create_empty();
+					}
+					break;
+				}
+				case TPM_ALG_RSASSA:
+					supported_scheme = (signature_params_t){
+						.scheme = signature_scheme_from_oid(
+									hasher_signature_algorithm_to_oid(digest,
+																	  KEY_RSA)),
+					};
+					break;
+				default:
+					return enumerator_create_empty();
+			}
+			break;
+		}
+		case TPM_ALG_ECC:
+		{
+			TPMT_ECC_SCHEME *scheme;
+
+			scheme = &public.t.publicArea.parameters.eccDetail.scheme;
+			digest = hash_alg_from_tpm_alg_id(scheme->details.anySig.hashAlg);
+
+			switch (scheme->scheme)
+			{
+				case TPM_ALG_ECDSA:
+					supported_scheme = (signature_params_t){
+						.scheme = signature_scheme_from_oid(
+									hasher_signature_algorithm_to_oid(digest,
+																	KEY_ECDSA)),
+					};
+					break;
+				default:
+					return enumerator_create_empty();
+			}
+			break;
+		}
+		default:
+			DBG1(DBG_PTS, "%s unsupported key type", LABEL);
+			return enumerator_create_empty();
+	}
+	return enumerator_create_single(signature_params_clone(&supported_scheme),
+									(void*)signature_params_destroy);
+}
+
 /**
  * Configure a PCR Selection assuming a maximum of 24 registers
  */
@@ -809,7 +917,7 @@ METHOD(tpm_tss_t, quote, bool,
 			DBG1(DBG_PTS, "%s unsupported %N signature algorithm",
 						   LABEL, tpm_alg_id_names, sig.sigAlg);
 			return FALSE;
-	};
+	}
 
 	DBG2(DBG_PTS, "PCR digest algorithm is %N", tpm_alg_id_names, hash_alg);
 	pcr_digest_alg = hash_alg_from_tpm_alg_id(hash_alg);
@@ -1036,7 +1144,7 @@ METHOD(tpm_tss_t, sign, bool,
 			DBG1(DBG_PTS, "%s unsupported %N signature scheme",
 						   LABEL, signature_scheme_names, scheme);
 			return FALSE;
-	};
+	}
 
 	return TRUE;
 }
@@ -1174,6 +1282,7 @@ tpm_tss_t *tpm_tss_tss2_create()
 			.get_version_info = _get_version_info,
 			.generate_aik = _generate_aik,
 			.get_public = _get_public,
+			.supported_signature_schemes = _supported_signature_schemes,
 			.read_pcr = _read_pcr,
 			.extend_pcr = _extend_pcr,
 			.quote = _quote,
diff --git a/src/libtpmtss/tpm_tss_tss2_v2.c b/src/libtpmtss/tpm_tss_tss2_v2.c
index 7cb0d48a9..6bbbce238 100644
--- a/src/libtpmtss/tpm_tss_tss2_v2.c
+++ b/src/libtpmtss/tpm_tss_tss2_v2.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2018 Tobias Brunner
  * Copyright (C) 2018 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -64,6 +65,12 @@ struct private_tpm_tss_tss2_t {
 	 * List of supported algorithms
 	 */
 	TPM2_ALG_ID supported_algs[TPM2_PT_ALGORITHM_SET];
+
+	/**
+	 * Is TPM FIPS 186-4 compliant ?
+	 */
+	bool fips_186_4;
+
 };
 
 /**
@@ -152,6 +159,7 @@ static bool get_algs_capability(private_tpm_tss_tss2_t *this)
 	TPMS_TAGGED_PROPERTY tp;
 	TPMI_YES_NO more_data;
 	TPM2_ALG_ID alg;
+	bool fips_140_2 = FALSE;
 	uint32_t rval, i, offset, revision = 0, year = 0;
 	size_t len = BUF_LEN;
 	char buf[BUF_LEN], manufacturer[5], vendor_string[17];
@@ -193,12 +201,25 @@ static bool get_algs_capability(private_tpm_tss_tss2_t *this)
 				offset = 4 * (tp.property - TPM2_PT_VENDOR_STRING_1);
 				htoun32(vendor_string + offset, tp.value);
 				break;
+			case TPM2_PT_MODES:
+				if (tp.value & TPMA_MODES_FIPS_140_2)
+				{
+					this->fips_186_4 = fips_140_2 = TRUE;
+				}
+				break;
 			default:
 				break;
 		}
 	}
-	DBG2(DBG_PTS, "%s manufacturer: %s (%s) rev: %05.2f %u", LABEL, manufacturer,
-		 vendor_string, (float)revision/100, year);
+
+	if (!fips_140_2)
+	{
+		this->fips_186_4 = lib->settings->get_bool(lib->settings,
+					"%s.plugins.tpm.fips_186_4", FALSE, lib->ns);
+	}
+	DBG2(DBG_PTS, "%s manufacturer: %s (%s) rev: %05.2f %u %s", LABEL,
+		 manufacturer, vendor_string, (float)revision/100, year,
+		 fips_140_2 ? "FIPS 140-2" : (this->fips_186_4 ? "FIPS 186-4" : ""));
 
 	/* get supported algorithms */
 	rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM2_CAP_ALGS,
@@ -360,7 +381,7 @@ METHOD(tpm_tss_t, get_version_info, chunk_t,
 }
 
 /**
- * read the public key portion of a TSS 2.0 AIK key from NVRAM
+ * read the public key portion of a TSS 2.0 key from NVRAM
  */
 bool read_public(private_tpm_tss_tss2_t *this, TPMI_DH_OBJECT handle,
 	TPM2B_PUBLIC *public)
@@ -404,9 +425,9 @@ METHOD(tpm_tss_t, get_public, chunk_t,
 	}
 
 	aik_blob = chunk_create((u_char*)&public, sizeof(public));
-	DBG3(DBG_LIB, "%s AIK public key blob: %B", LABEL, &aik_blob);
+	DBG3(DBG_LIB, "%s public key blob: %B", LABEL, &aik_blob);
 
-	/* convert TSS 2.0 AIK public key blot into PKCS#1 format */
+	/* convert TSS 2.0 public key blot into PKCS#1 format */
 	switch (public.publicArea.type)
 	{
 		case TPM2_ALG_RSA:
@@ -423,12 +444,12 @@ METHOD(tpm_tss_t, get_public, chunk_t,
 			aik_modulus = chunk_create(rsa->buffer, rsa->size);
 			aik_exponent = chunk_from_chars(0x01, 0x00, 0x01);
 
-			/* subjectPublicKeyInfo encoding of AIK RSA key */
+			/* subjectPublicKeyInfo encoding of RSA public key */
 			if (!lib->encoding->encode(lib->encoding, PUBKEY_SPKI_ASN1_DER,
 					NULL, &aik_pubkey, CRED_PART_RSA_MODULUS, aik_modulus,
 					CRED_PART_RSA_PUB_EXP, aik_exponent, CRED_PART_END))
 			{
-				DBG1(DBG_PTS, "%s subjectPublicKeyInfo encoding of AIK key "
+				DBG1(DBG_PTS, "%s subjectPublicKeyInfo encoding of public key "
 							  "failed", LABEL);
 				return chunk_empty;
 			}
@@ -459,7 +480,7 @@ METHOD(tpm_tss_t, get_public, chunk_t,
 			pos += ecc->x.size;
 			/* copy y coordinate of ECC point */
 			memcpy(pos, ecc->y.buffer, ecc->y.size);
-			/* subjectPublicKeyInfo encoding of AIK ECC key */
+			/* subjectPublicKeyInfo encoding of ECC public key */
 			aik_pubkey = asn1_wrap(ASN1_SEQUENCE, "mm",
 							asn1_wrap(ASN1_SEQUENCE, "mm",
 								asn1_build_known_oid(OID_EC_PUBLICKEY),
@@ -469,14 +490,101 @@ METHOD(tpm_tss_t, get_public, chunk_t,
 			break;
 		}
 		default:
-			DBG1(DBG_PTS, "%s unsupported AIK key type", LABEL);
+			DBG1(DBG_PTS, "%s unsupported key type", LABEL);
 			return chunk_empty;
 	}
-	DBG1(DBG_PTS, "AIK signature algorithm is %N with %N hash",
+	DBG1(DBG_PTS, "signature algorithm is %N with %N hash",
 		 tpm_alg_id_names, sig_alg, tpm_alg_id_names, digest_alg);
 	return aik_pubkey;
 }
 
+METHOD(tpm_tss_t, supported_signature_schemes, enumerator_t*,
+	private_tpm_tss_tss2_t *this, uint32_t handle)
+{
+	TPM2B_PUBLIC public = { 0, };
+	hash_algorithm_t digest;
+	signature_params_t supported_scheme;
+
+	if (!read_public(this, handle, &public))
+	{
+		return enumerator_create_empty();
+	}
+
+	switch (public.publicArea.type)
+	{
+		case TPM2_ALG_RSA:
+		{
+			TPMS_RSA_PARMS *rsa;
+			TPMT_RSA_SCHEME *scheme;
+
+			rsa = &public.publicArea.parameters.rsaDetail;
+			scheme = &rsa->scheme;
+			digest = hash_alg_from_tpm_alg_id(scheme->details.anySig.hashAlg);
+
+			switch (scheme->scheme)
+			{
+				case TPM2_ALG_RSAPSS:
+				{
+					ssize_t salt_len;
+
+					salt_len = this->fips_186_4 ? RSA_PSS_SALT_LEN_DEFAULT :
+												  RSA_PSS_SALT_LEN_MAX;
+					rsa_pss_params_t pss_params = {
+						.hash = digest,
+						.mgf1_hash = digest,
+						.salt_len = salt_len,
+					};
+					supported_scheme = (signature_params_t){
+						.scheme = SIGN_RSA_EMSA_PSS,
+						.params = &pss_params,
+					};
+					if (!rsa_pss_params_set_salt_len(&pss_params, rsa->keyBits))
+					{
+						return enumerator_create_empty();
+					}
+					break;
+				}
+				case TPM2_ALG_RSASSA:
+					supported_scheme = (signature_params_t){
+						.scheme = signature_scheme_from_oid(
+									hasher_signature_algorithm_to_oid(digest,
+																	  KEY_RSA)),
+					};
+					break;
+				default:
+					return enumerator_create_empty();
+			}
+			break;
+		}
+		case TPM2_ALG_ECC:
+		{
+			TPMT_ECC_SCHEME *scheme;
+
+			scheme = &public.publicArea.parameters.eccDetail.scheme;
+			digest = hash_alg_from_tpm_alg_id(scheme->details.anySig.hashAlg);
+
+			switch (scheme->scheme)
+			{
+				case TPM2_ALG_ECDSA:
+					supported_scheme = (signature_params_t){
+						.scheme = signature_scheme_from_oid(
+									hasher_signature_algorithm_to_oid(digest,
+																	KEY_ECDSA)),
+					};
+					break;
+				default:
+					return enumerator_create_empty();
+			}
+			break;
+		}
+		default:
+			DBG1(DBG_PTS, "%s unsupported key type", LABEL);
+			return enumerator_create_empty();
+	}
+	return enumerator_create_single(signature_params_clone(&supported_scheme),
+									(void*)signature_params_destroy);
+}
+
 /**
  * Configure a PCR Selection assuming a maximum of 24 registers
  */
@@ -729,7 +837,7 @@ METHOD(tpm_tss_t, quote, bool,
 			DBG1(DBG_PTS, "%s unsupported %N signature algorithm",
 						   LABEL, tpm_alg_id_names, sig.sigAlg);
 			return FALSE;
-	};
+	}
 
 	DBG2(DBG_PTS, "PCR digest algorithm is %N", tpm_alg_id_names, hash_alg);
 	pcr_digest_alg = hash_alg_from_tpm_alg_id(hash_alg);
@@ -940,7 +1048,7 @@ METHOD(tpm_tss_t, sign, bool,
 			DBG1(DBG_PTS, "%s unsupported %N signature scheme",
 						   LABEL, signature_scheme_names, scheme);
 			return FALSE;
-	};
+	}
 
 	return TRUE;
 }
@@ -1061,6 +1169,7 @@ tpm_tss_t *tpm_tss_tss2_create()
 			.get_version_info = _get_version_info,
 			.generate_aik = _generate_aik,
 			.get_public = _get_public,
+			.supported_signature_schemes = _supported_signature_schemes,
 			.read_pcr = _read_pcr,
 			.extend_pcr = _extend_pcr,
 			.quote = _quote,
diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c
index d1ea5c65e..4cbe06c9e 100644
--- a/src/pki/commands/acert.c
+++ b/src/pki/commands/acert.c
@@ -228,6 +228,11 @@ static int acert()
 		goto end;
 	}
 	scheme = get_signature_scheme(private, digest, pss);
+	if (!scheme)
+	{
+		error = "no signature scheme found";
+		goto end;
+	}
 
 	ac = lib->creds->create(lib->creds,
 							CRED_CERTIFICATE, CERT_X509_AC,
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 1ccbca89f..b117fa171 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -536,6 +536,11 @@ static int issue()
 										chunk_from_chars(ASN1_SEQUENCE, 0));
 	}
 	scheme = get_signature_scheme(private, digest, pss);
+	if (!scheme)
+	{
+		error = "no signature scheme found";
+		goto end;
+	}
 
 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 					BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index cfddbc455..8f5380a4a 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -168,6 +168,11 @@ static int req()
 		goto end;
 	}
 	scheme = get_signature_scheme(private, digest, pss);
+	if (!scheme)
+	{
+		error = "no signature scheme found";
+		goto end;
+	}
 
 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
 							  BUILD_SIGNING_KEY, private,
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index 6f7adef0f..a08ee9931 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -378,6 +378,11 @@ static int self()
 		rng->destroy(rng);
 	}
 	scheme = get_signature_scheme(private, digest, pss);
+	if (!scheme)
+	{
+		error = "no signature scheme found";
+		goto end;
+	}
 
 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 						BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public,
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index ca208a5cf..a399d21be 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -399,6 +399,12 @@ static int sign_crl()
 	chunk_increment(crl_serial);
 
 	scheme = get_signature_scheme(private, digest, pss);
+	if (!scheme)
+	{
+		error = "no signature scheme found";
+		goto error;
+	}
+
 	enumerator = enumerator_create_filter(list->create_enumerator(list),
 										  filter, NULL, NULL);
 	crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
diff --git a/src/pki/pki.c b/src/pki/pki.c
index ec60f7d42..d03e96f9b 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2017 Tobias Brunner
+ * Copyright (C) 2012-2018 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -264,7 +264,30 @@ static hash_algorithm_t get_default_digest(private_key_t *private)
 signature_params_t *get_signature_scheme(private_key_t *private,
 										 hash_algorithm_t digest, bool pss)
 {
-	signature_params_t *scheme;
+	signature_params_t *scheme, *selected = NULL;
+	enumerator_t *enumerator;
+
+	if (private->supported_signature_schemes)
+	{
+		enumerator = private->supported_signature_schemes(private);
+		while (enumerator->enumerate(enumerator, &scheme))
+		{
+			if (private->get_type(private) == KEY_RSA &&
+				pss != (scheme->scheme == SIGN_RSA_EMSA_PSS))
+			{
+				continue;
+			}
+			if (digest == HASH_UNKNOWN ||
+				digest == hasher_from_signature_scheme(scheme->scheme,
+													   scheme->params))
+			{
+				selected = signature_params_clone(scheme);
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+		return selected;
+	}
 
 	if (digest == HASH_UNKNOWN)
 	{
@@ -281,6 +304,7 @@ signature_params_t *get_signature_scheme(private_key_t *private,
 			.scheme = SIGN_RSA_EMSA_PSS,
 			.params = &pss_params,
 		};
+		rsa_pss_params_set_salt_len(&pss_params, 0);
 		scheme = signature_params_clone(&pss_scheme);
 	}
 	else
diff --git a/src/pki/pki.h b/src/pki/pki.h
index 3f0793cfd..3976c33b7 100644
--- a/src/pki/pki.h
+++ b/src/pki/pki.h
@@ -65,7 +65,8 @@ void set_file_mode(FILE *stream, cred_encoding_type_t enc);
  * @param digest	hash algorithm (if HASH_UNKNOWN a default is determined
  *					based on the key)
  * @param pss		use PSS padding for RSA keys
- * @return			allocated signature scheme and parameters
+ * @return			allocated signature scheme and parameters (NULL if none
+ *					found)
  */
 signature_params_t *get_signature_scheme(private_key_t *private,
 										 hash_algorithm_t digest, bool pss);
diff --git a/src/pool/pool.c b/src/pool/pool.c
index b755365ec..ba1889dd8 100644
--- a/src/pool/pool.c
+++ b/src/pool/pool.c
@@ -710,7 +710,6 @@ static enumerator_t *create_lease_query(char *filter, array_t **to_free)
 			default:
 				fprintf(stderr, "invalid filter string.\n");
 				exit(EXIT_FAILURE);
-				break;
 		}
 	}
 	query = db->query(db,
@@ -1142,7 +1141,6 @@ static void do_args(int argc, char *argv[])
 			default:
 				usage();
 				exit(EXIT_FAILURE);
-				break;
 		}
 		break;
 	}
diff --git a/src/pt-tls-client/pt-tls-client.1.in b/src/pt-tls-client/pt-tls-client.1.in
index 3e14cbe37..6bd3c642e 100644
--- a/src/pt-tls-client/pt-tls-client.1.in
+++ b/src/pt-tls-client/pt-tls-client.1.in
@@ -1,4 +1,4 @@
-.TH PT-TLS-CLIENT 1 "2017-07-15" "@PACKAGE_VERSION@" "strongSwan"
+.TH PT-TLS-CLIENT 1 "2018-11-20" "@PACKAGE_VERSION@" "strongSwan"
 .
 .SH "NAME"
 .
@@ -9,7 +9,7 @@ pt-tls-client \- Simple client using PT-TLS to collect integrity information
 .SY "pt-tls-client"
 .BI \-\-connect
 .IR hostname |\fIaddress
-.OP \-\-port hex
+.OP \-\-port port
 .RB [ \-\-certid
 .IR hex |\fB\-\-cert
 .IR file ]+
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 83079f3d8..754393455 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -455,6 +455,7 @@ int main(int argc, char **argv)
 
 	/* distinguished name for requested certificate, ASCII format */
 	char *distinguishedName = NULL;
+	char default_distinguished_name[BUF_LEN];
 
 	/* challenge password */
 	char challenge_password_buffer[MAX_PASSWORD_LENGTH];
@@ -1105,16 +1106,16 @@ int main(int argc, char **argv)
 	{
 		if (distinguishedName == NULL)
 		{
-			char buf[BUF_LEN];
-			int n = sprintf(buf, DEFAULT_DN);
+			int n = sprintf(default_distinguished_name, DEFAULT_DN);
 
 			/* set the common name to the hostname */
-			if (gethostname(buf + n, BUF_LEN - n) || strlen(buf) == n)
+			if (gethostname(default_distinguished_name + n, BUF_LEN - n) ||
+				strlen(default_distinguished_name) == n)
 			{
 				exit_scepclient("no hostname defined, use "
 								"--dn <distinguished name> option");
 			}
-			distinguishedName = buf;
+			distinguishedName = default_distinguished_name;
 		}
 
 		DBG2(DBG_APP, "dn: '%s'", distinguishedName);
diff --git a/src/sec-updater/sec-updater.sh b/src/sec-updater/sec-updater.sh
index ca7b89841..16e561459 100755
--- a/src/sec-updater/sec-updater.sh
+++ b/src/sec-updater/sec-updater.sh
@@ -4,11 +4,11 @@ DIR="/etc/pts"
 DISTS_DIR="$DIR/dists"
 DATE=`date +%Y%m%d-%H%M`
 UBUNTU="http://security.ubuntu.com/ubuntu"
-UBUNTU_VERSIONS="xenial"
+UBUNTU_VERSIONS="bionic xenial"
 UBUNTU_DIRS="main multiverse restricted universe"
 UBUNTU_ARCH="binary-amd64"
 DEBIAN="http://security.debian.org"
-DEBIAN_VERSIONS="jessie wheezy"
+DEBIAN_VERSIONS="stretch jessie wheezy"
 DEBIAN_DIRS="main contrib non-free"
 DEBIAN_ARCH="binary-amd64 binary-armhf"
 RASPIAN="http://archive.raspberrypi.org/debian"
@@ -48,8 +48,14 @@ do
     mkdir -p $v-updates/$a
     for d in $DEBIAN_DIRS
     do
-      wget -nv $DEBIAN/dists/$v/updates/$d/$a/Packages.bz2  -O $v-updates/$a/Packages-$d.bz2
-      bunzip2 -f $v-updates/$a/Packages-$d.bz2
+      if [ $v = "stretch" ]
+      then
+        wget -nv $DEBIAN/dists/$v/updates/$d/$a/Packages.xz  -O $v-updates/$a/Packages-$d.xz
+        unxz -f $v-updates/$a/Packages-$d.xz
+      else
+        wget -nv $DEBIAN/dists/$v/updates/$d/$a/Packages.bz2  -O $v-updates/$a/Packages-$d.bz2
+        bunzip2 -f $v-updates/$a/Packages-$d.bz2
+      fi
     done
   done
 done
@@ -71,6 +77,28 @@ done
 
 # Run sec-updater in distribution information
 
+for f in bionic-security/binary-amd64/*
+do
+  echo "security: $f"
+  $CMD --os "Ubuntu 18.04" --arch "x86_64" --file $f --security \
+       --uri $UBUNTU >> $CMD_LOG 2>&1
+  if [ $? -eq 0 ]
+  then
+    DEL_LOG=0
+  fi
+done
+
+for f in bionic-updates/binary-amd64/*
+do
+  echo "updates:  $f"
+  $CMD --os "Ubuntu 18.04" --arch "x86_64" --file $f \
+       --uri $UBUNTU >> $CMD_LOG 2>&1
+  if [ $? -eq 0 ]
+  then
+    DEL_LOG=0
+  fi
+done
+
 for f in xenial-security/binary-amd64/*
 do
   echo "security: $f"
@@ -93,6 +121,17 @@ do
   fi
 done
 
+for f in stretch-updates/binary-amd64/*
+do
+  echo "security: $f"
+  $CMD --os "Debian 9.0" --arch "x86_64" --file $f --security \
+       --uri $DEBIAN >> $CMD_LOG 2>&1
+  if [ $? -eq 0 ]
+  then
+    DEL_LOG=0
+  fi
+done
+
 for f in jessie-updates/binary-amd64/*
 do
   echo "security: $f"
@@ -115,6 +154,17 @@ do
   fi
 done
 
+for f in stretch-updates/binary-armhf/*
+do
+  echo "security: $f"
+  $CMD --os "Debian 9.0" --arch "armhf" --file $f --security \
+       --uri $DEBIAN >> $CMD_LOG 2>&1
+  if [ $? -eq 0 ]
+  then
+    DEL_LOG=0
+  fi
+done
+
 for f in jessie-updates/binary-armhf/*
 do
   echo "security: $f"
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index a8f50169a..f4da67e8a 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -1,4 +1,4 @@
-/* C code produced by gperf version 3.0.4 */
+/* ANSI-C code produced by gperf version 3.1 */
 /* Command-line: /usr/bin/gperf -m 10 -C -G -D -t  */
 /* Computed positions: -k'2-3,6,$' */
 
@@ -26,7 +26,7 @@
       && ('w' == 119) && ('x' == 120) && ('y' == 121) && ('z' == 122) \
       && ('{' == 123) && ('|' == 124) && ('}' == 125) && ('~' == 126))
 /* The character set is not based on ISO-646.  */
-error "gperf generated tables don't work with this execution character set. Please report a bug to <bug-gnu-gperf@gnu.org>."
+#error "gperf generated tables don't work with this execution character set. Please report a bug to <bug-gperf@gnu.org>."
 #endif
 
 
@@ -70,9 +70,7 @@ inline
 #endif
 #endif
 static unsigned int
-hash (str, len)
-     register const char *str;
-     register unsigned int len;
+hash (register const char *str, register size_t len)
 {
   static const unsigned short asso_values[] =
     {
@@ -103,7 +101,7 @@ hash (str, len)
       258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
       258, 258, 258, 258, 258, 258
     };
-  register int hval = len;
+  register unsigned int hval = len;
 
   switch (hval)
     {
@@ -296,22 +294,14 @@ static const short lookup[] =
     138,  -1,  -1,  -1,  -1,  -1,  -1, 139
   };
 
-#ifdef __GNUC__
-__inline
-#if defined __GNUC_STDC_INLINE__ || defined __GNUC_GNU_INLINE__
-__attribute__ ((__gnu_inline__))
-#endif
-#endif
 const struct kw_entry *
-in_word_set (str, len)
-     register const char *str;
-     register unsigned int len;
+in_word_set (register const char *str, register size_t len)
 {
   if (len <= MAX_WORD_LENGTH && len >= MIN_WORD_LENGTH)
     {
-      register int key = hash (str, len);
+      register unsigned int key = hash (str, len);
 
-      if (key <= MAX_HASH_VALUE && key >= 0)
+      if (key <= MAX_HASH_VALUE)
         {
           register int index = lookup[key];
 
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index d017134d9..c987f187d 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -197,7 +197,7 @@ struct kw_entry_t {
 };
 
 #ifndef IN_GPERF_GENERATED_FILE
-const kw_entry_t *in_word_set(register const char*, register unsigned);
+const kw_entry_t *in_word_set(register const char*, register size_t);
 #endif
 
 #endif /* _KEYWORDS_H_ */
diff --git a/src/starter/parser/lexer.c b/src/starter/parser/lexer.c
index ff7c75bb7..9fb25e1ee 100644
--- a/src/starter/parser/lexer.c
+++ b/src/starter/parser/lexer.c
@@ -7,7 +7,6 @@
 /* A lexical scanner generated by flex */
 
 /* %not-for-header */
-
 /* %if-c-only */
 /* %if-not-reentrant */
 /* %endif */
@@ -17,7 +16,7 @@
 #define FLEX_SCANNER
 #define YY_FLEX_MAJOR_VERSION 2
 #define YY_FLEX_MINOR_VERSION 6
-#define YY_FLEX_SUBMINOR_VERSION 0
+#define YY_FLEX_SUBMINOR_VERSION 4
 #if YY_FLEX_SUBMINOR_VERSION > 0
 #define FLEX_BETA
 #endif
@@ -26,9 +25,230 @@
 /* %endif */
 
 /* %if-c-only */
-    
+#ifdef yy_create_buffer
+#define conf_parser__create_buffer_ALREADY_DEFINED
+#else
+#define yy_create_buffer conf_parser__create_buffer
+#endif
+
+#ifdef yy_delete_buffer
+#define conf_parser__delete_buffer_ALREADY_DEFINED
+#else
+#define yy_delete_buffer conf_parser__delete_buffer
+#endif
+
+#ifdef yy_scan_buffer
+#define conf_parser__scan_buffer_ALREADY_DEFINED
+#else
+#define yy_scan_buffer conf_parser__scan_buffer
+#endif
+
+#ifdef yy_scan_string
+#define conf_parser__scan_string_ALREADY_DEFINED
+#else
+#define yy_scan_string conf_parser__scan_string
+#endif
+
+#ifdef yy_scan_bytes
+#define conf_parser__scan_bytes_ALREADY_DEFINED
+#else
+#define yy_scan_bytes conf_parser__scan_bytes
+#endif
+
+#ifdef yy_init_buffer
+#define conf_parser__init_buffer_ALREADY_DEFINED
+#else
+#define yy_init_buffer conf_parser__init_buffer
+#endif
+
+#ifdef yy_flush_buffer
+#define conf_parser__flush_buffer_ALREADY_DEFINED
+#else
+#define yy_flush_buffer conf_parser__flush_buffer
+#endif
+
+#ifdef yy_load_buffer_state
+#define conf_parser__load_buffer_state_ALREADY_DEFINED
+#else
+#define yy_load_buffer_state conf_parser__load_buffer_state
+#endif
+
+#ifdef yy_switch_to_buffer
+#define conf_parser__switch_to_buffer_ALREADY_DEFINED
+#else
+#define yy_switch_to_buffer conf_parser__switch_to_buffer
+#endif
+
+#ifdef yypush_buffer_state
+#define conf_parser_push_buffer_state_ALREADY_DEFINED
+#else
+#define yypush_buffer_state conf_parser_push_buffer_state
+#endif
+
+#ifdef yypop_buffer_state
+#define conf_parser_pop_buffer_state_ALREADY_DEFINED
+#else
+#define yypop_buffer_state conf_parser_pop_buffer_state
+#endif
+
+#ifdef yyensure_buffer_stack
+#define conf_parser_ensure_buffer_stack_ALREADY_DEFINED
+#else
+#define yyensure_buffer_stack conf_parser_ensure_buffer_stack
+#endif
+
+#ifdef yylex
+#define conf_parser_lex_ALREADY_DEFINED
+#else
+#define yylex conf_parser_lex
+#endif
+
+#ifdef yyrestart
+#define conf_parser_restart_ALREADY_DEFINED
+#else
+#define yyrestart conf_parser_restart
+#endif
+
+#ifdef yylex_init
+#define conf_parser_lex_init_ALREADY_DEFINED
+#else
+#define yylex_init conf_parser_lex_init
+#endif
+
+#ifdef yylex_init_extra
+#define conf_parser_lex_init_extra_ALREADY_DEFINED
+#else
+#define yylex_init_extra conf_parser_lex_init_extra
+#endif
+
+#ifdef yylex_destroy
+#define conf_parser_lex_destroy_ALREADY_DEFINED
+#else
+#define yylex_destroy conf_parser_lex_destroy
+#endif
+
+#ifdef yyget_debug
+#define conf_parser_get_debug_ALREADY_DEFINED
+#else
+#define yyget_debug conf_parser_get_debug
+#endif
+
+#ifdef yyset_debug
+#define conf_parser_set_debug_ALREADY_DEFINED
+#else
+#define yyset_debug conf_parser_set_debug
+#endif
+
+#ifdef yyget_extra
+#define conf_parser_get_extra_ALREADY_DEFINED
+#else
+#define yyget_extra conf_parser_get_extra
+#endif
+
+#ifdef yyset_extra
+#define conf_parser_set_extra_ALREADY_DEFINED
+#else
+#define yyset_extra conf_parser_set_extra
+#endif
+
+#ifdef yyget_in
+#define conf_parser_get_in_ALREADY_DEFINED
+#else
+#define yyget_in conf_parser_get_in
+#endif
+
+#ifdef yyset_in
+#define conf_parser_set_in_ALREADY_DEFINED
+#else
+#define yyset_in conf_parser_set_in
+#endif
+
+#ifdef yyget_out
+#define conf_parser_get_out_ALREADY_DEFINED
+#else
+#define yyget_out conf_parser_get_out
+#endif
+
+#ifdef yyset_out
+#define conf_parser_set_out_ALREADY_DEFINED
+#else
+#define yyset_out conf_parser_set_out
+#endif
+
+#ifdef yyget_leng
+#define conf_parser_get_leng_ALREADY_DEFINED
+#else
+#define yyget_leng conf_parser_get_leng
+#endif
+
+#ifdef yyget_text
+#define conf_parser_get_text_ALREADY_DEFINED
+#else
+#define yyget_text conf_parser_get_text
+#endif
+
+#ifdef yyget_lineno
+#define conf_parser_get_lineno_ALREADY_DEFINED
+#else
+#define yyget_lineno conf_parser_get_lineno
+#endif
+
+#ifdef yyset_lineno
+#define conf_parser_set_lineno_ALREADY_DEFINED
+#else
+#define yyset_lineno conf_parser_set_lineno
+#endif
+
+#ifdef yyget_column
+#define conf_parser_get_column_ALREADY_DEFINED
+#else
+#define yyget_column conf_parser_get_column
+#endif
+
+#ifdef yyset_column
+#define conf_parser_set_column_ALREADY_DEFINED
+#else
+#define yyset_column conf_parser_set_column
+#endif
+
+#ifdef yywrap
+#define conf_parser_wrap_ALREADY_DEFINED
+#else
+#define yywrap conf_parser_wrap
+#endif
+
 /* %endif */
 
+#ifdef yyget_lval
+#define conf_parser_get_lval_ALREADY_DEFINED
+#else
+#define yyget_lval conf_parser_get_lval
+#endif
+
+#ifdef yyset_lval
+#define conf_parser_set_lval_ALREADY_DEFINED
+#else
+#define yyset_lval conf_parser_set_lval
+#endif
+
+#ifdef yyalloc
+#define conf_parser_alloc_ALREADY_DEFINED
+#else
+#define yyalloc conf_parser_alloc
+#endif
+
+#ifdef yyrealloc
+#define conf_parser_realloc_ALREADY_DEFINED
+#else
+#define yyrealloc conf_parser_realloc
+#endif
+
+#ifdef yyfree
+#define conf_parser_free_ALREADY_DEFINED
+#else
+#define yyfree conf_parser_free
+#endif
+
 /* %if-c-only */
 
 /* %endif */
@@ -108,50 +328,39 @@ typedef unsigned int flex_uint32_t;
 #define UINT32_MAX             (4294967295U)
 #endif
 
+#ifndef SIZE_MAX
+#define SIZE_MAX               (~(size_t)0)
+#endif
+
 #endif /* ! C99 */
 
 #endif /* ! FLEXINT_H */
 
 /* %endif */
 
+/* begin standard C++ headers. */
 /* %if-c++-only */
 /* %endif */
 
-#ifdef __cplusplus
-
-/* The "const" storage-class-modifier is valid. */
-#define YY_USE_CONST
-
-#else	/* ! __cplusplus */
-
-/* C99 requires __STDC__ to be defined as 1. */
-#if defined (__STDC__)
-
-#define YY_USE_CONST
-
-#endif	/* defined (__STDC__) */
-#endif	/* ! __cplusplus */
-
-#ifdef YY_USE_CONST
+/* TODO: this is always defined, so inline it */
 #define yyconst const
+
+#if defined(__GNUC__) && __GNUC__ >= 3
+#define yynoreturn __attribute__((__noreturn__))
 #else
-#define yyconst
+#define yynoreturn
 #endif
 
 /* %not-for-header */
-
 /* Returned upon end-of-file. */
 #define YY_NULL 0
 /* %ok-for-header */
 
 /* %not-for-header */
-
-/* Promotes a possibly negative, possibly signed char to an unsigned
- * integer for use as an array index.  If the signed char is negative,
- * we want to instead treat it as an 8-bit unsigned char, hence the
- * double cast.
+/* Promotes a possibly negative, possibly signed char to an
+ *   integer in range [0..255] for use as an array index.
  */
-#define YY_SC_TO_UI(c) ((unsigned int) (unsigned char) c)
+#define YY_SC_TO_UI(c) ((YY_CHAR) (c))
 /* %ok-for-header */
 
 /* %if-reentrant */
@@ -183,20 +392,16 @@ typedef void* yyscan_t;
  * definition of BEGIN.
  */
 #define BEGIN yyg->yy_start = 1 + 2 *
-
 /* Translate the current start state into a value that can be later handed
  * to BEGIN to return to the state.  The YYSTATE alias is for lex
  * compatibility.
  */
 #define YY_START ((yyg->yy_start - 1) / 2)
 #define YYSTATE YY_START
-
 /* Action number for EOF rule of a given start state. */
 #define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1)
-
 /* Special action meaning "start processing a new file". */
-#define YY_NEW_FILE conf_parser_restart(yyin ,yyscanner )
-
+#define YY_NEW_FILE yyrestart( yyin , yyscanner )
 #define YY_END_OF_BUFFER_CHAR 0
 
 /* Size of default input buffer. */
@@ -237,10 +442,10 @@ typedef size_t yy_size_t;
 #define EOB_ACT_CONTINUE_SCAN 0
 #define EOB_ACT_END_OF_FILE 1
 #define EOB_ACT_LAST_MATCH 2
-
+    
     /* Note: We specifically omit the test for yy_rule_can_match_eol because it requires
      *       access to the local variable yy_act. Since yyless() is a macro, it would break
-     *       existing scanners that call yyless() from OUTSIDE conf_parser_lex. 
+     *       existing scanners that call yyless() from OUTSIDE yylex.
      *       One obvious solution it to make yy_act a global. I tried that, and saw
      *       a 5% performance hit in a non-yylineno scanner, because yy_act is
      *       normally declared as a register variable-- so it is not worth it.
@@ -273,7 +478,6 @@ typedef size_t yy_size_t;
 		YY_DO_BEFORE_ACTION; /* set up yytext again */ \
 		} \
 	while ( 0 )
-
 #define unput(c) yyunput( c, yyg->yytext_ptr , yyscanner )
 
 #ifndef YY_STRUCT_YY_BUFFER_STATE
@@ -293,7 +497,7 @@ struct yy_buffer_state
 	/* Size of input buffer in bytes, not including room for EOB
 	 * characters.
 	 */
-	yy_size_t yy_buf_size;
+	int yy_buf_size;
 
 	/* Number of characters read into yy_ch_buf, not including EOB
 	 * characters.
@@ -321,7 +525,7 @@ struct yy_buffer_state
 
     int yy_bs_lineno; /**< The line count. */
     int yy_bs_column; /**< The column count. */
-    
+
 	/* Whether to try to fill the input buffer when we reach the
 	 * end of it.
 	 */
@@ -338,7 +542,7 @@ struct yy_buffer_state
 	 * possible backing-up.
 	 *
 	 * When we actually see the EOF, we change the status to "new"
-	 * (via conf_parser_restart()), so that the user can continue scanning by
+	 * (via yyrestart()), so that the user can continue scanning by
 	 * just pointing yyin at a new input file.
 	 */
 #define YY_BUFFER_EOF_PENDING 2
@@ -348,7 +552,6 @@ struct yy_buffer_state
 
 /* %if-c-only Standard (non-C++) definition */
 /* %not-for-header */
-
 /* %if-not-reentrant */
 /* %endif */
 /* %ok-for-header */
@@ -364,7 +567,6 @@ struct yy_buffer_state
 #define YY_CURRENT_BUFFER ( yyg->yy_buffer_stack \
                           ? yyg->yy_buffer_stack[yyg->yy_buffer_stack_top] \
                           : NULL)
-
 /* Same as previous macro, but useful when we know that the buffer stack is not
  * NULL or when we need an lvalue. For internal use only.
  */
@@ -374,57 +576,52 @@ struct yy_buffer_state
 
 /* %if-not-reentrant */
 /* %not-for-header */
-
 /* %ok-for-header */
 
 /* %endif */
 
-void conf_parser_restart (FILE *input_file ,yyscan_t yyscanner );
-void conf_parser__switch_to_buffer (YY_BUFFER_STATE new_buffer ,yyscan_t yyscanner );
-YY_BUFFER_STATE conf_parser__create_buffer (FILE *file,int size ,yyscan_t yyscanner );
-void conf_parser__delete_buffer (YY_BUFFER_STATE b ,yyscan_t yyscanner );
-void conf_parser__flush_buffer (YY_BUFFER_STATE b ,yyscan_t yyscanner );
-void conf_parser_push_buffer_state (YY_BUFFER_STATE new_buffer ,yyscan_t yyscanner );
-void conf_parser_pop_buffer_state (yyscan_t yyscanner );
-
-static void conf_parser_ensure_buffer_stack (yyscan_t yyscanner );
-static void conf_parser__load_buffer_state (yyscan_t yyscanner );
-static void conf_parser__init_buffer (YY_BUFFER_STATE b,FILE *file ,yyscan_t yyscanner );
+void yyrestart ( FILE *input_file , yyscan_t yyscanner );
+void yy_switch_to_buffer ( YY_BUFFER_STATE new_buffer , yyscan_t yyscanner );
+YY_BUFFER_STATE yy_create_buffer ( FILE *file, int size , yyscan_t yyscanner );
+void yy_delete_buffer ( YY_BUFFER_STATE b , yyscan_t yyscanner );
+void yy_flush_buffer ( YY_BUFFER_STATE b , yyscan_t yyscanner );
+void yypush_buffer_state ( YY_BUFFER_STATE new_buffer , yyscan_t yyscanner );
+void yypop_buffer_state ( yyscan_t yyscanner );
 
-#define YY_FLUSH_BUFFER conf_parser__flush_buffer(YY_CURRENT_BUFFER ,yyscanner)
+static void yyensure_buffer_stack ( yyscan_t yyscanner );
+static void yy_load_buffer_state ( yyscan_t yyscanner );
+static void yy_init_buffer ( YY_BUFFER_STATE b, FILE *file , yyscan_t yyscanner );
+#define YY_FLUSH_BUFFER yy_flush_buffer( YY_CURRENT_BUFFER , yyscanner)
 
-YY_BUFFER_STATE conf_parser__scan_buffer (char *base,yy_size_t size ,yyscan_t yyscanner );
-YY_BUFFER_STATE conf_parser__scan_string (yyconst char *yy_str ,yyscan_t yyscanner );
-YY_BUFFER_STATE conf_parser__scan_bytes (yyconst char *bytes,yy_size_t len ,yyscan_t yyscanner );
+YY_BUFFER_STATE yy_scan_buffer ( char *base, yy_size_t size , yyscan_t yyscanner );
+YY_BUFFER_STATE yy_scan_string ( const char *yy_str , yyscan_t yyscanner );
+YY_BUFFER_STATE yy_scan_bytes ( const char *bytes, int len , yyscan_t yyscanner );
 
 /* %endif */
 
-void *conf_parser_alloc (yy_size_t ,yyscan_t yyscanner );
-void *conf_parser_realloc (void *,yy_size_t ,yyscan_t yyscanner );
-void conf_parser_free (void * ,yyscan_t yyscanner );
-
-#define yy_new_buffer conf_parser__create_buffer
+void *yyalloc ( yy_size_t , yyscan_t yyscanner );
+void *yyrealloc ( void *, yy_size_t , yyscan_t yyscanner );
+void yyfree ( void * , yyscan_t yyscanner );
 
+#define yy_new_buffer yy_create_buffer
 #define yy_set_interactive(is_interactive) \
 	{ \
 	if ( ! YY_CURRENT_BUFFER ){ \
-        conf_parser_ensure_buffer_stack (yyscanner); \
+        yyensure_buffer_stack (yyscanner); \
 		YY_CURRENT_BUFFER_LVALUE =    \
-            conf_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner); \
+            yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner); \
 	} \
 	YY_CURRENT_BUFFER_LVALUE->yy_is_interactive = is_interactive; \
 	}
-
 #define yy_set_bol(at_bol) \
 	{ \
 	if ( ! YY_CURRENT_BUFFER ){\
-        conf_parser_ensure_buffer_stack (yyscanner); \
+        yyensure_buffer_stack (yyscanner); \
 		YY_CURRENT_BUFFER_LVALUE =    \
-            conf_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner); \
+            yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner); \
 	} \
 	YY_CURRENT_BUFFER_LVALUE->yy_at_bol = at_bol; \
 	}
-
 #define YY_AT_BOL() (YY_CURRENT_BUFFER_LVALUE->yy_at_bol)
 
 /* %% [1.0] yytext/yyin/yyout/yy_state_type/yylineno etc. def's & init go here */
@@ -434,8 +631,7 @@ void conf_parser_free (void * ,yyscan_t yyscanner );
 #define YY_SKIP_YYWRAP
 
 #define FLEX_DEBUG
-
-typedef unsigned char YY_CHAR;
+typedef flex_uint8_t YY_CHAR;
 
 typedef int yy_state_type;
 
@@ -445,13 +641,10 @@ typedef int yy_state_type;
 
 /* %if-c-only Standard (non-C++) definition */
 
-static yy_state_type yy_get_previous_state (yyscan_t yyscanner );
-static yy_state_type yy_try_NUL_trans (yy_state_type current_state  ,yyscan_t yyscanner);
-static int yy_get_next_buffer (yyscan_t yyscanner );
-#if defined(__GNUC__) && __GNUC__ >= 3
-__attribute__((__noreturn__))
-#endif
-static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner );
+static yy_state_type yy_get_previous_state ( yyscan_t yyscanner );
+static yy_state_type yy_try_NUL_trans ( yy_state_type current_state  , yyscan_t yyscanner);
+static int yy_get_next_buffer ( yyscan_t yyscanner );
+static void yynoreturn yy_fatal_error ( const char* msg , yyscan_t yyscanner );
 
 /* %endif */
 
@@ -461,12 +654,11 @@ static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner );
 #define YY_DO_BEFORE_ACTION \
 	yyg->yytext_ptr = yy_bp; \
 /* %% [2.0] code to fiddle yytext and yyleng for yymore() goes here \ */\
-	yyleng = (size_t) (yy_cp - yy_bp); \
+	yyleng = (int) (yy_cp - yy_bp); \
 	yyg->yy_hold_char = *yy_cp; \
 	*yy_cp = '\0'; \
 /* %% [3.0] code to copy yytext_ptr to yytext[] goes here, if %array \ */\
 	yyg->yy_c_buf_p = yy_cp;
-
 /* %% [4.0] data tables for the DFA and the user's section 1 definitions go here */
 #define YY_NUM_RULES 26
 #define YY_END_OF_BUFFER 27
@@ -477,7 +669,7 @@ struct yy_trans_info
 	flex_int32_t yy_verify;
 	flex_int32_t yy_nxt;
 	};
-static yyconst flex_int16_t yy_accept[80] =
+static const flex_int16_t yy_accept[80] =
     {   0,
         0,    0,    0,    0,    0,    0,   27,   12,    3,    5,
        11,    4,    6,   12,   12,    2,   12,   12,   17,   13,
@@ -489,7 +681,7 @@ static yyconst flex_int16_t yy_accept[80] =
         0,    1,   10,   10,    0,    0,    0,    7,    0
     } ;
 
-static yyconst YY_CHAR yy_ec[256] =
+static const YY_CHAR yy_ec[256] =
     {   0,
         1,    1,    1,    1,    1,    1,    1,    1,    2,    3,
         1,    1,    4,    1,    1,    1,    1,    1,    1,    1,
@@ -521,14 +713,14 @@ static yyconst YY_CHAR yy_ec[256] =
         1,    1,    1,    1,    1
     } ;
 
-static yyconst YY_CHAR yy_meta[28] =
+static const YY_CHAR yy_meta[28] =
     {   0,
         1,    2,    3,    1,    2,    4,    2,    5,    1,    6,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1
     } ;
 
-static yyconst flex_uint16_t yy_base[91] =
+static const flex_int16_t yy_base[91] =
     {   0,
         0,   16,   41,   50,    4,    5,  101,    0,   24,  184,
       184,    0,  184,   92,   79,   32,   16,   83,    0,  184,
@@ -541,7 +733,7 @@ static yyconst flex_uint16_t yy_base[91] =
       125,  131,  137,  143,  149,  154,  159,  165,  171,  177
     } ;
 
-static yyconst flex_int16_t yy_def[91] =
+static const flex_int16_t yy_def[91] =
     {   0,
        80,   80,   81,   81,   82,   82,   79,   83,   79,   79,
        79,   84,   79,   83,   83,   79,   83,   83,   85,   79,
@@ -554,7 +746,7 @@ static yyconst flex_int16_t yy_def[91] =
        79,   79,   79,   79,   79,   79,   79,   79,   79,   79
     } ;
 
-static yyconst flex_uint16_t yy_nxt[212] =
+static const flex_int16_t yy_nxt[212] =
     {   0,
        79,    9,   10,   79,    9,   11,   12,   13,   14,   24,
        24,   79,   79,   25,   25,   52,   15,   16,   10,   53,
@@ -582,7 +774,7 @@ static yyconst flex_uint16_t yy_nxt[212] =
        79
     } ;
 
-static yyconst flex_int16_t yy_chk[212] =
+static const flex_int16_t yy_chk[212] =
     {   0,
         0,    1,    1,    0,    1,    1,    1,    1,    1,    5,
         6,    0,    0,    5,    6,   48,    1,    2,    2,   48,
@@ -611,16 +803,16 @@ static yyconst flex_int16_t yy_chk[212] =
     } ;
 
 /* Table of booleans, true if rule could match eol. */
-static yyconst flex_int32_t yy_rule_can_match_eol[27] =
+static const flex_int32_t yy_rule_can_match_eol[27] =
     {   0,
 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 
     0, 0, 0, 1, 0, 1, 0,     };
 
-static yyconst flex_int16_t yy_rule_linenum[26] =
+static const flex_int16_t yy_rule_linenum[26] =
     {   0,
-       60,   61,   62,   63,   65,   67,   68,   69,   70,   72,
-       77,   82,   90,  109,  112,  115,  118,  124,  126,  145,
-      146,  147,  148,  149,  150
+       65,   66,   67,   68,   70,   72,   73,   74,   75,   77,
+       82,   87,   95,  114,  117,  120,  123,  129,  131,  150,
+      151,  152,  153,  154,  155
     } ;
 
 /* The intent behind this definition is that it'll catch
@@ -656,9 +848,13 @@ bool conf_parser_open_next_file(parser_helper_t *ctx);
 
 static void include_files(parser_helper_t *ctx);
 
+#line 852 "parser/lexer.c"
 /* use start conditions stack */
 /* do not declare unneeded functions */
 #define YY_NO_INPUT 1
+/* do not include unistd.h as it might conflict with our scanner states */
+#define YY_NO_UNISTD_H 1
+/* due to that disable interactive mode, which requires isatty() */
 /* don't use global variables, and interact properly with bison */
 /* maintain the line number */
 /* don't generate a default rule */
@@ -669,7 +865,7 @@ static void include_files(parser_helper_t *ctx);
 
 /* state used to scan quoted strings */
 
-#line 673 "parser/lexer.c"
+#line 869 "parser/lexer.c"
 
 #define INITIAL 0
 #define inc 1
@@ -706,7 +902,7 @@ struct yyguts_t
     YY_BUFFER_STATE * yy_buffer_stack; /**< Stack as an array. */
     char yy_hold_char;
     int yy_n_chars;
-    yy_size_t yyleng_r;
+    int yyleng_r;
     char *yy_c_buf_p;
     int yy_init;
     int yy_start;
@@ -730,7 +926,7 @@ struct yyguts_t
 
 /* %if-c-only */
 
-static int yy_init_globals (yyscan_t yyscanner );
+static int yy_init_globals ( yyscan_t yyscanner );
 
 /* %endif */
 
@@ -740,9 +936,9 @@ static int yy_init_globals (yyscan_t yyscanner );
      * from bison output in section 1.*/
     #    define yylval yyg->yylval_r
     
-int conf_parser_lex_init (yyscan_t* scanner);
+int yylex_init (yyscan_t* scanner);
 
-int conf_parser_lex_init_extra (YY_EXTRA_TYPE user_defined,yyscan_t* scanner);
+int yylex_init_extra ( YY_EXTRA_TYPE user_defined, yyscan_t* scanner);
 
 /* %endif */
 
@@ -751,41 +947,41 @@ int conf_parser_lex_init_extra (YY_EXTRA_TYPE user_defined,yyscan_t* scanner);
 /* Accessor methods to globals.
    These are made visible to non-reentrant scanners for convenience. */
 
-int conf_parser_lex_destroy (yyscan_t yyscanner );
+int yylex_destroy ( yyscan_t yyscanner );
 
-int conf_parser_get_debug (yyscan_t yyscanner );
+int yyget_debug ( yyscan_t yyscanner );
 
-void conf_parser_set_debug (int debug_flag ,yyscan_t yyscanner );
+void yyset_debug ( int debug_flag , yyscan_t yyscanner );
 
-YY_EXTRA_TYPE conf_parser_get_extra (yyscan_t yyscanner );
+YY_EXTRA_TYPE yyget_extra ( yyscan_t yyscanner );
 
-void conf_parser_set_extra (YY_EXTRA_TYPE user_defined ,yyscan_t yyscanner );
+void yyset_extra ( YY_EXTRA_TYPE user_defined , yyscan_t yyscanner );
 
-FILE *conf_parser_get_in (yyscan_t yyscanner );
+FILE *yyget_in ( yyscan_t yyscanner );
 
-void conf_parser_set_in  (FILE * _in_str ,yyscan_t yyscanner );
+void yyset_in  ( FILE * _in_str , yyscan_t yyscanner );
 
-FILE *conf_parser_get_out (yyscan_t yyscanner );
+FILE *yyget_out ( yyscan_t yyscanner );
 
-void conf_parser_set_out  (FILE * _out_str ,yyscan_t yyscanner );
+void yyset_out  ( FILE * _out_str , yyscan_t yyscanner );
 
-yy_size_t conf_parser_get_leng (yyscan_t yyscanner );
+			int yyget_leng ( yyscan_t yyscanner );
 
-char *conf_parser_get_text (yyscan_t yyscanner );
+char *yyget_text ( yyscan_t yyscanner );
 
-int conf_parser_get_lineno (yyscan_t yyscanner );
+int yyget_lineno ( yyscan_t yyscanner );
 
-void conf_parser_set_lineno (int _line_number ,yyscan_t yyscanner );
+void yyset_lineno ( int _line_number , yyscan_t yyscanner );
 
-int conf_parser_get_column  (yyscan_t yyscanner );
+int yyget_column  ( yyscan_t yyscanner );
 
-void conf_parser_set_column (int _column_no ,yyscan_t yyscanner );
+void yyset_column ( int _column_no , yyscan_t yyscanner );
 
 /* %if-bison-bridge */
 
-YYSTYPE * conf_parser_get_lval (yyscan_t yyscanner );
+YYSTYPE * yyget_lval ( yyscan_t yyscanner );
 
-void conf_parser_set_lval (YYSTYPE * yylval_param ,yyscan_t yyscanner );
+void yyset_lval ( YYSTYPE * yylval_param , yyscan_t yyscanner );
 
 /* %endif */
 
@@ -795,17 +991,16 @@ void conf_parser_set_lval (YYSTYPE * yylval_param ,yyscan_t yyscanner );
 
 #ifndef YY_SKIP_YYWRAP
 #ifdef __cplusplus
-extern "C" int conf_parser_wrap (yyscan_t yyscanner );
+extern "C" int yywrap ( yyscan_t yyscanner );
 #else
-extern int conf_parser_wrap (yyscan_t yyscanner );
+extern int yywrap ( yyscan_t yyscanner );
 #endif
 #endif
 
 /* %not-for-header */
-
 #ifndef YY_NO_UNPUT
     
-    static void yyunput (int c,char *buf_ptr  ,yyscan_t yyscanner);
+    static void yyunput ( int c, char *buf_ptr  , yyscan_t yyscanner);
     
 #endif
 /* %ok-for-header */
@@ -813,21 +1008,20 @@ extern int conf_parser_wrap (yyscan_t yyscanner );
 /* %endif */
 
 #ifndef yytext_ptr
-static void yy_flex_strncpy (char *,yyconst char *,int ,yyscan_t yyscanner);
+static void yy_flex_strncpy ( char *, const char *, int , yyscan_t yyscanner);
 #endif
 
 #ifdef YY_NEED_STRLEN
-static int yy_flex_strlen (yyconst char * ,yyscan_t yyscanner);
+static int yy_flex_strlen ( const char * , yyscan_t yyscanner);
 #endif
 
 #ifndef YY_NO_INPUT
 /* %if-c-only Standard (non-C++) definition */
 /* %not-for-header */
-
 #ifdef __cplusplus
-static int yyinput (yyscan_t yyscanner );
+static int yyinput ( yyscan_t yyscanner );
 #else
-static int input (yyscan_t yyscanner );
+static int input ( yyscan_t yyscanner );
 #endif
 /* %ok-for-header */
 
@@ -836,11 +1030,11 @@ static int input (yyscan_t yyscanner );
 
 /* %if-c-only */
 
-    static void yy_push_state (int _new_state ,yyscan_t yyscanner);
+    static void yy_push_state ( int _new_state , yyscan_t yyscanner);
     
-    static void yy_pop_state (yyscan_t yyscanner );
+    static void yy_pop_state ( yyscan_t yyscanner );
     
-    static int yy_top_state (yyscan_t yyscanner );
+    static int yy_top_state ( yyscan_t yyscanner );
     
 /* %endif */
 
@@ -860,7 +1054,7 @@ static int input (yyscan_t yyscanner );
 /* This used to be an fputs(), but since the string might contain NUL's,
  * we now use fwrite().
  */
-#define ECHO do { if (fwrite( yytext, yyleng, 1, yyout )) {} } while (0)
+#define ECHO do { if (fwrite( yytext, (size_t) yyleng, 1, yyout )) {} } while (0)
 /* %endif */
 /* %if-c++-only C++ definition */
 /* %endif */
@@ -875,7 +1069,7 @@ static int input (yyscan_t yyscanner );
 	if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
 		{ \
 		int c = '*'; \
-		size_t n; \
+		int n; \
 		for ( n = 0; n < max_size && \
 			     (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
 			buf[n] = (char) c; \
@@ -888,7 +1082,7 @@ static int input (yyscan_t yyscanner );
 	else \
 		{ \
 		errno=0; \
-		while ( (result = fread(buf, 1, max_size, yyin))==0 && ferror(yyin)) \
+		while ( (result = (int) fread(buf, 1, (yy_size_t) max_size, yyin)) == 0 && ferror(yyin)) \
 			{ \
 			if( errno != EINTR) \
 				{ \
@@ -929,11 +1123,9 @@ static int input (yyscan_t yyscanner );
 
 /* %if-tables-serialization structures and prototypes */
 /* %not-for-header */
-
 /* %ok-for-header */
 
 /* %not-for-header */
-
 /* %tables-yydmap generated elements */
 /* %endif */
 /* end tables serialization structures and prototypes */
@@ -947,10 +1139,10 @@ static int input (yyscan_t yyscanner );
 #define YY_DECL_IS_OURS 1
 /* %if-c-only Standard (non-C++) definition */
 
-extern int conf_parser_lex \
-               (YYSTYPE * yylval_param ,yyscan_t yyscanner);
+extern int yylex \
+               (YYSTYPE * yylval_param , yyscan_t yyscanner);
 
-#define YY_DECL int conf_parser_lex \
+#define YY_DECL int yylex \
                (YYSTYPE * yylval_param , yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only C++ definition */
@@ -977,7 +1169,6 @@ extern int conf_parser_lex \
 	YY_USER_ACTION
 
 /* %not-for-header */
-
 /** The main scanner function which does all the work.
  */
 YY_DECL
@@ -1015,20 +1206,20 @@ YY_DECL
 /* %endif */
 
 		if ( ! YY_CURRENT_BUFFER ) {
-			conf_parser_ensure_buffer_stack (yyscanner);
+			yyensure_buffer_stack (yyscanner);
 			YY_CURRENT_BUFFER_LVALUE =
-				conf_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner);
+				yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner);
 		}
 
-		conf_parser__load_buffer_state(yyscanner );
+		yy_load_buffer_state( yyscanner );
 		}
 
 	{
 /* %% [7.0] user's declarations go here */
-#line 58 "parser/lexer.l"
+#line 63 "parser/lexer.l"
 
 
-#line 1032 "parser/lexer.c"
+#line 1223 "parser/lexer.c"
 
 	while ( /*CONSTCOND*/1 )		/* loops until end-of-file is reached */
 		{
@@ -1059,22 +1250,18 @@ yy_match:
 				{
 				yy_current_state = (int) yy_def[yy_current_state];
 				if ( yy_current_state >= 80 )
-					yy_c = yy_meta[(unsigned int) yy_c];
+					yy_c = yy_meta[yy_c];
 				}
-			yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+			yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
 			++yy_cp;
 			}
-		while ( yy_base[yy_current_state] != 184 );
+		while ( yy_current_state != 79 );
+		yy_cp = yyg->yy_last_accepting_cpos;
+		yy_current_state = yyg->yy_last_accepting_state;
 
 yy_find_action:
 /* %% [10.0] code to find the action number goes here */
 		yy_act = yy_accept[yy_current_state];
-		if ( yy_act == 0 )
-			{ /* have to back up */
-			yy_cp = yyg->yy_last_accepting_cpos;
-			yy_current_state = yyg->yy_last_accepting_state;
-			yy_act = yy_accept[yy_current_state];
-			}
 
 		YY_DO_BEFORE_ACTION;
 
@@ -1082,10 +1269,10 @@ yy_find_action:
 
 		if ( yy_act != YY_END_OF_BUFFER && yy_rule_can_match_eol[yy_act] )
 			{
-			yy_size_t yyl;
+			int yyl;
 			for ( yyl = 0; yyl < yyleng; ++yyl )
 				if ( yytext[yyl] == '\n' )
-					   
+					
     do{ yylineno++;
         yycolumn=0;
     }while(0)
@@ -1126,48 +1313,48 @@ case 1:
 yyg->yy_c_buf_p = yy_cp -= 1;
 YY_DO_BEFORE_ACTION; /* set up yytext again */
 YY_RULE_SETUP
-#line 60 "parser/lexer.l"
+#line 65 "parser/lexer.l"
 /* eat legacy version delcaration */
 	YY_BREAK
 case 2:
 YY_RULE_SETUP
-#line 61 "parser/lexer.l"
+#line 66 "parser/lexer.l"
 return SPACES;
 	YY_BREAK
 case 3:
 YY_RULE_SETUP
-#line 62 "parser/lexer.l"
+#line 67 "parser/lexer.l"
 /* eat other whitespace */
 	YY_BREAK
 case 4:
 YY_RULE_SETUP
-#line 63 "parser/lexer.l"
+#line 68 "parser/lexer.l"
 /* eat comments */
 	YY_BREAK
 case 5:
 /* rule 5 can match eol */
 YY_RULE_SETUP
-#line 65 "parser/lexer.l"
+#line 70 "parser/lexer.l"
 return NEWLINE;
 	YY_BREAK
 case 6:
 YY_RULE_SETUP
-#line 67 "parser/lexer.l"
+#line 72 "parser/lexer.l"
 return EQ;
 	YY_BREAK
 case 7:
 YY_RULE_SETUP
-#line 68 "parser/lexer.l"
+#line 73 "parser/lexer.l"
 return CONFIG_SETUP;
 	YY_BREAK
 case 8:
 YY_RULE_SETUP
-#line 69 "parser/lexer.l"
+#line 74 "parser/lexer.l"
 return CONN;
 	YY_BREAK
 case 9:
 YY_RULE_SETUP
-#line 70 "parser/lexer.l"
+#line 75 "parser/lexer.l"
 return CA;
 	YY_BREAK
 case 10:
@@ -1177,7 +1364,7 @@ YY_LINENO_REWIND_TO(yy_cp - 1);
 yyg->yy_c_buf_p = yy_cp -= 1;
 YY_DO_BEFORE_ACTION; /* set up yytext again */
 YY_RULE_SETUP
-#line 72 "parser/lexer.l"
+#line 77 "parser/lexer.l"
 {
 	yyextra->string_init(yyextra);
 	yy_push_state(inc, yyscanner);
@@ -1185,7 +1372,7 @@ YY_RULE_SETUP
 	YY_BREAK
 case 11:
 YY_RULE_SETUP
-#line 77 "parser/lexer.l"
+#line 82 "parser/lexer.l"
 {
 	yyextra->string_init(yyextra);
 	yy_push_state(str, yyscanner);
@@ -1193,7 +1380,7 @@ YY_RULE_SETUP
 	YY_BREAK
 case 12:
 YY_RULE_SETUP
-#line 82 "parser/lexer.l"
+#line 87 "parser/lexer.l"
 {
 	yylval->s = strdup(yytext);
 	return STRING;
@@ -1202,11 +1389,11 @@ YY_RULE_SETUP
 
 /* we allow all characters except # and spaces, they can be escaped */
 case YY_STATE_EOF(inc):
-#line 89 "parser/lexer.l"
+#line 94 "parser/lexer.l"
 case 13:
 /* rule 13 can match eol */
 YY_RULE_SETUP
-#line 90 "parser/lexer.l"
+#line 95 "parser/lexer.l"
 {
 		if (*yytext)
 		{
@@ -1229,28 +1416,28 @@ YY_RULE_SETUP
 	YY_BREAK
 case 14:
 YY_RULE_SETUP
-#line 109 "parser/lexer.l"
+#line 114 "parser/lexer.l"
 {	/* string include */
 		yy_push_state(str, yyscanner);
 	}
 	YY_BREAK
 case 15:
 YY_RULE_SETUP
-#line 112 "parser/lexer.l"
+#line 117 "parser/lexer.l"
 {
 		yyextra->string_add(yyextra, yytext);
 	}
 	YY_BREAK
 case 16:
 YY_RULE_SETUP
-#line 115 "parser/lexer.l"
+#line 120 "parser/lexer.l"
 {
 		yyextra->string_add(yyextra, yytext+1);
 	}
 	YY_BREAK
 case 17:
 YY_RULE_SETUP
-#line 118 "parser/lexer.l"
+#line 123 "parser/lexer.l"
 {
 		yyextra->string_add(yyextra, yytext);
 	}
@@ -1258,13 +1445,13 @@ YY_RULE_SETUP
 
 
 case 18:
-#line 125 "parser/lexer.l"
+#line 130 "parser/lexer.l"
 YY_RULE_SETUP
 case YY_STATE_EOF(str):
-#line 125 "parser/lexer.l"
+#line 130 "parser/lexer.l"
 case 19:
 YY_RULE_SETUP
-#line 126 "parser/lexer.l"
+#line 131 "parser/lexer.l"
 {
 		if (!streq(yytext, "\""))
 		{
@@ -1287,41 +1474,41 @@ YY_RULE_SETUP
 	YY_BREAK
 case 20:
 YY_RULE_SETUP
-#line 145 "parser/lexer.l"
+#line 150 "parser/lexer.l"
 yyextra->string_add(yyextra, "\n");
 	YY_BREAK
 case 21:
 YY_RULE_SETUP
-#line 146 "parser/lexer.l"
+#line 151 "parser/lexer.l"
 yyextra->string_add(yyextra, "\r");
 	YY_BREAK
 case 22:
 YY_RULE_SETUP
-#line 147 "parser/lexer.l"
+#line 152 "parser/lexer.l"
 yyextra->string_add(yyextra, "\t");
 	YY_BREAK
 case 23:
 /* rule 23 can match eol */
 YY_RULE_SETUP
-#line 148 "parser/lexer.l"
+#line 153 "parser/lexer.l"
 /* merge lines that end with EOL characters */
 	YY_BREAK
 case 24:
 YY_RULE_SETUP
-#line 149 "parser/lexer.l"
+#line 154 "parser/lexer.l"
 yyextra->string_add(yyextra, yytext+1);
 	YY_BREAK
 case 25:
 /* rule 25 can match eol */
 YY_RULE_SETUP
-#line 150 "parser/lexer.l"
+#line 155 "parser/lexer.l"
 {
 		yyextra->string_add(yyextra, yytext);
 	}
 	YY_BREAK
 
 case YY_STATE_EOF(INITIAL):
-#line 155 "parser/lexer.l"
+#line 160 "parser/lexer.l"
 {
 	conf_parser_pop_buffer_state(yyscanner);
 	if (!conf_parser_open_next_file(yyextra) && !YY_CURRENT_BUFFER)
@@ -1332,10 +1519,10 @@ case YY_STATE_EOF(INITIAL):
 	YY_BREAK
 case 26:
 YY_RULE_SETUP
-#line 163 "parser/lexer.l"
+#line 168 "parser/lexer.l"
 YY_FATAL_ERROR( "flex scanner jammed" );
 	YY_BREAK
-#line 1339 "parser/lexer.c"
+#line 1526 "parser/lexer.c"
 
 	case YY_END_OF_BUFFER:
 		{
@@ -1351,7 +1538,7 @@ YY_FATAL_ERROR( "flex scanner jammed" );
 			/* We're scanning a new file or input source.  It's
 			 * possible that this happened because the user
 			 * just pointed yyin at a new source and called
-			 * conf_parser_lex().  If so, then we have to assure
+			 * yylex().  If so, then we have to assure
 			 * consistency between YY_CURRENT_BUFFER and our
 			 * globals.  Here is the right place to do so, because
 			 * this is the first action (other than possibly a
@@ -1405,7 +1592,8 @@ YY_FATAL_ERROR( "flex scanner jammed" );
 			else
 				{
 /* %% [14.0] code to do back-up for compressed tables and set up yy_cp goes here */
-				yy_cp = yyg->yy_c_buf_p;
+				yy_cp = yyg->yy_last_accepting_cpos;
+				yy_current_state = yyg->yy_last_accepting_state;
 				goto yy_find_action;
 				}
 			}
@@ -1416,7 +1604,7 @@ YY_FATAL_ERROR( "flex scanner jammed" );
 				{
 				yyg->yy_did_buffer_switch_on_eof = 0;
 
-				if ( conf_parser_wrap(yyscanner ) )
+				if ( yywrap( yyscanner ) )
 					{
 					/* Note: because we've taken care in
 					 * yy_get_next_buffer() to have set up
@@ -1470,12 +1658,11 @@ YY_FATAL_ERROR( "flex scanner jammed" );
 	} /* end of action switch */
 		} /* end of scanning one token */
 	} /* end of user's declarations */
-} /* end of conf_parser_lex */
+} /* end of yylex */
 /* %ok-for-header */
 
 /* %if-c++-only */
 /* %not-for-header */
-
 /* %ok-for-header */
 
 /* %endif */
@@ -1496,7 +1683,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 	char *dest = YY_CURRENT_BUFFER_LVALUE->yy_ch_buf;
 	char *source = yyg->yytext_ptr;
-	yy_size_t number_to_move, i;
+	int number_to_move, i;
 	int ret_val;
 
 	if ( yyg->yy_c_buf_p > &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[yyg->yy_n_chars + 1] )
@@ -1525,7 +1712,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 	/* Try to read more data. */
 
 	/* First move last chars to start of buffer. */
-	number_to_move = (yy_size_t) (yyg->yy_c_buf_p - yyg->yytext_ptr) - 1;
+	number_to_move = (int) (yyg->yy_c_buf_p - yyg->yytext_ptr - 1);
 
 	for ( i = 0; i < number_to_move; ++i )
 		*(dest++) = *(source++);
@@ -1538,7 +1725,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 
 	else
 		{
-			yy_size_t num_to_read =
+			int num_to_read =
 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
 
 		while ( num_to_read <= 0 )
@@ -1552,7 +1739,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 
 			if ( b->yy_is_our_buffer )
 				{
-				yy_size_t new_size = b->yy_buf_size * 2;
+				int new_size = b->yy_buf_size * 2;
 
 				if ( new_size <= 0 )
 					b->yy_buf_size += b->yy_buf_size / 8;
@@ -1561,11 +1748,12 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 
 				b->yy_ch_buf = (char *)
 					/* Include room in for 2 EOB chars. */
-					conf_parser_realloc((void *) b->yy_ch_buf,b->yy_buf_size + 2 ,yyscanner );
+					yyrealloc( (void *) b->yy_ch_buf,
+							 (yy_size_t) (b->yy_buf_size + 2) , yyscanner );
 				}
 			else
 				/* Can't grow it, we don't own it. */
-				b->yy_ch_buf = 0;
+				b->yy_ch_buf = NULL;
 
 			if ( ! b->yy_ch_buf )
 				YY_FATAL_ERROR(
@@ -1593,7 +1781,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 		if ( number_to_move == YY_MORE_ADJ )
 			{
 			ret_val = EOB_ACT_END_OF_FILE;
-			conf_parser_restart(yyin  ,yyscanner);
+			yyrestart( yyin  , yyscanner);
 			}
 
 		else
@@ -1607,12 +1795,15 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 	else
 		ret_val = EOB_ACT_CONTINUE_SCAN;
 
-	if ((int) (yyg->yy_n_chars + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) {
+	if ((yyg->yy_n_chars + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) {
 		/* Extend the array by 50%, plus the number we really need. */
 		int new_size = yyg->yy_n_chars + number_to_move + (yyg->yy_n_chars >> 1);
-		YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) conf_parser_realloc((void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf,new_size ,yyscanner );
+		YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) yyrealloc(
+			(void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf, (yy_size_t) new_size , yyscanner );
 		if ( ! YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
 			YY_FATAL_ERROR( "out of dynamic memory in yy_get_next_buffer()" );
+		/* "- 2" to take care of EOB's */
+		YY_CURRENT_BUFFER_LVALUE->yy_buf_size = (int) (new_size - 2);
 	}
 
 	yyg->yy_n_chars += number_to_move;
@@ -1628,7 +1819,6 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 
 /* %if-c-only */
 /* %not-for-header */
-
     static yy_state_type yy_get_previous_state (yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
@@ -1655,9 +1845,9 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 			{
 			yy_current_state = (int) yy_def[yy_current_state];
 			if ( yy_current_state >= 80 )
-				yy_c = yy_meta[(unsigned int) yy_c];
+				yy_c = yy_meta[yy_c];
 			}
-		yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+		yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
 		}
 
 	return yy_current_state;
@@ -1689,9 +1879,9 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 		{
 		yy_current_state = (int) yy_def[yy_current_state];
 		if ( yy_current_state >= 80 )
-			yy_c = yy_meta[(unsigned int) yy_c];
+			yy_c = yy_meta[yy_c];
 		}
-	yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+	yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
 	yy_is_jam = (yy_current_state == 79);
 
 	(void)yyg;
@@ -1717,7 +1907,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 	if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
 		{ /* need to shift things up to make room */
 		/* +2 for EOB chars. */
-		yy_size_t number_to_move = yyg->yy_n_chars + 2;
+		int number_to_move = yyg->yy_n_chars + 2;
 		char *dest = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[
 					YY_CURRENT_BUFFER_LVALUE->yy_buf_size + 2];
 		char *source =
@@ -1729,7 +1919,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 		yy_cp += (int) (dest - source);
 		yy_bp += (int) (dest - source);
 		YY_CURRENT_BUFFER_LVALUE->yy_n_chars =
-			yyg->yy_n_chars = YY_CURRENT_BUFFER_LVALUE->yy_buf_size;
+			yyg->yy_n_chars = (int) YY_CURRENT_BUFFER_LVALUE->yy_buf_size;
 
 		if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
 			YY_FATAL_ERROR( "flex scanner push-back overflow" );
@@ -1781,7 +1971,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 
 		else
 			{ /* need more input */
-			yy_size_t offset = yyg->yy_c_buf_p - yyg->yytext_ptr;
+			int offset = (int) (yyg->yy_c_buf_p - yyg->yytext_ptr);
 			++yyg->yy_c_buf_p;
 
 			switch ( yy_get_next_buffer( yyscanner ) )
@@ -1798,14 +1988,14 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 					 */
 
 					/* Reset buffer status. */
-					conf_parser_restart(yyin ,yyscanner);
+					yyrestart( yyin , yyscanner);
 
 					/*FALLTHROUGH*/
 
 				case EOB_ACT_END_OF_FILE:
 					{
-					if ( conf_parser_wrap(yyscanner ) )
-						return EOF;
+					if ( yywrap( yyscanner ) )
+						return 0;
 
 					if ( ! yyg->yy_did_buffer_switch_on_eof )
 						YY_NEW_FILE;
@@ -1830,7 +2020,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 /* %% [19.0] update BOL and yylineno */
 	YY_CURRENT_BUFFER_LVALUE->yy_at_bol = (c == '\n');
 	if ( YY_CURRENT_BUFFER_LVALUE->yy_at_bol )
-		   
+		
     do{ yylineno++;
         yycolumn=0;
     }while(0)
@@ -1848,7 +2038,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
  * @note This function does not reset the start condition to @c INITIAL .
  */
 /* %if-c-only */
-    void conf_parser_restart  (FILE * input_file , yyscan_t yyscanner)
+    void yyrestart  (FILE * input_file , yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
@@ -1856,13 +2046,13 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 
 	if ( ! YY_CURRENT_BUFFER ){
-        conf_parser_ensure_buffer_stack (yyscanner);
+        yyensure_buffer_stack (yyscanner);
 		YY_CURRENT_BUFFER_LVALUE =
-            conf_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner);
+            yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner);
 	}
 
-	conf_parser__init_buffer(YY_CURRENT_BUFFER,input_file ,yyscanner);
-	conf_parser__load_buffer_state(yyscanner );
+	yy_init_buffer( YY_CURRENT_BUFFER, input_file , yyscanner);
+	yy_load_buffer_state( yyscanner );
 }
 
 /* %if-c++-only */
@@ -1873,7 +2063,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
  * @param yyscanner The scanner object.
  */
 /* %if-c-only */
-    void conf_parser__switch_to_buffer  (YY_BUFFER_STATE  new_buffer , yyscan_t yyscanner)
+    void yy_switch_to_buffer  (YY_BUFFER_STATE  new_buffer , yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
@@ -1882,10 +2072,10 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 
 	/* TODO. We should be able to replace this entire function body
 	 * with
-	 *		conf_parser_pop_buffer_state();
-	 *		conf_parser_push_buffer_state(new_buffer);
+	 *		yypop_buffer_state();
+	 *		yypush_buffer_state(new_buffer);
      */
-	conf_parser_ensure_buffer_stack (yyscanner);
+	yyensure_buffer_stack (yyscanner);
 	if ( YY_CURRENT_BUFFER == new_buffer )
 		return;
 
@@ -1898,18 +2088,18 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 		}
 
 	YY_CURRENT_BUFFER_LVALUE = new_buffer;
-	conf_parser__load_buffer_state(yyscanner );
+	yy_load_buffer_state( yyscanner );
 
 	/* We don't actually know whether we did this switch during
-	 * EOF (conf_parser_wrap()) processing, but the only time this flag
-	 * is looked at is after conf_parser_wrap() is called, so it's safe
+	 * EOF (yywrap()) processing, but the only time this flag
+	 * is looked at is after yywrap() is called, so it's safe
 	 * to go ahead and always set it.
 	 */
 	yyg->yy_did_buffer_switch_on_eof = 1;
 }
 
 /* %if-c-only */
-static void conf_parser__load_buffer_state  (yyscan_t yyscanner)
+static void yy_load_buffer_state  (yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
@@ -1932,29 +2122,29 @@ static void conf_parser__load_buffer_state  (yyscan_t yyscanner)
  * @return the allocated buffer state.
  */
 /* %if-c-only */
-    YY_BUFFER_STATE conf_parser__create_buffer  (FILE * file, int  size , yyscan_t yyscanner)
+    YY_BUFFER_STATE yy_create_buffer  (FILE * file, int  size , yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
 {
 	YY_BUFFER_STATE b;
     
-	b = (YY_BUFFER_STATE) conf_parser_alloc(sizeof( struct yy_buffer_state ) ,yyscanner );
+	b = (YY_BUFFER_STATE) yyalloc( sizeof( struct yy_buffer_state ) , yyscanner );
 	if ( ! b )
-		YY_FATAL_ERROR( "out of dynamic memory in conf_parser__create_buffer()" );
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
 
-	b->yy_buf_size = (yy_size_t)size;
+	b->yy_buf_size = size;
 
 	/* yy_ch_buf has to be 2 characters longer than the size given because
 	 * we need to put in 2 end-of-buffer characters.
 	 */
-	b->yy_ch_buf = (char *) conf_parser_alloc(b->yy_buf_size + 2 ,yyscanner );
+	b->yy_ch_buf = (char *) yyalloc( (yy_size_t) (b->yy_buf_size + 2) , yyscanner );
 	if ( ! b->yy_ch_buf )
-		YY_FATAL_ERROR( "out of dynamic memory in conf_parser__create_buffer()" );
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
 
 	b->yy_is_our_buffer = 1;
 
-	conf_parser__init_buffer(b,file ,yyscanner);
+	yy_init_buffer( b, file , yyscanner);
 
 	return b;
 }
@@ -1963,11 +2153,11 @@ static void conf_parser__load_buffer_state  (yyscan_t yyscanner)
 /* %endif */
 
 /** Destroy the buffer.
- * @param b a buffer created with conf_parser__create_buffer()
+ * @param b a buffer created with yy_create_buffer()
  * @param yyscanner The scanner object.
  */
 /* %if-c-only */
-    void conf_parser__delete_buffer (YY_BUFFER_STATE  b , yyscan_t yyscanner)
+    void yy_delete_buffer (YY_BUFFER_STATE  b , yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
@@ -1981,17 +2171,17 @@ static void conf_parser__load_buffer_state  (yyscan_t yyscanner)
 		YY_CURRENT_BUFFER_LVALUE = (YY_BUFFER_STATE) 0;
 
 	if ( b->yy_is_our_buffer )
-		conf_parser_free((void *) b->yy_ch_buf ,yyscanner );
+		yyfree( (void *) b->yy_ch_buf , yyscanner );
 
-	conf_parser_free((void *) b ,yyscanner );
+	yyfree( (void *) b , yyscanner );
 }
 
 /* Initializes or reinitializes a buffer.
  * This function is sometimes called more than once on the same buffer,
- * such as during a conf_parser_restart() or at EOF.
+ * such as during a yyrestart() or at EOF.
  */
 /* %if-c-only */
-    static void conf_parser__init_buffer  (YY_BUFFER_STATE  b, FILE * file , yyscan_t yyscanner)
+    static void yy_init_buffer  (YY_BUFFER_STATE  b, FILE * file , yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
@@ -2000,7 +2190,7 @@ static void conf_parser__load_buffer_state  (yyscan_t yyscanner)
 	int oerrno = errno;
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 
-	conf_parser__flush_buffer(b ,yyscanner);
+	yy_flush_buffer( b , yyscanner);
 
 /* %if-c-only */
 	b->yy_input_file = file;
@@ -2009,8 +2199,8 @@ static void conf_parser__load_buffer_state  (yyscan_t yyscanner)
 /* %endif */
 	b->yy_fill_buffer = 1;
 
-    /* If b is the current buffer, then conf_parser__init_buffer was _probably_
-     * called from conf_parser_restart() or through yy_get_next_buffer.
+    /* If b is the current buffer, then yy_init_buffer was _probably_
+     * called from yyrestart() or through yy_get_next_buffer.
      * In that case, we don't want to reset the lineno or column.
      */
     if (b != YY_CURRENT_BUFFER){
@@ -2020,7 +2210,7 @@ static void conf_parser__load_buffer_state  (yyscan_t yyscanner)
 
 /* %if-c-only */
 
-        b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0;
+        b->yy_is_interactive = 0;
     
 /* %endif */
 /* %if-c++-only */
@@ -2033,7 +2223,7 @@ static void conf_parser__load_buffer_state  (yyscan_t yyscanner)
  * @param yyscanner The scanner object.
  */
 /* %if-c-only */
-    void conf_parser__flush_buffer (YY_BUFFER_STATE  b , yyscan_t yyscanner)
+    void yy_flush_buffer (YY_BUFFER_STATE  b , yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
@@ -2057,7 +2247,7 @@ static void conf_parser__load_buffer_state  (yyscan_t yyscanner)
 	b->yy_buffer_status = YY_BUFFER_NEW;
 
 	if ( b == YY_CURRENT_BUFFER )
-		conf_parser__load_buffer_state(yyscanner );
+		yy_load_buffer_state( yyscanner );
 }
 
 /* %if-c-or-c++ */
@@ -2068,7 +2258,7 @@ static void conf_parser__load_buffer_state  (yyscan_t yyscanner)
  *  @param yyscanner The scanner object.
  */
 /* %if-c-only */
-void conf_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner)
+void yypush_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
@@ -2077,9 +2267,9 @@ void conf_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscan
 	if (new_buffer == NULL)
 		return;
 
-	conf_parser_ensure_buffer_stack(yyscanner);
+	yyensure_buffer_stack(yyscanner);
 
-	/* This block is copied from conf_parser__switch_to_buffer. */
+	/* This block is copied from yy_switch_to_buffer. */
 	if ( YY_CURRENT_BUFFER )
 		{
 		/* Flush out information for old buffer. */
@@ -2093,8 +2283,8 @@ void conf_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscan
 		yyg->yy_buffer_stack_top++;
 	YY_CURRENT_BUFFER_LVALUE = new_buffer;
 
-	/* copied from conf_parser__switch_to_buffer. */
-	conf_parser__load_buffer_state(yyscanner );
+	/* copied from yy_switch_to_buffer. */
+	yy_load_buffer_state( yyscanner );
 	yyg->yy_did_buffer_switch_on_eof = 1;
 }
 /* %endif */
@@ -2105,7 +2295,7 @@ void conf_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscan
  *  @param yyscanner The scanner object.
  */
 /* %if-c-only */
-void conf_parser_pop_buffer_state (yyscan_t yyscanner)
+void yypop_buffer_state (yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
@@ -2114,13 +2304,13 @@ void conf_parser_pop_buffer_state (yyscan_t yyscanner)
 	if (!YY_CURRENT_BUFFER)
 		return;
 
-	conf_parser__delete_buffer(YY_CURRENT_BUFFER ,yyscanner);
+	yy_delete_buffer(YY_CURRENT_BUFFER , yyscanner);
 	YY_CURRENT_BUFFER_LVALUE = NULL;
 	if (yyg->yy_buffer_stack_top > 0)
 		--yyg->yy_buffer_stack_top;
 
 	if (YY_CURRENT_BUFFER) {
-		conf_parser__load_buffer_state(yyscanner );
+		yy_load_buffer_state( yyscanner );
 		yyg->yy_did_buffer_switch_on_eof = 1;
 	}
 }
@@ -2131,7 +2321,7 @@ void conf_parser_pop_buffer_state (yyscan_t yyscanner)
  *  Guarantees space for at least one push.
  */
 /* %if-c-only */
-static void conf_parser_ensure_buffer_stack (yyscan_t yyscanner)
+static void yyensure_buffer_stack (yyscan_t yyscanner)
 /* %endif */
 /* %if-c++-only */
 /* %endif */
@@ -2145,15 +2335,15 @@ static void conf_parser_ensure_buffer_stack (yyscan_t yyscanner)
 		 * scanner will even need a stack. We use 2 instead of 1 to avoid an
 		 * immediate realloc on the next call.
          */
-		num_to_alloc = 1; /* After all that talk, this was set to 1 anyways... */
-		yyg->yy_buffer_stack = (struct yy_buffer_state**)conf_parser_alloc
+      num_to_alloc = 1; /* After all that talk, this was set to 1 anyways... */
+		yyg->yy_buffer_stack = (struct yy_buffer_state**)yyalloc
 								(num_to_alloc * sizeof(struct yy_buffer_state*)
 								, yyscanner);
 		if ( ! yyg->yy_buffer_stack )
-			YY_FATAL_ERROR( "out of dynamic memory in conf_parser_ensure_buffer_stack()" );
-								  
+			YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
+
 		memset(yyg->yy_buffer_stack, 0, num_to_alloc * sizeof(struct yy_buffer_state*));
-				
+
 		yyg->yy_buffer_stack_max = num_to_alloc;
 		yyg->yy_buffer_stack_top = 0;
 		return;
@@ -2165,12 +2355,12 @@ static void conf_parser_ensure_buffer_stack (yyscan_t yyscanner)
 		yy_size_t grow_size = 8 /* arbitrary grow size */;
 
 		num_to_alloc = yyg->yy_buffer_stack_max + grow_size;
-		yyg->yy_buffer_stack = (struct yy_buffer_state**)conf_parser_realloc
+		yyg->yy_buffer_stack = (struct yy_buffer_state**)yyrealloc
 								(yyg->yy_buffer_stack,
 								num_to_alloc * sizeof(struct yy_buffer_state*)
 								, yyscanner);
 		if ( ! yyg->yy_buffer_stack )
-			YY_FATAL_ERROR( "out of dynamic memory in conf_parser_ensure_buffer_stack()" );
+			YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
 
 		/* zero only the new slots.*/
 		memset(yyg->yy_buffer_stack + yyg->yy_buffer_stack_max, 0, grow_size * sizeof(struct yy_buffer_state*));
@@ -2184,9 +2374,9 @@ static void conf_parser_ensure_buffer_stack (yyscan_t yyscanner)
  * @param base the character buffer
  * @param size the size in bytes of the character buffer
  * @param yyscanner The scanner object.
- * @return the newly allocated buffer state object. 
+ * @return the newly allocated buffer state object.
  */
-YY_BUFFER_STATE conf_parser__scan_buffer  (char * base, yy_size_t  size , yyscan_t yyscanner)
+YY_BUFFER_STATE yy_scan_buffer  (char * base, yy_size_t  size , yyscan_t yyscanner)
 {
 	YY_BUFFER_STATE b;
     
@@ -2194,73 +2384,73 @@ YY_BUFFER_STATE conf_parser__scan_buffer  (char * base, yy_size_t  size , yyscan
 	     base[size-2] != YY_END_OF_BUFFER_CHAR ||
 	     base[size-1] != YY_END_OF_BUFFER_CHAR )
 		/* They forgot to leave room for the EOB's. */
-		return 0;
+		return NULL;
 
-	b = (YY_BUFFER_STATE) conf_parser_alloc(sizeof( struct yy_buffer_state ) ,yyscanner );
+	b = (YY_BUFFER_STATE) yyalloc( sizeof( struct yy_buffer_state ) , yyscanner );
 	if ( ! b )
-		YY_FATAL_ERROR( "out of dynamic memory in conf_parser__scan_buffer()" );
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" );
 
-	b->yy_buf_size = size - 2;	/* "- 2" to take care of EOB's */
+	b->yy_buf_size = (int) (size - 2);	/* "- 2" to take care of EOB's */
 	b->yy_buf_pos = b->yy_ch_buf = base;
 	b->yy_is_our_buffer = 0;
-	b->yy_input_file = 0;
+	b->yy_input_file = NULL;
 	b->yy_n_chars = b->yy_buf_size;
 	b->yy_is_interactive = 0;
 	b->yy_at_bol = 1;
 	b->yy_fill_buffer = 0;
 	b->yy_buffer_status = YY_BUFFER_NEW;
 
-	conf_parser__switch_to_buffer(b ,yyscanner );
+	yy_switch_to_buffer( b , yyscanner );
 
 	return b;
 }
 /* %endif */
 
 /* %if-c-only */
-/** Setup the input buffer state to scan a string. The next call to conf_parser_lex() will
+/** Setup the input buffer state to scan a string. The next call to yylex() will
  * scan from a @e copy of @a str.
  * @param yystr a NUL-terminated string to scan
  * @param yyscanner The scanner object.
  * @return the newly allocated buffer state object.
  * @note If you want to scan bytes that may contain NUL values, then use
- *       conf_parser__scan_bytes() instead.
+ *       yy_scan_bytes() instead.
  */
-YY_BUFFER_STATE conf_parser__scan_string (yyconst char * yystr , yyscan_t yyscanner)
+YY_BUFFER_STATE yy_scan_string (const char * yystr , yyscan_t yyscanner)
 {
     
-	return conf_parser__scan_bytes(yystr,strlen(yystr) ,yyscanner);
+	return yy_scan_bytes( yystr, (int) strlen(yystr) , yyscanner);
 }
 /* %endif */
 
 /* %if-c-only */
-/** Setup the input buffer state to scan the given bytes. The next call to conf_parser_lex() will
+/** Setup the input buffer state to scan the given bytes. The next call to yylex() will
  * scan from a @e copy of @a bytes.
  * @param yybytes the byte buffer to scan
  * @param _yybytes_len the number of bytes in the buffer pointed to by @a bytes.
  * @param yyscanner The scanner object.
  * @return the newly allocated buffer state object.
  */
-YY_BUFFER_STATE conf_parser__scan_bytes  (yyconst char * yybytes, yy_size_t  _yybytes_len , yyscan_t yyscanner)
+YY_BUFFER_STATE yy_scan_bytes  (const char * yybytes, int  _yybytes_len , yyscan_t yyscanner)
 {
 	YY_BUFFER_STATE b;
 	char *buf;
 	yy_size_t n;
-	yy_size_t i;
+	int i;
     
 	/* Get memory for full buffer, including space for trailing EOB's. */
-	n = _yybytes_len + 2;
-	buf = (char *) conf_parser_alloc(n ,yyscanner );
+	n = (yy_size_t) (_yybytes_len + 2);
+	buf = (char *) yyalloc( n , yyscanner );
 	if ( ! buf )
-		YY_FATAL_ERROR( "out of dynamic memory in conf_parser__scan_bytes()" );
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" );
 
 	for ( i = 0; i < _yybytes_len; ++i )
 		buf[i] = yybytes[i];
 
 	buf[_yybytes_len] = buf[_yybytes_len+1] = YY_END_OF_BUFFER_CHAR;
 
-	b = conf_parser__scan_buffer(buf,n ,yyscanner);
+	b = yy_scan_buffer( buf, n , yyscanner);
 	if ( ! b )
-		YY_FATAL_ERROR( "bad buffer in conf_parser__scan_bytes()" );
+		YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" );
 
 	/* It's okay to grow etc. this buffer, and we should throw it
 	 * away when we're done.
@@ -2283,13 +2473,14 @@ YY_BUFFER_STATE conf_parser__scan_bytes  (yyconst char * yybytes, yy_size_t  _yy
 		yy_size_t new_size;
 
 		yyg->yy_start_stack_depth += YY_START_STACK_INCR;
-		new_size = yyg->yy_start_stack_depth * sizeof( int );
+		new_size = (yy_size_t) yyg->yy_start_stack_depth * sizeof( int );
 
 		if ( ! yyg->yy_start_stack )
-			yyg->yy_start_stack = (int *) conf_parser_alloc(new_size ,yyscanner );
+			yyg->yy_start_stack = (int *) yyalloc( new_size , yyscanner );
 
 		else
-			yyg->yy_start_stack = (int *) conf_parser_realloc((void *) yyg->yy_start_stack,new_size ,yyscanner );
+			yyg->yy_start_stack = (int *) yyrealloc(
+					(void *) yyg->yy_start_stack, new_size , yyscanner );
 
 		if ( ! yyg->yy_start_stack )
 			YY_FATAL_ERROR( "out of memory expanding start-condition stack" );
@@ -2328,11 +2519,11 @@ YY_BUFFER_STATE conf_parser__scan_bytes  (yyconst char * yybytes, yy_size_t  _yy
 #endif
 
 /* %if-c-only */
-static void yy_fatal_error (yyconst char* msg , yyscan_t yyscanner)
+static void yynoreturn yy_fatal_error (const char* msg , yyscan_t yyscanner)
 {
 	struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 	(void)yyg;
-	(void) fprintf( stderr, "%s\n", msg );
+	fprintf( stderr, "%s\n", msg );
 	exit( YY_EXIT_FAILURE );
 }
 /* %endif */
@@ -2364,7 +2555,7 @@ static void yy_fatal_error (yyconst char* msg , yyscan_t yyscanner)
 /** Get the user-defined data for this scanner.
  * @param yyscanner The scanner object.
  */
-YY_EXTRA_TYPE conf_parser_get_extra  (yyscan_t yyscanner)
+YY_EXTRA_TYPE yyget_extra  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     return yyextra;
@@ -2375,10 +2566,10 @@ YY_EXTRA_TYPE conf_parser_get_extra  (yyscan_t yyscanner)
 /** Get the current line number.
  * @param yyscanner The scanner object.
  */
-int conf_parser_get_lineno  (yyscan_t yyscanner)
+int yyget_lineno  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
-    
+
         if (! YY_CURRENT_BUFFER)
             return 0;
     
@@ -2388,10 +2579,10 @@ int conf_parser_get_lineno  (yyscan_t yyscanner)
 /** Get the current column number.
  * @param yyscanner The scanner object.
  */
-int conf_parser_get_column  (yyscan_t yyscanner)
+int yyget_column  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
-    
+
         if (! YY_CURRENT_BUFFER)
             return 0;
     
@@ -2401,7 +2592,7 @@ int conf_parser_get_column  (yyscan_t yyscanner)
 /** Get the input stream.
  * @param yyscanner The scanner object.
  */
-FILE *conf_parser_get_in  (yyscan_t yyscanner)
+FILE *yyget_in  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     return yyin;
@@ -2410,7 +2601,7 @@ FILE *conf_parser_get_in  (yyscan_t yyscanner)
 /** Get the output stream.
  * @param yyscanner The scanner object.
  */
-FILE *conf_parser_get_out  (yyscan_t yyscanner)
+FILE *yyget_out  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     return yyout;
@@ -2419,7 +2610,7 @@ FILE *conf_parser_get_out  (yyscan_t yyscanner)
 /** Get the length of the current token.
  * @param yyscanner The scanner object.
  */
-yy_size_t conf_parser_get_leng  (yyscan_t yyscanner)
+int yyget_leng  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     return yyleng;
@@ -2429,7 +2620,7 @@ yy_size_t conf_parser_get_leng  (yyscan_t yyscanner)
  * @param yyscanner The scanner object.
  */
 
-char *conf_parser_get_text  (yyscan_t yyscanner)
+char *yyget_text  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     return yytext;
@@ -2441,7 +2632,7 @@ char *conf_parser_get_text  (yyscan_t yyscanner)
  * @param user_defined The data to be associated with this scanner.
  * @param yyscanner The scanner object.
  */
-void conf_parser_set_extra (YY_EXTRA_TYPE  user_defined , yyscan_t yyscanner)
+void yyset_extra (YY_EXTRA_TYPE  user_defined , yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     yyextra = user_defined ;
@@ -2453,13 +2644,13 @@ void conf_parser_set_extra (YY_EXTRA_TYPE  user_defined , yyscan_t yyscanner)
  * @param _line_number line number
  * @param yyscanner The scanner object.
  */
-void conf_parser_set_lineno (int  _line_number , yyscan_t yyscanner)
+void yyset_lineno (int  _line_number , yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 
         /* lineno is only valid if an input buffer exists. */
         if (! YY_CURRENT_BUFFER )
-           YY_FATAL_ERROR( "conf_parser_set_lineno called with no buffer" );
+           YY_FATAL_ERROR( "yyset_lineno called with no buffer" );
     
     yylineno = _line_number;
 }
@@ -2468,13 +2659,13 @@ void conf_parser_set_lineno (int  _line_number , yyscan_t yyscanner)
  * @param _column_no column number
  * @param yyscanner The scanner object.
  */
-void conf_parser_set_column (int  _column_no , yyscan_t yyscanner)
+void yyset_column (int  _column_no , yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 
         /* column is only valid if an input buffer exists. */
         if (! YY_CURRENT_BUFFER )
-           YY_FATAL_ERROR( "conf_parser_set_column called with no buffer" );
+           YY_FATAL_ERROR( "yyset_column called with no buffer" );
     
     yycolumn = _column_no;
 }
@@ -2483,27 +2674,27 @@ void conf_parser_set_column (int  _column_no , yyscan_t yyscanner)
  * input buffer.
  * @param _in_str A readable stream.
  * @param yyscanner The scanner object.
- * @see conf_parser__switch_to_buffer
+ * @see yy_switch_to_buffer
  */
-void conf_parser_set_in (FILE *  _in_str , yyscan_t yyscanner)
+void yyset_in (FILE *  _in_str , yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     yyin = _in_str ;
 }
 
-void conf_parser_set_out (FILE *  _out_str , yyscan_t yyscanner)
+void yyset_out (FILE *  _out_str , yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     yyout = _out_str ;
 }
 
-int conf_parser_get_debug  (yyscan_t yyscanner)
+int yyget_debug  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     return yy_flex_debug;
 }
 
-void conf_parser_set_debug (int  _bdebug , yyscan_t yyscanner)
+void yyset_debug (int  _bdebug , yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     yy_flex_debug = _bdebug ;
@@ -2516,13 +2707,13 @@ void conf_parser_set_debug (int  _bdebug , yyscan_t yyscanner)
 
 /* %if-bison-bridge */
 
-YYSTYPE * conf_parser_get_lval  (yyscan_t yyscanner)
+YYSTYPE * yyget_lval  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     return yylval;
 }
 
-void conf_parser_set_lval (YYSTYPE *  yylval_param , yyscan_t yyscanner)
+void yyset_lval (YYSTYPE *  yylval_param , yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     yylval = yylval_param;
@@ -2532,20 +2723,18 @@ void conf_parser_set_lval (YYSTYPE *  yylval_param , yyscan_t yyscanner)
 
 /* User-visible API */
 
-/* conf_parser_lex_init is special because it creates the scanner itself, so it is
+/* yylex_init is special because it creates the scanner itself, so it is
  * the ONLY reentrant function that doesn't take the scanner as the last argument.
  * That's why we explicitly handle the declaration, instead of using our macros.
  */
-
-int conf_parser_lex_init(yyscan_t* ptr_yy_globals)
-
+int yylex_init(yyscan_t* ptr_yy_globals)
 {
     if (ptr_yy_globals == NULL){
         errno = EINVAL;
         return 1;
     }
 
-    *ptr_yy_globals = (yyscan_t) conf_parser_alloc ( sizeof( struct yyguts_t ), NULL );
+    *ptr_yy_globals = (yyscan_t) yyalloc ( sizeof( struct yyguts_t ), NULL );
 
     if (*ptr_yy_globals == NULL){
         errno = ENOMEM;
@@ -2558,39 +2747,37 @@ int conf_parser_lex_init(yyscan_t* ptr_yy_globals)
     return yy_init_globals ( *ptr_yy_globals );
 }
 
-/* conf_parser_lex_init_extra has the same functionality as conf_parser_lex_init, but follows the
+/* yylex_init_extra has the same functionality as yylex_init, but follows the
  * convention of taking the scanner as the last argument. Note however, that
  * this is a *pointer* to a scanner, as it will be allocated by this call (and
  * is the reason, too, why this function also must handle its own declaration).
- * The user defined value in the first argument will be available to conf_parser_alloc in
+ * The user defined value in the first argument will be available to yyalloc in
  * the yyextra field.
  */
-
-int conf_parser_lex_init_extra(YY_EXTRA_TYPE yy_user_defined,yyscan_t* ptr_yy_globals )
-
+int yylex_init_extra( YY_EXTRA_TYPE yy_user_defined, yyscan_t* ptr_yy_globals )
 {
     struct yyguts_t dummy_yyguts;
 
-    conf_parser_set_extra (yy_user_defined, &dummy_yyguts);
+    yyset_extra (yy_user_defined, &dummy_yyguts);
 
     if (ptr_yy_globals == NULL){
         errno = EINVAL;
         return 1;
     }
-	
-    *ptr_yy_globals = (yyscan_t) conf_parser_alloc ( sizeof( struct yyguts_t ), &dummy_yyguts );
-	
+
+    *ptr_yy_globals = (yyscan_t) yyalloc ( sizeof( struct yyguts_t ), &dummy_yyguts );
+
     if (*ptr_yy_globals == NULL){
         errno = ENOMEM;
         return 1;
     }
-    
+
     /* By setting to 0xAA, we expose bugs in
     yy_init_globals. Leave at 0x00 for releases. */
     memset(*ptr_yy_globals,0x00,sizeof(struct yyguts_t));
-    
-    conf_parser_set_extra (yy_user_defined, *ptr_yy_globals);
-    
+
+    yyset_extra (yy_user_defined, *ptr_yy_globals);
+
     return yy_init_globals ( *ptr_yy_globals );
 }
 
@@ -2601,13 +2788,13 @@ static int yy_init_globals (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
     /* Initialization is the same as for the non-reentrant scanner.
-     * This function is called from conf_parser_lex_destroy(), so don't allocate here.
+     * This function is called from yylex_destroy(), so don't allocate here.
      */
 
-    yyg->yy_buffer_stack = 0;
+    yyg->yy_buffer_stack = NULL;
     yyg->yy_buffer_stack_top = 0;
     yyg->yy_buffer_stack_max = 0;
-    yyg->yy_c_buf_p = (char *) 0;
+    yyg->yy_c_buf_p = NULL;
     yyg->yy_init = 0;
     yyg->yy_start = 0;
 
@@ -2620,45 +2807,45 @@ static int yy_init_globals (yyscan_t yyscanner)
     yyin = stdin;
     yyout = stdout;
 #else
-    yyin = (FILE *) 0;
-    yyout = (FILE *) 0;
+    yyin = NULL;
+    yyout = NULL;
 #endif
 
     /* For future reference: Set errno on error, since we are called by
-     * conf_parser_lex_init()
+     * yylex_init()
      */
     return 0;
 }
 /* %endif */
 
 /* %if-c-only SNIP! this currently causes conflicts with the c++ scanner */
-/* conf_parser_lex_destroy is for both reentrant and non-reentrant scanners. */
-int conf_parser_lex_destroy  (yyscan_t yyscanner)
+/* yylex_destroy is for both reentrant and non-reentrant scanners. */
+int yylex_destroy  (yyscan_t yyscanner)
 {
     struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 
     /* Pop the buffer stack, destroying each element. */
 	while(YY_CURRENT_BUFFER){
-		conf_parser__delete_buffer(YY_CURRENT_BUFFER ,yyscanner );
+		yy_delete_buffer( YY_CURRENT_BUFFER , yyscanner );
 		YY_CURRENT_BUFFER_LVALUE = NULL;
-		conf_parser_pop_buffer_state(yyscanner);
+		yypop_buffer_state(yyscanner);
 	}
 
 	/* Destroy the stack itself. */
-	conf_parser_free(yyg->yy_buffer_stack ,yyscanner);
+	yyfree(yyg->yy_buffer_stack , yyscanner);
 	yyg->yy_buffer_stack = NULL;
 
     /* Destroy the start condition stack. */
-        conf_parser_free(yyg->yy_start_stack ,yyscanner );
+        yyfree( yyg->yy_start_stack , yyscanner );
         yyg->yy_start_stack = NULL;
 
     /* Reset the globals. This is important in a non-reentrant scanner so the next time
-     * conf_parser_lex() is called, initialization will occur. */
+     * yylex() is called, initialization will occur. */
     yy_init_globals( yyscanner);
 
 /* %if-reentrant */
     /* Destroy the main struct (reentrant only). */
-    conf_parser_free ( yyscanner , yyscanner );
+    yyfree ( yyscanner , yyscanner );
     yyscanner = NULL;
 /* %endif */
     return 0;
@@ -2670,7 +2857,7 @@ int conf_parser_lex_destroy  (yyscan_t yyscanner)
  */
 
 #ifndef yytext_ptr
-static void yy_flex_strncpy (char* s1, yyconst char * s2, int n , yyscan_t yyscanner)
+static void yy_flex_strncpy (char* s1, const char * s2, int n , yyscan_t yyscanner)
 {
 	struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 	(void)yyg;
@@ -2682,7 +2869,7 @@ static void yy_flex_strncpy (char* s1, yyconst char * s2, int n , yyscan_t yysca
 #endif
 
 #ifdef YY_NEED_STRLEN
-static int yy_flex_strlen (yyconst char * s , yyscan_t yyscanner)
+static int yy_flex_strlen (const char * s , yyscan_t yyscanner)
 {
 	int n;
 	for ( n = 0; s[n]; ++n )
@@ -2692,14 +2879,14 @@ static int yy_flex_strlen (yyconst char * s , yyscan_t yyscanner)
 }
 #endif
 
-void *conf_parser_alloc (yy_size_t  size , yyscan_t yyscanner)
+void *yyalloc (yy_size_t  size , yyscan_t yyscanner)
 {
 	struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 	(void)yyg;
-	return (void *) malloc( size );
+	return malloc(size);
 }
 
-void *conf_parser_realloc  (void * ptr, yy_size_t  size , yyscan_t yyscanner)
+void *yyrealloc  (void * ptr, yy_size_t  size , yyscan_t yyscanner)
 {
 	struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 	(void)yyg;
@@ -2711,14 +2898,14 @@ void *conf_parser_realloc  (void * ptr, yy_size_t  size , yyscan_t yyscanner)
 	 * any pointer type to void*, and deal with argument conversions
 	 * as though doing an assignment.
 	 */
-	return (void *) realloc( (char *) ptr, size );
+	return realloc(ptr, size);
 }
 
-void conf_parser_free (void * ptr , yyscan_t yyscanner)
+void yyfree (void * ptr , yyscan_t yyscanner)
 {
 	struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
 	(void)yyg;
-	free( (char *) ptr );	/* see conf_parser_realloc() for (char *) cast */
+	free( (char *) ptr );	/* see yyrealloc() for (char *) cast */
 }
 
 /* %if-tables-serialization definitions */
@@ -2728,8 +2915,7 @@ void conf_parser_free (void * ptr , yyscan_t yyscanner)
 
 /* %ok-for-header */
 
-#line 163 "parser/lexer.l"
-
+#line 168 "parser/lexer.l"
 
 
 /**
diff --git a/src/starter/parser/lexer.l b/src/starter/parser/lexer.l
index fb23a0f93..b81d6ce74 100644
--- a/src/starter/parser/lexer.l
+++ b/src/starter/parser/lexer.l
@@ -33,6 +33,11 @@ static void include_files(parser_helper_t *ctx);
 /* do not declare unneeded functions */
 %option noinput noyywrap
 
+/* do not include unistd.h as it might conflict with our scanner states */
+%option nounistd
+/* due to that disable interactive mode, which requires isatty() */
+%option never-interactive
+
 /* don't use global variables, and interact properly with bison */
 %option reentrant bison-bridge
 
diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c
index 17a3663fe..33d735164 100644
--- a/src/stroke/stroke_keywords.c
+++ b/src/stroke/stroke_keywords.c
@@ -1,4 +1,4 @@
-/* C code produced by gperf version 3.0.4 */
+/* ANSI-C code produced by gperf version 3.1 */
 /* Command-line: /usr/bin/gperf -m 10 -D -C -G -t  */
 /* Computed positions: -k'1,5,7' */
 
@@ -26,7 +26,7 @@
       && ('w' == 119) && ('x' == 120) && ('y' == 121) && ('z' == 122) \
       && ('{' == 123) && ('|' == 124) && ('}' == 125) && ('~' == 126))
 /* The character set is not based on ISO-646.  */
-error "gperf generated tables don't work with this execution character set. Please report a bug to <bug-gnu-gperf@gnu.org>."
+#error "gperf generated tables don't work with this execution character set. Please report a bug to <bug-gperf@gnu.org>."
 #endif
 
 
@@ -69,9 +69,7 @@ inline
 #endif
 #endif
 static unsigned int
-hash (str, len)
-     register const char *str;
-     register unsigned int len;
+hash (register const char *str, register size_t len)
 {
   static const unsigned char asso_values[] =
     {
@@ -102,7 +100,7 @@ hash (str, len)
       60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
       60, 60, 60, 60, 60, 60
     };
-  register int hval = len;
+  register unsigned int hval = len;
 
   switch (hval)
     {
@@ -175,7 +173,7 @@ static const struct stroke_token wordlist[] =
     {"resetcounters",   STROKE_COUNTERS_RESET}
   };
 
-static const short lookup[] =
+static const signed char lookup[] =
   {
     -1, -1, -1,  0,  1,  2, -1,  3, -1,  4, -1,  5,  6,  7,
      8,  9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21,
@@ -184,22 +182,14 @@ static const short lookup[] =
     -1, 46, -1, 47
   };
 
-#ifdef __GNUC__
-__inline
-#if defined __GNUC_STDC_INLINE__ || defined __GNUC_GNU_INLINE__
-__attribute__ ((__gnu_inline__))
-#endif
-#endif
 const struct stroke_token *
-in_word_set (str, len)
-     register const char *str;
-     register unsigned int len;
+in_word_set (register const char *str, register size_t len)
 {
   if (len <= MAX_WORD_LENGTH && len >= MIN_WORD_LENGTH)
     {
-      register int key = hash (str, len);
+      register unsigned int key = hash (str, len);
 
-      if (key <= MAX_HASH_VALUE && key >= 0)
+      if (key <= MAX_HASH_VALUE)
         {
           register int index = lookup[key];
 
diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h
index 4e0b66b3d..fa86ccb47 100644
--- a/src/stroke/stroke_keywords.h
+++ b/src/stroke/stroke_keywords.h
@@ -74,6 +74,6 @@ typedef enum {
 typedef struct stroke_token stroke_token_t;
 
 extern const stroke_token_t* in_word_set(register const char *str,
-										 register unsigned len);
+										 register size_t len);
 
 #endif /* _STROKE_KEYWORDS_H_ */
diff --git a/src/sw-collector/sw-collector.c b/src/sw-collector/sw-collector.c
index f8229a192..5453eeb60 100644
--- a/src/sw-collector/sw-collector.c
+++ b/src/sw-collector/sw-collector.c
@@ -27,7 +27,7 @@
 #include "sw_collector_history.h"
 #include "sw_collector_rest_api.h"
 #include "sw_collector_dpkg.h"
-#
+
 #include <library.h>
 #include <utils/debug.h>
 #include <utils/lexparser.h>
@@ -165,7 +165,6 @@ static collector_op_t do_args(int argc, char *argv[], bool *full_tags,
 			case 'h':
 				usage();
 				exit(SUCCESS);
-				break;
 			case 'C':
 				op = COLLECTOR_OP_CHECK;
 				continue;
diff --git a/src/swanctl/commands/load_all.c b/src/swanctl/commands/load_all.c
index 26f043a6a..d0032467a 100644
--- a/src/swanctl/commands/load_all.c
+++ b/src/swanctl/commands/load_all.c
@@ -31,7 +31,7 @@ static int load_all(vici_conn_t *conn)
 	bool clear = FALSE, noprompt = FALSE;
 	command_format_options_t format = COMMAND_FORMAT_NONE;
 	settings_t *cfg;
-	char *arg, *file = SWANCTL_CONF;
+	char *arg, *file = NULL;
 	int ret = 0;
 
 	while (TRUE)
@@ -63,10 +63,9 @@ static int load_all(vici_conn_t *conn)
 		break;
 	}
 
-	cfg = settings_create(file);
+	cfg = load_swanctl_conf(file);
 	if (!cfg)
 	{
-		fprintf(stderr, "parsing '%s' failed\n", file);
 		return EINVAL;
 	}
 
diff --git a/src/swanctl/commands/load_authorities.c b/src/swanctl/commands/load_authorities.c
index 61682a386..a4e1f46d3 100644
--- a/src/swanctl/commands/load_authorities.c
+++ b/src/swanctl/commands/load_authorities.c
@@ -55,8 +55,9 @@ static bool add_file_key_value(vici_req_t *req, char *key, char *value)
 	else
 	{
 		path = buf;
-		snprintf(path, PATH_MAX, "%s%s%s",
-				 SWANCTL_X509CADIR, DIRECTORY_SEPARATOR, value);
+		snprintf(path, PATH_MAX, "%s%s%s%s%s", swanctl_dir,
+				 DIRECTORY_SEPARATOR, SWANCTL_X509CADIR,
+				 DIRECTORY_SEPARATOR, value);
 	}
 	map = chunk_map(path, FALSE);
 
@@ -83,7 +84,6 @@ static bool add_key_values(vici_req_t *req, enumerator_t *enumerator)
 	char *key, *value;
 	bool ret = TRUE;
 
-
 	while (enumerator->enumerate(enumerator, &key, &value))
 	{
 		if (streq(key, "cacert"))
@@ -310,7 +310,7 @@ static int load_authorities(vici_conn_t *conn)
 {
 	command_format_options_t format = COMMAND_FORMAT_NONE;
 	settings_t *cfg;
-	char *arg, *file = SWANCTL_CONF;
+	char *arg, *file = NULL;
 	int ret;
 
 	while (TRUE)
@@ -336,10 +336,9 @@ static int load_authorities(vici_conn_t *conn)
 		break;
 	}
 
-	cfg = settings_create(file);
+	cfg = load_swanctl_conf(file);
 	if (!cfg)
 	{
-		fprintf(stderr, "parsing '%s' failed\n", file);
 		return EINVAL;
 	}
 
diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c
index dad03945d..de23816fb 100644
--- a/src/swanctl/commands/load_conns.c
+++ b/src/swanctl/commands/load_conns.c
@@ -120,20 +120,23 @@ static bool add_file_list_key(vici_req_t *req, char *key, char *value)
 			{
 				if (streq(key, "certs"))
 				{
-					snprintf(buf, sizeof(buf), "%s%s%s",
-							 SWANCTL_X509DIR, DIRECTORY_SEPARATOR, token);
+					snprintf(buf, sizeof(buf), "%s%s%s%s%s", swanctl_dir,
+							 DIRECTORY_SEPARATOR, SWANCTL_X509DIR,
+							 DIRECTORY_SEPARATOR, token);
 					token = buf;
 				}
 				else if (streq(key, "cacerts"))
 				{
-					snprintf(buf, sizeof(buf), "%s%s%s",
-							 SWANCTL_X509CADIR, DIRECTORY_SEPARATOR, token);
+					snprintf(buf, sizeof(buf), "%s%s%s%s%s", swanctl_dir,
+							 DIRECTORY_SEPARATOR, SWANCTL_X509CADIR,
+							 DIRECTORY_SEPARATOR, token);
 					token = buf;
 				}
 				else if (streq(key, "pubkeys"))
 				{
-					snprintf(buf, sizeof(buf), "%s%s%s",
-							 SWANCTL_PUBKEYDIR, DIRECTORY_SEPARATOR, token);
+					snprintf(buf, sizeof(buf), "%s%s%s%s%s", swanctl_dir,
+							 DIRECTORY_SEPARATOR, SWANCTL_PUBKEYDIR,
+							 DIRECTORY_SEPARATOR, token);
 					token = buf;
 				}
 			}
@@ -425,7 +428,7 @@ static int load_conns(vici_conn_t *conn)
 {
 	command_format_options_t format = COMMAND_FORMAT_NONE;
 	settings_t *cfg;
-	char *arg, *file = SWANCTL_CONF;
+	char *arg, *file = NULL;
 	int ret;
 
 	while (TRUE)
@@ -451,10 +454,9 @@ static int load_conns(vici_conn_t *conn)
 		break;
 	}
 
-	cfg = settings_create(file);
+	cfg = load_swanctl_conf(file);
 	if (!cfg)
 	{
-		fprintf(stderr, "parsing '%s' failed\n", file);
 		return EINVAL;
 	}
 
diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c
index a9e352f7e..9a38b5d1e 100644
--- a/src/swanctl/commands/load_creds.c
+++ b/src/swanctl/commands/load_creds.c
@@ -106,10 +106,13 @@ static void load_certs(load_ctx_t *ctx, char *type_str, char *dir)
 	x509_flag_t flag;
 	struct stat st;
 	chunk_t *map;
-	char *path;
+	char *path, buf[PATH_MAX];
 
 	vici_cert_info_from_str(type_str, &type, &flag);
 
+	snprintf(buf, sizeof(buf), "%s%s%s", swanctl_dir, DIRECTORY_SEPARATOR, dir);
+	dir = buf;
+
 	enumerator = enumerator_create_directory(dir);
 	if (enumerator)
 	{
@@ -428,7 +431,10 @@ static void load_keys(load_ctx_t *ctx, char *type, char *dir)
 	enumerator_t *enumerator;
 	struct stat st;
 	chunk_t *map;
-	char *path, *rel;
+	char *path, *rel, buf[PATH_MAX];
+
+	snprintf(buf, sizeof(buf), "%s%s%s", swanctl_dir, DIRECTORY_SEPARATOR, dir);
+	dir = buf;
 
 	enumerator = enumerator_create_directory(dir);
 	if (enumerator)
@@ -535,7 +541,10 @@ static void load_containers(load_ctx_t *ctx, char *type, char *dir)
 	enumerator_t *enumerator;
 	struct stat st;
 	chunk_t *map;
-	char *path, *rel;
+	char *path, *rel, buf[PATH_MAX];
+
+	snprintf(buf, sizeof(buf), "%s%s%s", swanctl_dir, DIRECTORY_SEPARATOR, dir);
+	dir = buf;
 
 	enumerator = enumerator_create_directory(dir);
 	if (enumerator)
@@ -946,7 +955,7 @@ static int load_creds(vici_conn_t *conn)
 	bool clear = FALSE, noprompt = FALSE;
 	command_format_options_t format = COMMAND_FORMAT_NONE;
 	settings_t *cfg;
-	char *arg, *file = SWANCTL_CONF;
+	char *arg, *file = NULL;
 	int ret;
 
 	while (TRUE)
@@ -978,10 +987,9 @@ static int load_creds(vici_conn_t *conn)
 		break;
 	}
 
-	cfg = settings_create(file);
+	cfg = load_swanctl_conf(file);
 	if (!cfg)
 	{
-		fprintf(stderr, "parsing '%s' failed\n", file);
 		return EINVAL;
 	}
 
diff --git a/src/swanctl/commands/load_pools.c b/src/swanctl/commands/load_pools.c
index ec9508efb..0ff6827e1 100644
--- a/src/swanctl/commands/load_pools.c
+++ b/src/swanctl/commands/load_pools.c
@@ -251,7 +251,7 @@ static int load_pools(vici_conn_t *conn)
 {
 	command_format_options_t format = COMMAND_FORMAT_NONE;
 	settings_t *cfg;
-	char *arg, *file = SWANCTL_CONF;
+	char *arg, *file = NULL;
 	int ret;
 
 	while (TRUE)
@@ -277,10 +277,9 @@ static int load_pools(vici_conn_t *conn)
 		break;
 	}
 
-	cfg = settings_create(file);
+	cfg = load_swanctl_conf(file);
 	if (!cfg)
 	{
-		fprintf(stderr, "parsing '%s' failed\n", file);
 		return EINVAL;
 	}
 
diff --git a/src/swanctl/commands/rekey.c b/src/swanctl/commands/rekey.c
index f44ecaa3c..65a402029 100644
--- a/src/swanctl/commands/rekey.c
+++ b/src/swanctl/commands/rekey.c
@@ -118,7 +118,7 @@ static void __attribute__ ((constructor))reg()
 {
 	command_register((command_t) {
 		rekey, 'R', "rekey", "rekey an SA",
-		{"--child <name> | --ike <name | --child-id <id> | --ike-id <id>",
+		{"--child <name> | --ike <name> | --child-id <id> | --ike-id <id>",
 		 "[--reauth] [--raw|--pretty]"},
 		{
 			{"help",		'h', 0, "show usage information"},
diff --git a/src/swanctl/commands/terminate.c b/src/swanctl/commands/terminate.c
index bce404a54..2309843b2 100644
--- a/src/swanctl/commands/terminate.c
+++ b/src/swanctl/commands/terminate.c
@@ -150,7 +150,7 @@ static void __attribute__ ((constructor))reg()
 {
 	command_register((command_t) {
 		terminate, 't', "terminate", "terminate a connection",
-		{"--child <name> | --ike <name | --child-id <id> | --ike-id <id>",
+		{"--child <name> | --ike <name> | --child-id <id> | --ike-id <id>",
 		 "[--timeout <s>] [--raw|--pretty]"},
 		{
 			{"help",		'h', 0, "show usage information"},
diff --git a/src/swanctl/swanctl.c b/src/swanctl/swanctl.c
index dc5af79a7..cfc82f9d7 100644
--- a/src/swanctl/swanctl.c
+++ b/src/swanctl/swanctl.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
@@ -13,17 +16,55 @@
  * for more details.
  */
 
+#include "swanctl.h"
 #include "command.h"
 
 #include <unistd.h>
 
 #include <library.h>
 
+/*
+ * Described in header
+ */
+char *swanctl_dir;
+
+/*
+ * Described in header
+ */
+settings_t *load_swanctl_conf(char *file)
+{
+	settings_t *cfg;
+	char buf[PATH_MAX];
+
+	if (!file)
+	{
+		if (!strlen(swanctl_dir))
+		{
+			free(swanctl_dir);
+			swanctl_dir = strdup(getcwd(buf, sizeof(buf)));
+		}
+		file = buf;
+		snprintf(buf, sizeof(buf), "%s%s%s", swanctl_dir,
+				 DIRECTORY_SEPARATOR, SWANCTL_CONF);
+	}
+
+	cfg = settings_create(file);
+	if (!cfg)
+	{
+		fprintf(stderr, "parsing '%s' failed\n", file);
+		return NULL;
+	}
+	free(swanctl_dir);
+	swanctl_dir = path_dirname(file);
+	return cfg;
+}
+
 /**
  * Cleanup library atexit()
  */
 static void cleanup()
 {
+	free(swanctl_dir);
 	lib->processor->cancel(lib->processor);
 	library_deinit();
 }
@@ -49,6 +90,9 @@ int main(int argc, char *argv[])
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
 	}
+
+	swanctl_dir = strdup(getenv("SWANCTL_DIR") ?: SWANCTLDIR);
+
 	dbg_default_set_level(0);
 	lib->processor->set_threads(lib->processor, 4);
 	dbg_default_set_level(1);
diff --git a/src/swanctl/swanctl.h b/src/swanctl/swanctl.h
index eac1fc6d0..f0c334f7e 100644
--- a/src/swanctl/swanctl.h
+++ b/src/swanctl/swanctl.h
@@ -1,11 +1,11 @@
 /*
- * Copyright (C) 2014 Martin Willi
- * Copyright (C) 2014 revosec AG
- *
- * Copyright (C) 2016 Tobias Brunner
+ * Copyright (C) 2016-2018 Tobias Brunner
  * Copyright (C) 2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -25,74 +25,90 @@
 #ifndef SWANCTL_H_
 #define SWANCTL_H_
 
+#include <settings/settings.h>
+
+/**
+ * Base directory for credentials and config
+ */
+char *swanctl_dir;
+
 /**
  * Configuration file for connections, etc.
  */
-#define SWANCTL_CONF SWANCTLDIR "/swanctl.conf"
+#define SWANCTL_CONF "swanctl.conf"
 
 /**
  * Directory for X.509 end entity certs
  */
-#define SWANCTL_X509DIR SWANCTLDIR "/x509"
+#define SWANCTL_X509DIR "x509"
 
 /**
  * Directory for X.509 CA certs
  */
-#define SWANCTL_X509CADIR SWANCTLDIR "/x509ca"
+#define SWANCTL_X509CADIR "x509ca"
 
 /**
  * Directory for X.509 Attribute Authority certs
  */
-#define SWANCTL_X509AADIR SWANCTLDIR "/x509aa"
+#define SWANCTL_X509AADIR "x509aa"
 
 /**
  * Directory for X.509 OCSP Signer certs
  */
-#define SWANCTL_X509OCSPDIR SWANCTLDIR "/x509ocsp"
+#define SWANCTL_X509OCSPDIR "x509ocsp"
 
 /**
  * Directory for X.509 CRLs
  */
-#define SWANCTL_X509CRLDIR SWANCTLDIR "/x509crl"
+#define SWANCTL_X509CRLDIR "x509crl"
 
 /**
  * Directory for X.509 Attribute certificates
  */
-#define SWANCTL_X509ACDIR SWANCTLDIR "/x509ac"
+#define SWANCTL_X509ACDIR "x509ac"
 
 /**
  * Directory for raw public keys
  */
-#define SWANCTL_PUBKEYDIR SWANCTLDIR "/pubkey"
+#define SWANCTL_PUBKEYDIR "pubkey"
 
 /**
  * Directory for private keys
  */
-#define SWANCTL_PRIVATEDIR SWANCTLDIR "/private"
+#define SWANCTL_PRIVATEDIR "private"
 
 /**
  * Directory for RSA private keys
  */
-#define SWANCTL_RSADIR SWANCTLDIR "/rsa"
+#define SWANCTL_RSADIR "rsa"
 
 /**
  * Directory for ECDSA private keys
  */
-#define SWANCTL_ECDSADIR SWANCTLDIR "/ecdsa"
+#define SWANCTL_ECDSADIR "ecdsa"
 
 /**
  * Directory for BLISS private keys
  */
-#define SWANCTL_BLISSDIR SWANCTLDIR "/bliss"
+#define SWANCTL_BLISSDIR "bliss"
 
 /**
  * Directory for PKCS#8 encoded private keys
  */
-#define SWANCTL_PKCS8DIR SWANCTLDIR "/pkcs8"
+#define SWANCTL_PKCS8DIR "pkcs8"
 
 /**
  * Directory for PKCS#12 containers
  */
-#define SWANCTL_PKCS12DIR SWANCTLDIR "/pkcs12"
+#define SWANCTL_PKCS12DIR "pkcs12"
+
+/**
+ * Load swanctl.conf, optionally from a custom path. Sets the base dir relative
+ * to that file.
+ *
+ * @param file		optional custom path to swanctl.conf, NULL to use default
+ * @return			settings, or NULL if loading failed
+ */
+settings_t *load_swanctl_conf(char *file);
 
 #endif /** SWANCTL_H_ @}*/
diff --git a/testing/config/kernel/config-4.19 b/testing/config/kernel/config-4.19
new file mode 100644
index 000000000..79cf9e71e
--- /dev/null
+++ b/testing/config/kernel/config-4.19
@@ -0,0 +1,2690 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 4.19.0 Kernel Configuration
+#
+
+#
+# Compiler: gcc (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0
+#
+CONFIG_CC_IS_GCC=y
+CONFIG_GCC_VERSION=70300
+CONFIG_CLANG_VERSION=0
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+CONFIG_THREAD_INFO_IN_TASK=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+# CONFIG_COMPILE_TEST is not set
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_BUILD_SALT=""
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_HAVE_KERNEL_LZ4=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_USELIB=y
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_DOMAIN=y
+CONFIG_IRQ_DOMAIN_HIERARCHY=y
+CONFIG_GENERIC_MSI_IRQ=y
+CONFIG_GENERIC_MSI_IRQ_DOMAIN=y
+CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y
+CONFIG_GENERIC_IRQ_RESERVATION_MODE=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_RCU_EXPERT is not set
+CONFIG_SRCU=y
+CONFIG_TINY_SRCU=y
+CONFIG_BUILD_BIN2C=y
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
+CONFIG_ARCH_SUPPORTS_INT128=y
+CONFIG_CGROUPS=y
+CONFIG_PAGE_COUNTER=y
+CONFIG_MEMCG=y
+CONFIG_MEMCG_SWAP=y
+CONFIG_MEMCG_SWAP_ENABLED=y
+CONFIG_MEMCG_KMEM=y
+CONFIG_BLK_CGROUP=y
+# CONFIG_DEBUG_BLK_CGROUP is not set
+CONFIG_CGROUP_WRITEBACK=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
+CONFIG_CFS_BANDWIDTH=y
+# CONFIG_RT_GROUP_SCHED is not set
+CONFIG_CGROUP_PIDS=y
+# CONFIG_CGROUP_RDMA is not set
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_PERF=y
+# CONFIG_CGROUP_DEBUG is not set
+CONFIG_SOCK_CGROUP_DATA=y
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BPF=y
+# CONFIG_EXPERT is not set
+CONFIG_MULTIUSER=y
+CONFIG_SGETMASK_SYSCALL=y
+CONFIG_SYSFS_SYSCALL=y
+CONFIG_FHANDLE=y
+CONFIG_POSIX_TIMERS=y
+CONFIG_PRINTK=y
+CONFIG_PRINTK_NMI=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_FUTEX_PI=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_ADVISE_SYSCALLS=y
+CONFIG_MEMBARRIER=y
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_KALLSYMS_BASE_RELATIVE=y
+# CONFIG_BPF_SYSCALL is not set
+# CONFIG_USERFAULTFD is not set
+CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y
+CONFIG_RSEQ=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+CONFIG_SLAB_MERGE_DEFAULT=y
+# CONFIG_SLAB_FREELIST_RANDOM is not set
+# CONFIG_PROFILING is not set
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_ARCH_MMAP_RND_BITS_MIN=28
+CONFIG_ARCH_MMAP_RND_BITS_MAX=32
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_FILTER_PGPROT=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_FIX_EARLYCON_MEM=y
+CONFIG_PGTABLE_LEVELS=4
+CONFIG_CC_HAS_SANE_STACKPROTECTOR=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_FEATURE_NAMES=y
+CONFIG_X86_MPPARSE=y
+# CONFIG_GOLDFISH is not set
+CONFIG_RETPOLINE=y
+# CONFIG_INTEL_RDT is not set
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_GOLDFISH is not set
+# CONFIG_X86_INTEL_MID is not set
+# CONFIG_X86_INTEL_LPSS is not set
+# CONFIG_X86_AMD_PLATFORM_DEVICE is not set
+CONFIG_IOSF_MBI=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+# CONFIG_HYPERVISOR_GUEST is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_NR_CPUS_RANGE_BEGIN=1
+CONFIG_NR_CPUS_RANGE_END=1
+CONFIG_NR_CPUS_DEFAULT=1
+CONFIG_NR_CPUS=1
+CONFIG_UP_LATE_INIT=y
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+
+#
+# Performance monitoring
+#
+CONFIG_PERF_EVENTS_INTEL_UNCORE=y
+CONFIG_PERF_EVENTS_INTEL_RAPL=y
+CONFIG_PERF_EVENTS_INTEL_CSTATE=y
+# CONFIG_PERF_EVENTS_AMD_POWER is not set
+CONFIG_X86_16BIT=y
+CONFIG_X86_ESPFIX64=y
+CONFIG_X86_VSYSCALL_EMULATION=y
+# CONFIG_I8K is not set
+CONFIG_MICROCODE=y
+CONFIG_MICROCODE_INTEL=y
+# CONFIG_MICROCODE_AMD is not set
+CONFIG_MICROCODE_OLD_INTERFACE=y
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+# CONFIG_X86_5LEVEL is not set
+CONFIG_X86_DIRECT_GBPAGES=y
+CONFIG_ARCH_HAS_MEM_ENCRYPT=y
+# CONFIG_AMD_MEM_ENCRYPT is not set
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+# CONFIG_X86_PMEM_LEGACY is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+CONFIG_X86_INTEL_UMIP=y
+# CONFIG_X86_INTEL_MPX is not set
+CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_KEXEC_FILE is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_PHYSICAL_ALIGN=0x1000000
+CONFIG_LEGACY_VSYSCALL_EMULATE=y
+# CONFIG_LEGACY_VSYSCALL_NONE is not set
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_MODIFY_LDT_SYSCALL=y
+CONFIG_HAVE_LIVEPATCH=y
+CONFIG_ARCH_HAS_ADD_PAGES=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+CONFIG_PM_CLK=y
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_ARCH_SUPPORTS_ACPI=y
+CONFIG_ACPI=y
+CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y
+CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
+CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y
+# CONFIG_ACPI_DEBUGGER is not set
+CONFIG_ACPI_SPCR_TABLE=y
+CONFIG_ACPI_LPIT=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS_POWER is not set
+CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_TAD is not set
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_CPU_FREQ_PSS=y
+CONFIG_ACPI_PROCESSOR_CSTATE=y
+CONFIG_ACPI_PROCESSOR_IDLE=y
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+CONFIG_ACPI_HOTPLUG_IOAPIC=y
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_NFIT is not set
+CONFIG_HAVE_ACPI_APEI=y
+CONFIG_HAVE_ACPI_APEI_NMI=y
+# CONFIG_ACPI_APEI is not set
+# CONFIG_DPTF_POWER is not set
+# CONFIG_PMIC_OPREGION is not set
+# CONFIG_ACPI_CONFIGFS is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+
+#
+# CPU Idle
+#
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_PCI_MSI=y
+CONFIG_PCI_MSI_IRQ_DOMAIN=y
+CONFIG_PCI_QUIRKS=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_PCI_LOCKLESS_CONFIG=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+CONFIG_PCI_LABEL=y
+# CONFIG_HOTPLUG_PCI is not set
+
+#
+# PCI controller drivers
+#
+
+#
+# Cadence PCIe controllers support
+#
+# CONFIG_VMD is not set
+
+#
+# DesignWare PCI Core Support
+#
+# CONFIG_PCIE_DW_PLAT_HOST is not set
+
+#
+# PCI Endpoint
+#
+# CONFIG_PCI_ENDPOINT is not set
+
+#
+# PCI switch controller drivers
+#
+# CONFIG_PCI_SW_SWITCHTEC is not set
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_RAPIDIO is not set
+# CONFIG_X86_SYSFB is not set
+
+#
+# Binary Emulations
+#
+# CONFIG_IA32_EMULATION is not set
+# CONFIG_X86_X32 is not set
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_HAVE_GENERIC_GUP=y
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_FW_CFG_SYSFS is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# Tegra firmware driver
+#
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_VHOST_NET is not set
+# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set
+
+#
+# General architecture-dependent options
+#
+CONFIG_CRASH_CORE=y
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_FUNCTION_ERROR_INJECTION=y
+CONFIG_HAVE_NMI=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_CONTIGUOUS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_ARCH_HAS_FORTIFY_SOURCE=y
+CONFIG_ARCH_HAS_SET_MEMORY=y
+CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y
+CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_RSEQ=y
+CONFIG_HAVE_CLK=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_STACKPROTECTOR=y
+CONFIG_CC_HAS_STACKPROTECTOR_NONE=y
+CONFIG_STACKPROTECTOR=y
+CONFIG_STACKPROTECTOR_STRONG=y
+CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD=y
+CONFIG_HAVE_ARCH_HUGE_VMAP=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_HAVE_MOD_ARCH_SPECIFIC=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
+CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
+CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
+CONFIG_HAVE_EXIT_THREAD=y
+CONFIG_ARCH_MMAP_RND_BITS=28
+CONFIG_HAVE_COPY_THREAD_TLS=y
+CONFIG_HAVE_STACK_VALIDATION=y
+CONFIG_HAVE_RELIABLE_STACKTRACE=y
+CONFIG_HAVE_ARCH_VMAP_STACK=y
+CONFIG_VMAP_STACK=y
+CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y
+CONFIG_STRICT_KERNEL_RWX=y
+CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y
+CONFIG_ARCH_HAS_REFCOUNT=y
+# CONFIG_REFCOUNT_FULL is not set
+CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y
+
+#
+# GCOV-based kernel profiling
+#
+CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
+CONFIG_PLUGIN_HOSTCC=""
+CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_MODULES_TREE_LOOKUP=y
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+# CONFIG_BLK_DEV_ZONED is not set
+# CONFIG_BLK_DEV_THROTTLING is not set
+# CONFIG_BLK_CMDLINE_PARSER is not set
+# CONFIG_BLK_WBT is not set
+# CONFIG_BLK_CGROUP_IOLATENCY is not set
+# CONFIG_BLK_SED_OPAL is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+CONFIG_BLK_MQ_PCI=y
+CONFIG_BLK_MQ_VIRTIO=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_CFQ_GROUP_IOSCHED is not set
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_MQ_IOSCHED_DEADLINE=y
+CONFIG_MQ_IOSCHED_KYBER=y
+# CONFIG_IOSCHED_BFQ is not set
+CONFIG_ASN1=y
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
+CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y
+CONFIG_ARCH_USE_QUEUED_RWLOCKS=y
+CONFIG_ARCH_HAS_SYNC_CORE_BEFORE_USERMODE=y
+CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y
+CONFIG_FREEZER=y
+
+#
+# Executable file formats
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ELFCORE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+
+#
+# Memory Management options
+#
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_MEMORY_BALLOON=y
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_ARCH_WANTS_THP_SWAP=y
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_CMA is not set
+# CONFIG_ZPOOL is not set
+# CONFIG_ZBUD is not set
+# CONFIG_ZSMALLOC is not set
+CONFIG_GENERIC_EARLY_IOREMAP=y
+# CONFIG_IDLE_PAGE_TRACKING is not set
+CONFIG_ARCH_HAS_ZONE_DEVICE=y
+# CONFIG_ZONE_DEVICE is not set
+CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
+CONFIG_ARCH_HAS_PKEYS=y
+# CONFIG_PERCPU_STATS is not set
+# CONFIG_GUP_BENCHMARK is not set
+CONFIG_ARCH_HAS_PTE_SPECIAL=y
+CONFIG_NET=y
+CONFIG_NET_INGRESS=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_TLS=y
+# CONFIG_TLS_DEVICE is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+# CONFIG_XFRM_INTERFACE is not set
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+CONFIG_NET_IPGRE_DEMUX=y
+CONFIG_NET_IP_TUNNEL=y
+CONFIG_NET_IPGRE=y
+# CONFIG_SYN_COOKIES is not set
+CONFIG_NET_IPVTI=y
+CONFIG_NET_UDP_TUNNEL=y
+# CONFIG_NET_FOU is not set
+# CONFIG_NET_FOU_IP_TUNNELS is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+# CONFIG_INET_ESP_OFFLOAD is not set
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_INET_RAW_DIAG is not set
+# CONFIG_INET_DIAG_DESTROY is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+# CONFIG_INET6_ESP_OFFLOAD is not set
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+# CONFIG_IPV6_ILA is not set
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+CONFIG_IPV6_VTI=y
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_IPV6_SEG6_LWTUNNEL is not set
+# CONFIG_IPV6_SEG6_HMAC is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_INGRESS=y
+CONFIG_NETFILTER_NETLINK=y
+CONFIG_NETFILTER_FAMILY_ARP=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+# CONFIG_NETFILTER_NETLINK_OSF is not set
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_LOG_COMMON=y
+# CONFIG_NF_LOG_NETDEV is not set
+CONFIG_NETFILTER_CONNCOUNT=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CONNTRACK_LABELS is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+CONFIG_NF_NAT_REDIRECT=y
+# CONFIG_NF_TABLES is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_L2TP=y
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+# CONFIG_IP_SET_HASH_IPMARK is not set
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+# CONFIG_IP_SET_HASH_IPMAC is not set
+# CONFIG_IP_SET_HASH_MAC is not set
+# CONFIG_IP_SET_HASH_NETPORTNET is not set
+CONFIG_IP_SET_HASH_NET=y
+# CONFIG_IP_SET_HASH_NETNET is not set
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+# CONFIG_NF_SOCKET_IPV4 is not set
+# CONFIG_NF_TPROXY_IPV4 is not set
+# CONFIG_NF_DUP_IPV4 is not set
+# CONFIG_NF_LOG_ARP is not set
+CONFIG_NF_LOG_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_NF_NAT_MASQUERADE_IPV4=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+# CONFIG_IP_NF_TARGET_SYNPROXY is not set
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+# CONFIG_NF_SOCKET_IPV6 is not set
+# CONFIG_NF_TPROXY_IPV6 is not set
+# CONFIG_NF_DUP_IPV6 is not set
+CONFIG_NF_REJECT_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_NF_NAT_MASQUERADE_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+# CONFIG_IP6_NF_MATCH_SRH is not set
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+# CONFIG_IP6_NF_TARGET_SYNPROXY is not set
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+CONFIG_IP6_NF_NAT=y
+CONFIG_IP6_NF_TARGET_MASQUERADE=y
+CONFIG_IP6_NF_TARGET_NPT=y
+CONFIG_NF_DEFRAG_IPV6=y
+# CONFIG_BPFILTER is not set
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_NET_DSA is not set
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_6LOWPAN is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+CONFIG_DNS_RESOLVER=y
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_DIAG is not set
+# CONFIG_MPLS is not set
+# CONFIG_NET_NSH is not set
+# CONFIG_HSR is not set
+# CONFIG_NET_SWITCHDEV is not set
+# CONFIG_NET_L3_MASTER_DEV is not set
+# CONFIG_NET_NCSI is not set
+CONFIG_CGROUP_NET_PRIO=y
+CONFIG_CGROUP_NET_CLASSID=y
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+# CONFIG_AF_KCM is not set
+CONFIG_STREAM_PARSER=y
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+# CONFIG_PSAMPLE is not set
+# CONFIG_NET_IFE is not set
+# CONFIG_LWTUNNEL is not set
+CONFIG_DST_CACHE=y
+CONFIG_GRO_CELLS=y
+# CONFIG_NET_DEVLINK is not set
+CONFIG_MAY_USE_DEVLINK=y
+CONFIG_FAILOVER=y
+CONFIG_HAVE_EBPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER=y
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+
+#
+# Firmware loader
+#
+CONFIG_FW_LOADER=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_FW_LOADER_USER_HELPER is not set
+CONFIG_ALLOW_DEV_COREDUMP=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set
+CONFIG_GENERIC_CPU_AUTOPROBE=y
+CONFIG_GENERIC_CPU_VULNERABILITIES=y
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_GNSS is not set
+# CONFIG_MTD is not set
+# CONFIG_OF is not set
+CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_NULL_BLK is not set
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_SKD is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_VIRTIO_BLK_SCSI is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+
+#
+# NVME Support
+#
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_NVME_FC is not set
+
+#
+# Misc devices
+#
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_SRAM is not set
+# CONFIG_PCI_ENDPOINT_TEST is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module (requires I2C)
+#
+# CONFIG_INTEL_MEI is not set
+# CONFIG_INTEL_MEI_ME is not set
+# CONFIG_INTEL_MEI_TXE is not set
+# CONFIG_VMWARE_VMCI is not set
+
+#
+# Intel MIC & related support
+#
+
+#
+# Intel MIC Bus Driver
+#
+# CONFIG_INTEL_MIC_BUS is not set
+
+#
+# SCIF Bus Driver
+#
+# CONFIG_SCIF_BUS is not set
+
+#
+# VOP Bus Driver
+#
+# CONFIG_VOP_BUS is not set
+
+#
+# Intel MIC Host Driver
+#
+
+#
+# Intel MIC Card Driver
+#
+
+#
+# SCIF Driver
+#
+
+#
+# Intel MIC Coprocessor State Management (COSM) Drivers
+#
+
+#
+# VOP Driver
+#
+# CONFIG_GENWQE is not set
+# CONFIG_ECHO is not set
+# CONFIG_MISC_RTSX_PCI is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_TARGET_CORE is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_IPVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_GENEVE is not set
+# CONFIG_GTP is not set
+CONFIG_MACSEC=y
+# CONFIG_NETCONSOLE is not set
+CONFIG_TUN=y
+# CONFIG_TUN_VNET_CROSS_LE is not set
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_NLMON is not set
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+
+#
+# Distributed Switch Architecture drivers
+#
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_AGERE=y
+# CONFIG_ET131X is not set
+CONFIG_NET_VENDOR_ALACRITECH=y
+# CONFIG_SLICOSS is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+# CONFIG_ALTERA_TSE is not set
+CONFIG_NET_VENDOR_AMAZON=y
+# CONFIG_ENA_ETHERNET is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+# CONFIG_AMD_XGBE is not set
+CONFIG_NET_VENDOR_AQUANTIA=y
+# CONFIG_AQTION is not set
+# CONFIG_NET_VENDOR_ARC is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+# CONFIG_NET_VENDOR_AURORA is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BCMGENET is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+# CONFIG_SYSTEMPORT is not set
+# CONFIG_BNXT is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+CONFIG_NET_VENDOR_CADENCE=y
+# CONFIG_MACB is not set
+CONFIG_NET_VENDOR_CAVIUM=y
+# CONFIG_THUNDER_NIC_PF is not set
+# CONFIG_THUNDER_NIC_VF is not set
+# CONFIG_THUNDER_NIC_BGX is not set
+# CONFIG_THUNDER_NIC_RGX is not set
+CONFIG_CAVIUM_PTP=y
+# CONFIG_LIQUIDIO is not set
+# CONFIG_LIQUIDIO_VF is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+CONFIG_NET_VENDOR_CORTINA=y
+# CONFIG_CX_ECAT is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EZCHIP=y
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_HUAWEI=y
+# CONFIG_HINIC is not set
+CONFIG_NET_VENDOR_I825XX=y
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+# CONFIG_I40E is not set
+# CONFIG_I40EVF is not set
+# CONFIG_ICE is not set
+# CONFIG_FM10K is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX5_CORE is not set
+# CONFIG_MLXSW_CORE is not set
+# CONFIG_MLXFW is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MICROSEMI=y
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_NETERION=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_NETRONOME=y
+# CONFIG_NFP is not set
+CONFIG_NET_VENDOR_NI=y
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_ETHOC is not set
+CONFIG_NET_VENDOR_PACKET_ENGINES=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+# CONFIG_QED is not set
+CONFIG_NET_VENDOR_QUALCOMM=y
+# CONFIG_QCOM_EMAC is not set
+# CONFIG_RMNET is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RENESAS=y
+CONFIG_NET_VENDOR_ROCKER=y
+CONFIG_NET_VENDOR_SAMSUNG=y
+# CONFIG_SXGBE_ETH is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SOLARFLARE=y
+# CONFIG_SFC is not set
+# CONFIG_SFC_FALCON is not set
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC911X is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_SOCIONEXT=y
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_SYNOPSYS=y
+# CONFIG_DWC_XLGMAC is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TI_CPSW_ALE is not set
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_MDIO_DEVICE is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+
+#
+# Host-side USB support is needed for USB Network Adapter support
+#
+CONFIG_WLAN=y
+CONFIG_WLAN_VENDOR_ADMTEK=y
+CONFIG_WLAN_VENDOR_ATH=y
+# CONFIG_ATH_DEBUG is not set
+# CONFIG_ATH5K_PCI is not set
+CONFIG_WLAN_VENDOR_ATMEL=y
+CONFIG_WLAN_VENDOR_BROADCOM=y
+CONFIG_WLAN_VENDOR_CISCO=y
+CONFIG_WLAN_VENDOR_INTEL=y
+CONFIG_WLAN_VENDOR_INTERSIL=y
+# CONFIG_HOSTAP is not set
+# CONFIG_PRISM54 is not set
+CONFIG_WLAN_VENDOR_MARVELL=y
+CONFIG_WLAN_VENDOR_MEDIATEK=y
+CONFIG_WLAN_VENDOR_RALINK=y
+CONFIG_WLAN_VENDOR_REALTEK=y
+CONFIG_WLAN_VENDOR_RSI=y
+CONFIG_WLAN_VENDOR_ST=y
+CONFIG_WLAN_VENDOR_TI=y
+CONFIG_WLAN_VENDOR_ZYDAS=y
+CONFIG_WLAN_VENDOR_QUANTENNA=y
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_FUJITSU_ES is not set
+CONFIG_NET_FAILOVER=y
+# CONFIG_ISDN is not set
+# CONFIG_NVM is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_SAMSUNG is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_BYD=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+CONFIG_MOUSE_PS2_FOCALTECH=y
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+# CONFIG_RMI4_CORE is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_USERIO is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVMEM=y
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_UARTLITE is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
+# CONFIG_SERIAL_DEV_BUS is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_XILLYBUS is not set
+# CONFIG_RANDOM_TRUST_CPU is not set
+
+#
+# I2C support
+#
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_SPMI is not set
+# CONFIG_HSI is not set
+# CONFIG_PPS is not set
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+# CONFIG_PINCTRL is not set
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+# CONFIG_POWER_AVS is not set
+# CONFIG_POWER_RESET is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27XXX is not set
+# CONFIG_CHARGER_MAX8903 is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_APPLESMC is not set
+# CONFIG_SENSORS_ASPEED is not set
+# CONFIG_SENSORS_DELL_SMM is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_I5500 is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_NCT6683 is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_NPCM7XX is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+# CONFIG_THERMAL_STATISTICS is not set
+CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0
+CONFIG_THERMAL_HWMON=y
+# CONFIG_THERMAL_WRITABLE_TRIPS is not set
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_BANG_BANG is not set
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_POWER_ALLOCATOR is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+# CONFIG_INTEL_SOC_DTS_THERMAL is not set
+
+#
+# ACPI INT340X thermal drivers
+#
+# CONFIG_INT340X_THERMAL is not set
+# CONFIG_INTEL_PCH_THERMAL is not set
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_MFD_MADERA is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_INTEL_LPSS_ACPI is not set
+# CONFIG_MFD_INTEL_LPSS_PCI is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_KEMPLD is not set
+# CONFIG_MFD_MT6397 is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+CONFIG_RC_CORE=y
+CONFIG_RC_MAP=y
+# CONFIG_LIRC is not set
+CONFIG_RC_DECODERS=y
+CONFIG_IR_NEC_DECODER=y
+CONFIG_IR_RC5_DECODER=y
+CONFIG_IR_RC6_DECODER=y
+CONFIG_IR_JVC_DECODER=y
+CONFIG_IR_SONY_DECODER=y
+CONFIG_IR_SANYO_DECODER=y
+CONFIG_IR_SHARP_DECODER=y
+CONFIG_IR_MCE_KBD_DECODER=y
+CONFIG_IR_XMP_DECODER=y
+# CONFIG_IR_IMON_DECODER is not set
+# CONFIG_RC_DEVICES is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+# CONFIG_DRM_DP_CEC is not set
+
+#
+# ACP (Audio CoProcessor) Configuration
+#
+
+#
+# AMD Library routines
+#
+
+#
+# Frame buffer Devices
+#
+# CONFIG_FB is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_DUMMY_CONSOLE_COLUMNS=80
+CONFIG_DUMMY_CONSOLE_ROWS=25
+CONFIG_SOUND=y
+# CONFIG_SND is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=y
+# CONFIG_HID_ACRUX is not set
+CONFIG_HID_APPLE=y
+# CONFIG_HID_AUREAL is not set
+CONFIG_HID_BELKIN=y
+CONFIG_HID_CHERRY=y
+CONFIG_HID_CHICONY=y
+# CONFIG_HID_COUGAR is not set
+# CONFIG_HID_CMEDIA is not set
+CONFIG_HID_CYPRESS=y
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+CONFIG_HID_EZKEY=y
+# CONFIG_HID_GEMBIRD is not set
+# CONFIG_HID_GFRM is not set
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+CONFIG_HID_ITE=y
+# CONFIG_HID_JABRA is not set
+# CONFIG_HID_TWINHAN is not set
+CONFIG_HID_KENSINGTON=y
+# CONFIG_HID_LCPOWER is not set
+# CONFIG_HID_LENOVO is not set
+CONFIG_HID_LOGITECH=y
+# CONFIG_HID_LOGITECH_HIDPP is not set
+# CONFIG_LOGITECH_FF is not set
+# CONFIG_LOGIRUMBLEPAD2_FF is not set
+# CONFIG_LOGIG940_FF is not set
+# CONFIG_LOGIWHEELS_FF is not set
+# CONFIG_HID_MAGICMOUSE is not set
+# CONFIG_HID_MAYFLASH is not set
+CONFIG_HID_REDRAGON=y
+CONFIG_HID_MICROSOFT=y
+CONFIG_HID_MONTEREY=y
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_NTI is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+CONFIG_HID_PLANTRONICS=y
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEAM is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_RMI is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_UDRAW_PS3 is not set
+# CONFIG_HID_XINMO is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+# CONFIG_HID_ALPS is not set
+
+#
+# Intel ISH HID support
+#
+# CONFIG_INTEL_ISH_HID is not set
+CONFIG_USB_OHCI_LITTLE_ENDIAN=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+CONFIG_USB_PCI=y
+
+#
+# USB port drivers
+#
+
+#
+# USB Physical Layer drivers
+#
+# CONFIG_NOP_USB_XCEIV is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_TYPEC is not set
+# CONFIG_USB_ULPI_BUS is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+CONFIG_EDAC_ATOMIC_SCRUB=y
+CONFIG_EDAC_SUPPORT=y
+CONFIG_RTC_LIB=y
+CONFIG_RTC_MC146818_LIB=y
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+
+#
+# DMABUF options
+#
+# CONFIG_SYNC_FILE is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+# CONFIG_VIRT_DRIVERS is not set
+CONFIG_VIRTIO=y
+CONFIG_VIRTIO_MENU=y
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_PCI_LEGACY=y
+CONFIG_VIRTIO_BALLOON=y
+# CONFIG_VIRTIO_INPUT is not set
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACER_WIRELESS is not set
+# CONFIG_ACERHDF is not set
+# CONFIG_DELL_SMBIOS is not set
+# CONFIG_DELL_SMO8800 is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_GPD_POCKET_FAN is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_HP_WIRELESS is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ASUS_WIRELESS is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_TOSHIBA_HAPS is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_HID_EVENT is not set
+# CONFIG_INTEL_VBTN is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_INTEL_PMC_CORE is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_INTEL_RST is not set
+# CONFIG_INTEL_SMARTCONNECT is not set
+# CONFIG_PVPANIC is not set
+# CONFIG_INTEL_PMC_IPC is not set
+# CONFIG_SURFACE_PRO3_BUTTON is not set
+# CONFIG_INTEL_PUNIT_IPC is not set
+CONFIG_PMC_ATOM=y
+# CONFIG_CHROME_PLATFORMS is not set
+# CONFIG_MELLANOX_PLATFORM is not set
+CONFIG_CLKDEV_LOOKUP=y
+CONFIG_HAVE_CLK_PREPARE=y
+CONFIG_COMMON_CLK=y
+
+#
+# Common Clock Framework
+#
+# CONFIG_HWSPINLOCK is not set
+
+#
+# Clock Source drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+
+#
+# Generic IOMMU Pagetable Support
+#
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_REMOTEPROC is not set
+
+#
+# Rpmsg drivers
+#
+# CONFIG_RPMSG_VIRTIO is not set
+# CONFIG_SOUNDWIRE is not set
+
+#
+# SOC (System On Chip) specific Drivers
+#
+
+#
+# Amlogic SoC drivers
+#
+
+#
+# Broadcom SoC drivers
+#
+
+#
+# NXP/Freescale QorIQ SoC drivers
+#
+
+#
+# i.MX SoC drivers
+#
+
+#
+# Qualcomm SoC drivers
+#
+# CONFIG_SOC_TI is not set
+
+#
+# Xilinx SoC drivers
+#
+# CONFIG_XILINX_VCU is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+
+#
+# IRQ chip support
+#
+CONFIG_ARM_GIC_MAX_NR=1
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+# CONFIG_FMC is not set
+
+#
+# PHY Subsystem
+#
+# CONFIG_GENERIC_PHY is not set
+# CONFIG_BCM_KONA_USB2_PHY is not set
+# CONFIG_PHY_PXA_28NM_HSIC is not set
+# CONFIG_PHY_PXA_28NM_USB2 is not set
+# CONFIG_POWERCAP is not set
+# CONFIG_MCB is not set
+
+#
+# Performance monitor support
+#
+# CONFIG_RAS is not set
+# CONFIG_THUNDERBOLT is not set
+
+#
+# Android
+#
+# CONFIG_ANDROID is not set
+# CONFIG_LIBNVDIMM is not set
+# CONFIG_DAX is not set
+# CONFIG_NVMEM is not set
+
+#
+# HW tracing support
+#
+# CONFIG_STM is not set
+# CONFIG_INTEL_TH is not set
+# CONFIG_FPGA is not set
+# CONFIG_UNISYS_VISORBUS is not set
+# CONFIG_SIOX is not set
+# CONFIG_SLIMBUS is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_FS_IOMAP=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_FS_POSIX_ACL is not set
+# CONFIG_EXT3_FS_SECURITY is not set
+CONFIG_EXT4_FS=y
+# CONFIG_EXT4_FS_POSIX_ACL is not set
+# CONFIG_EXT4_FS_SECURITY is not set
+# CONFIG_EXT4_ENCRYPTION is not set
+# CONFIG_EXT4_DEBUG is not set
+CONFIG_JBD2=y
+# CONFIG_JBD2_DEBUG is not set
+CONFIG_FS_MBCACHE=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+# CONFIG_F2FS_FS is not set
+# CONFIG_FS_DAX is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_EXPORTFS=y
+# CONFIG_EXPORTFS_BLOCK_OPS is not set
+CONFIG_FILE_LOCKING=y
+CONFIG_MANDATORY_FILE_LOCKING=y
+# CONFIG_FS_ENCRYPTION is not set
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+CONFIG_AUTOFS_FS=y
+# CONFIG_FUSE_FS is not set
+# CONFIG_OVERLAY_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+# CONFIG_PROC_CHILDREN is not set
+CONFIG_KERNFS=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+CONFIG_MEMFD_CREATE=y
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ORANGEFS_FS is not set
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_ECRYPT_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+# CONFIG_9P_FS_SECURITY is not set
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Security options
+#
+CONFIG_KEYS=y
+# CONFIG_PERSISTENT_KEYRINGS is not set
+# CONFIG_BIG_KEYS is not set
+# CONFIG_ENCRYPTED_KEYS is not set
+# CONFIG_KEY_DH_OPERATIONS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_PAGE_TABLE_ISOLATION=y
+CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
+# CONFIG_HARDENED_USERCOPY is not set
+# CONFIG_FORTIFY_SOURCE is not set
+# CONFIG_STATIC_USERMODEHELPER is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_RNG_DEFAULT=y
+CONFIG_CRYPTO_AKCIPHER2=y
+CONFIG_CRYPTO_AKCIPHER=y
+CONFIG_CRYPTO_KPP2=y
+CONFIG_CRYPTO_KPP=y
+CONFIG_CRYPTO_ACOMP2=y
+CONFIG_CRYPTO_RSA=y
+CONFIG_CRYPTO_DH=y
+CONFIG_CRYPTO_ECDH=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_NULL2=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_MCRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_SIMD=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+# CONFIG_CRYPTO_AEGIS128 is not set
+# CONFIG_CRYPTO_AEGIS128L is not set
+# CONFIG_CRYPTO_AEGIS256 is not set
+# CONFIG_CRYPTO_AEGIS128_AESNI_SSE2 is not set
+# CONFIG_CRYPTO_AEGIS128L_AESNI_SSE2 is not set
+# CONFIG_CRYPTO_AEGIS256_AESNI_SSE2 is not set
+# CONFIG_CRYPTO_MORUS640 is not set
+# CONFIG_CRYPTO_MORUS640_SSE2 is not set
+# CONFIG_CRYPTO_MORUS1280 is not set
+# CONFIG_CRYPTO_MORUS1280_SSE2 is not set
+# CONFIG_CRYPTO_MORUS1280_AVX2 is not set
+CONFIG_CRYPTO_SEQIV=y
+CONFIG_CRYPTO_ECHAINIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+# CONFIG_CRYPTO_CFB is not set
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+# CONFIG_CRYPTO_KEYWRAP is not set
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+# CONFIG_CRYPTO_CRCT10DIF is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_POLY1305=y
+CONFIG_CRYPTO_POLY1305_X86_64=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+# CONFIG_CRYPTO_SHA1_MB is not set
+CONFIG_CRYPTO_SHA256_MB=y
+CONFIG_CRYPTO_SHA512_MB=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_SHA3=y
+CONFIG_CRYPTO_SM3=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+# CONFIG_CRYPTO_AES_TI is not set
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_CHACHA20=y
+CONFIG_CRYPTO_CHACHA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
+CONFIG_CRYPTO_SM4=y
+# CONFIG_CRYPTO_SPECK is not set
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_842=y
+CONFIG_CRYPTO_LZ4=y
+CONFIG_CRYPTO_LZ4HC=y
+# CONFIG_CRYPTO_ZSTD is not set
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_DRBG_MENU=y
+CONFIG_CRYPTO_DRBG_HMAC=y
+CONFIG_CRYPTO_DRBG_HASH=y
+CONFIG_CRYPTO_DRBG_CTR=y
+CONFIG_CRYPTO_DRBG=y
+CONFIG_CRYPTO_JITTERENTROPY=y
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_USER_API_RNG is not set
+CONFIG_CRYPTO_USER_API_AEAD=y
+CONFIG_CRYPTO_HASH_INFO=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_ASYMMETRIC_KEY_TYPE=y
+CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
+CONFIG_X509_CERTIFICATE_PARSER=y
+CONFIG_PKCS7_MESSAGE_PARSER=y
+
+#
+# Certificates for signature checking
+#
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_TRUSTED_KEYS=""
+# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
+# CONFIG_SECONDARY_TRUSTED_KEYRING is not set
+# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_RATIONAL=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_NET_UTILS=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
+CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+# CONFIG_CRC64 is not set
+# CONFIG_CRC4 is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+# CONFIG_RANDOM32_SELFTEST is not set
+CONFIG_842_COMPRESS=y
+CONFIG_842_DECOMPRESS=y
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_LZ4_COMPRESS=y
+CONFIG_LZ4HC_COMPRESS=y
+CONFIG_LZ4_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_ASSOCIATIVE_ARRAY=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT_MAP=y
+CONFIG_HAS_DMA=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DMA_DIRECT_OPS=y
+CONFIG_SWIOTLB=y
+CONFIG_SGL_ALLOC=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_CLZ_TAB=y
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
+# CONFIG_IRQ_POLL is not set
+CONFIG_MPILIB=y
+CONFIG_OID_REGISTRY=y
+CONFIG_ARCH_HAS_SG_CHAIN=y
+CONFIG_ARCH_HAS_PMEM_API=y
+CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y
+CONFIG_SBITMAP=y
+# CONFIG_STRING_SELFTEST is not set
+
+#
+# Kernel hacking
+#
+
+#
+# printk and dmesg options
+#
+# CONFIG_PRINTK_TIME is not set
+CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7
+CONFIG_CONSOLE_LOGLEVEL_QUIET=4
+CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# Compile-time checks and compiler options
+#
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_INFO_SPLIT is not set
+# CONFIG_DEBUG_INFO_DWARF4 is not set
+# CONFIG_GDB_SCRIPTS is not set
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_PAGE_OWNER is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_SECTION_MISMATCH_WARN_ONLY=y
+CONFIG_STACK_VALIDATION=y
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_MAGIC_SYSRQ is not set
+CONFIG_DEBUG_KERNEL=y
+
+#
+# Memory Debugging
+#
+# CONFIG_PAGE_EXTENSION is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+# CONFIG_PAGE_POISONING is not set
+CONFIG_DEBUG_RODATA_TEST=y
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_VM is not set
+CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y
+# CONFIG_DEBUG_VIRTUAL is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+CONFIG_HAVE_ARCH_KASAN=y
+# CONFIG_KASAN is not set
+CONFIG_ARCH_HAS_KCOV=y
+CONFIG_CC_HAS_SANCOV_TRACE_PC=y
+# CONFIG_KCOV is not set
+# CONFIG_DEBUG_SHIRQ is not set
+
+#
+# Debug Lockups and Hangs
+#
+# CONFIG_SOFTLOCKUP_DETECTOR is not set
+CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y
+# CONFIG_HARDLOCKUP_DETECTOR is not set
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_WQ_WATCHDOG is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_PANIC_TIMEOUT=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_SCHED_STACK_END_CHECK is not set
+# CONFIG_DEBUG_TIMEKEEPING is not set
+
+#
+# Lock Debugging (spinlocks, mutexes, etc...)
+#
+CONFIG_LOCK_DEBUGGING_SUPPORT=y
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_LOCK_TORTURE_TEST is not set
+# CONFIG_WW_MUTEX_SELFTEST is not set
+# CONFIG_STACKTRACE is not set
+# CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_DEBUG_PI_LIST is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_RCU_PERF_TEST is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_RCU_EQS_DEBUG is not set
+# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_PREEMPTIRQ_EVENTS is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_HWLAT_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_HIST_TRIGGERS is not set
+# CONFIG_TRACEPOINT_BENCHMARK is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+CONFIG_RUNTIME_TESTING_MENU=y
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_TEST_SORT is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_RBTREE_TEST is not set
+# CONFIG_INTERVAL_TREE_TEST is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_TEST_HEXDUMP is not set
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_TEST_PRINTF is not set
+# CONFIG_TEST_BITMAP is not set
+# CONFIG_TEST_BITFIELD is not set
+# CONFIG_TEST_UUID is not set
+# CONFIG_TEST_OVERFLOW is not set
+# CONFIG_TEST_RHASHTABLE is not set
+# CONFIG_TEST_HASH is not set
+# CONFIG_TEST_IDA is not set
+# CONFIG_FIND_BIT_BENCHMARK is not set
+# CONFIG_TEST_FIRMWARE is not set
+# CONFIG_TEST_SYSCTL is not set
+# CONFIG_TEST_UDELAY is not set
+# CONFIG_MEMTEST is not set
+# CONFIG_BUG_ON_DATA_CORRUPTION is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
+# CONFIG_UBSAN is not set
+CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_EARLY_PRINTK_USB_XDBC is not set
+# CONFIG_X86_PTDUMP is not set
+# CONFIG_DEBUG_WX is not set
+CONFIG_DOUBLEFAULT=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_ENTRY is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+CONFIG_X86_DEBUG_FPU=y
+# CONFIG_PUNIT_ATOM_DEBUG is not set
+CONFIG_UNWINDER_ORC=y
+# CONFIG_UNWINDER_FRAME_POINTER is not set
diff --git a/testing/config/kvm/alice.xml b/testing/config/kvm/alice.xml
index 0bf1eb596..c8ff289db 100644
--- a/testing/config/kvm/alice.xml
+++ b/testing/config/kvm/alice.xml
@@ -1,13 +1,13 @@
 <domain type='kvm'>
   <name>alice</name>
   <uuid>1f35c25d-6a7b-4ee1-2461-d7e530e7b2a9</uuid>
-  <memory unit='KiB'>131072</memory>
-  <currentMemory unit='KiB'>131072</currentMemory>
+  <memory unit='KiB'>163840</memory>
+  <currentMemory unit='KiB'>163840</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>
 	<kernel>/var/run/kvm-swan-kernel</kernel>
-    <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+    <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
     <boot dev='hd'/>
   </os>
   <features>
diff --git a/testing/config/kvm/bob.xml b/testing/config/kvm/bob.xml
index f2425b222..0b433a437 100644
--- a/testing/config/kvm/bob.xml
+++ b/testing/config/kvm/bob.xml
@@ -7,7 +7,7 @@
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>
 	<kernel>/var/run/kvm-swan-kernel</kernel>
-    <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+    <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
     <boot dev='hd'/>
   </os>
   <features>
diff --git a/testing/config/kvm/carol.xml b/testing/config/kvm/carol.xml
index 51a7d8336..3eb163f6c 100644
--- a/testing/config/kvm/carol.xml
+++ b/testing/config/kvm/carol.xml
@@ -7,7 +7,7 @@
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>
 	<kernel>/var/run/kvm-swan-kernel</kernel>
-    <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+    <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
     <boot dev='hd'/>
   </os>
   <features>
diff --git a/testing/config/kvm/dave.xml b/testing/config/kvm/dave.xml
index 9e26b9629..d8d05a9e9 100644
--- a/testing/config/kvm/dave.xml
+++ b/testing/config/kvm/dave.xml
@@ -7,7 +7,7 @@
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>
 	<kernel>/var/run/kvm-swan-kernel</kernel>
-    <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+    <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
     <boot dev='hd'/>
   </os>
   <features>
diff --git a/testing/config/kvm/moon.xml b/testing/config/kvm/moon.xml
index 954af7aa1..943ab35b5 100644
--- a/testing/config/kvm/moon.xml
+++ b/testing/config/kvm/moon.xml
@@ -7,7 +7,7 @@
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>
 	<kernel>/var/run/kvm-swan-kernel</kernel>
-    <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+    <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
     <boot dev='hd'/>
   </os>
   <cpu>
diff --git a/testing/config/kvm/sun.xml b/testing/config/kvm/sun.xml
index c2d26737c..893a4aa37 100644
--- a/testing/config/kvm/sun.xml
+++ b/testing/config/kvm/sun.xml
@@ -7,7 +7,7 @@
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>
 	<kernel>/var/run/kvm-swan-kernel</kernel>
-    <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+    <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
     <boot dev='hd'/>
   </os>
   <cpu>
diff --git a/testing/config/kvm/venus.xml b/testing/config/kvm/venus.xml
index acc0d361a..a0b60171b 100644
--- a/testing/config/kvm/venus.xml
+++ b/testing/config/kvm/venus.xml
@@ -7,7 +7,7 @@
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>
 	<kernel>/var/run/kvm-swan-kernel</kernel>
-    <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+    <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
     <boot dev='hd'/>
   </os>
   <features>
diff --git a/testing/config/kvm/winnetou.xml b/testing/config/kvm/winnetou.xml
index b21cb7b08..59d7184f6 100644
--- a/testing/config/kvm/winnetou.xml
+++ b/testing/config/kvm/winnetou.xml
@@ -7,7 +7,7 @@
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>
 	<kernel>/var/run/kvm-swan-kernel</kernel>
-    <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+    <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
     <boot dev='hd'/>
   </os>
   <features>
diff --git a/testing/do-tests b/testing/do-tests
index 52d0d70eb..fad3af8cd 100755
--- a/testing/do-tests
+++ b/testing/do-tests
@@ -51,11 +51,15 @@ subdir_cnt="0"
 ##############################################################################
 # parse optional arguments
 #
-while getopts "v" opt
+while getopts "vt" opt
 do
 	case "$opt" in
 	v)
 		verbose=YES
+		timestamps=YES
+		;;
+	t)
+		timestamps=YES
 		;;
 	esac
 done
@@ -64,7 +68,7 @@ shift $((OPTIND-1))
 
 function print_time()
 {
-	[ "$verbose" == "YES" ] && echo "$(date +%T.%N) ~ "
+	[ "$timestamps" == "YES" ] && echo "$(date +%T.%N) ~ "
 }
 
 ##############################################################################
@@ -689,21 +693,25 @@ do
 	do
 	    eval HOSTLOGIN=root@\$ipv4_${host}
 
-	    for file in clients.conf eap.conf radiusd.conf proxy.conf users
+		RADIUS_DIR=/etc/freeradius/3.0
+		RADIUS_EAP_FILE=mods-enabled/eap
+		RADIUS_EAP_NAME=eap
+		if [ "$BASEIMGSUITE" == "jessie" ]
+		then
+			RADIUS_DIR=/etc/freeradius
+			RADIUS_EAP_FILE=eap.conf
+			RADIUS_EAP_NAME=eap.conf
+		fi
+
+		for file in clients.conf radiusd.conf proxy.conf users sites-enabled/default sites-enabled/inner-tunnel $RADIUS_EAP_FILE
 	    do
-		scp $SSHCONF $HOSTLOGIN:/etc/freeradius/$file \
-		    $TESTRESULTDIR/${host}.$file  > /dev/null 2>&1
+		scp $SSHCONF $HOSTLOGIN:$RADIUS_DIR/$file \
+		    $TESTRESULTDIR/${host}.$(basename $file) > /dev/null 2>&1
 	    done
 
-		scp $SSHCONF $HOSTLOGIN:/etc/strongswan.conf \
-		    $TESTRESULTDIR/${host}.strongswan.conf  > /dev/null 2>&1
-
 	    scp $SSHCONF $HOSTLOGIN:/var/log/freeradius/radius.log \
 		$TESTRESULTDIR/${host}.radius.log  > /dev/null 2>&1
 
-	    ssh $SSHCONF $HOSTLOGIN grep imcv /var/log/daemon.log \
-		>> $TESTRESULTDIR/${host}.daemon.log 2>/dev/null
-
 	    chmod a+r $TESTRESULTDIR/*
 	    cat >> $TESTRESULTDIR/index.html <<@EOF
     <h3>$host</h3>
@@ -713,14 +721,14 @@ do
 	  <ul>
 	    <li><a href="$host.clients.conf">clients.conf</a></li>
 	    <li><a href="$host.radiusd.conf">radiusd.conf</a></li>
-	    <li><a href="$host.strongswan.conf">strongswan.conf</a></li>
+	    <li><a href="$host.$RADIUS_EAP_NAME">$RADIUS_EAP_NAME</a></li>
 	  </ul>
 	</td>
 	<td valign="top">
 	  <ul>
-	    <li><a href="$host.eap.conf">eap.conf</a></li>
+	    <li><a href="$host.default">sites-enabled/default</a></li>
+	    <li><a href="$host.inner-tunnel">sites-enabled/inner-tunnel</a></li>
 	    <li><a href="$host.radius.log">radius.log</a></li>
-	    <li><a href="$host.daemon.log">daemon.log</a></li>
 	  </ul>
       </td>
 	<td valign="top">
diff --git a/testing/hosts/alice/etc/freeradius/3.0/clients.conf b/testing/hosts/alice/etc/freeradius/3.0/clients.conf
new file mode 100644
index 000000000..7fad83c33
--- /dev/null
+++ b/testing/hosts/alice/etc/freeradius/3.0/clients.conf
@@ -0,0 +1,5 @@
+client moon {
+  ipaddr = 10.1.0.1
+  secret = gv6URkSs
+  require_message_authenticator = yes
+}
diff --git a/testing/hosts/alice/etc/freeradius/3.0/radiusd.conf b/testing/hosts/alice/etc/freeradius/3.0/radiusd.conf
new file mode 100644
index 000000000..6139bb90f
--- /dev/null
+++ b/testing/hosts/alice/etc/freeradius/3.0/radiusd.conf
@@ -0,0 +1,99 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = /usr
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = /var/log/freeradius
+raddbdir = /etc/freeradius/3.0
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = freeradius
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+modconfdir = ${confdir}/mods-config
+certdir = ${sysconfdir}/raddb/certs
+cadir   = ${sysconfdir}/raddb/certs
+run_dir = ${localstatedir}/run/${name}
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  correct_escapes: use correct backslash escaping
+correct_escapes = true
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Logging section
+log {
+  destination = files
+  colourise = yes
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes
+  auth_badpass = yes
+  auth_goodpass = yes
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  SECURITY CONFIGURATION
+security {
+  user = freerad
+  group = freerad
+  allow_core_dumps = no
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+  auto_limit_acct = no
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/mods-enabled/
+}
+
+# Policies
+policy {
+  $INCLUDE policy.d/
+}
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/hosts/alice/etc/freeradius/dictionary b/testing/hosts/alice/etc/freeradius/dictionary
index 59a874b3e..4c2c7ebb4 100644
--- a/testing/hosts/alice/etc/freeradius/dictionary
+++ b/testing/hosts/alice/etc/freeradius/dictionary
@@ -11,7 +11,7 @@
 #
 #	The filename given here should be an absolute path.
 #
-$INCLUDE	/usr/local/share/freeradius/dictionary
+$INCLUDE	/usr/share/freeradius/dictionary
 
 #
 #	Place additional attributes or $INCLUDEs here.  They will
diff --git a/testing/hosts/alice/etc/freeradius/radiusd.conf b/testing/hosts/alice/etc/freeradius/radiusd.conf
index e4f721738..bcdc369d2 100644
--- a/testing/hosts/alice/etc/freeradius/radiusd.conf
+++ b/testing/hosts/alice/etc/freeradius/radiusd.conf
@@ -101,8 +101,6 @@ thread pool {
 modules {
   $INCLUDE ${confdir}/modules/
   $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
 }
 
 # Instantiation
diff --git a/testing/hosts/default/etc/ssh/sshd_config b/testing/hosts/default/etc/ssh/sshd_config
index 46b1f0231..cc6f43541 100644
--- a/testing/hosts/default/etc/ssh/sshd_config
+++ b/testing/hosts/default/etc/ssh/sshd_config
@@ -1,7 +1,7 @@
 Port 22
 Protocol 2
+Ciphers aes128-gcm@openssh.com
 HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 UsePrivilegeSeparation no
 PermitRootLogin yes
diff --git a/testing/hosts/default/usr/local/bin/init_collector b/testing/hosts/default/usr/local/bin/init_collector
index c522de874..df1462862 100755
--- a/testing/hosts/default/usr/local/bin/init_collector
+++ b/testing/hosts/default/usr/local/bin/init_collector
@@ -1,4 +1,6 @@
 #! /bin/sh
 
 cat /usr/local/share/strongswan/templates/database/sw-collector/sw_collector_tables.sql | sqlite3 /etc/db.d/collector.db
+sed -i "s:DEBIAN_VERSION:`cat /etc/debian_version`:" /etc/pts/collector.sql
+cat /etc/pts/collector.sql | sqlite3 /etc/db.d/collector.db
 LEAK_DETECTIVE_DISABLE=1 /usr/local/sbin/sw-collector
diff --git a/testing/hosts/venus/etc/default/isc-dhcp-server b/testing/hosts/venus/etc/default/isc-dhcp-server
new file mode 100644
index 000000000..57a5c81f9
--- /dev/null
+++ b/testing/hosts/venus/etc/default/isc-dhcp-server
@@ -0,0 +1,3 @@
+# explicitly set an interface to avoid having to configure and run DHCPv6
+INTERFACESv4="eth0"
+INTERFACESv6=""
diff --git a/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf b/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf
index 68438a656..e362e138c 100644
--- a/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf
+++ b/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf
@@ -2,3 +2,4 @@ AddType text/plain .conf .log .sql .users
 AddType text/plain .secrets .listall .statusall
 AddType text/plain .conns .certs .sas .pools .authorities .stats
 AddType text/plain .policy .state .route .iptables .iptables-save
+AddType text/plain .eap .default .inner-tunnel
diff --git a/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text b/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text
deleted file mode 100644
index 68438a656..000000000
--- a/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text
+++ /dev/null
@@ -1,4 +0,0 @@
-AddType text/plain .conf .log .sql .users
-AddType text/plain .secrets .listall .statusall
-AddType text/plain .conns .certs .sas .pools .authorities .stats
-AddType text/plain .policy .state .route .iptables .iptables-save
diff --git a/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf b/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf
index 0772c34ea..fb9e98424 100644
--- a/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf
+++ b/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf
@@ -12,13 +12,7 @@ AddHandler cgi-script .cgi
     DirectoryIndex ocsp.cgi
     <Directory "/etc/openssl/ocsp">
         Options  +ExecCGI
-        <IfModule mod_authz_core.c>
-            Require all granted
-        </IfModule>
-        <IfModule !mod_authz_core.c>
-            Order deny,allow
-            Allow from all
-        </IfModule>
+        Require all granted
    </Directory>
    ErrorLog     /var/log/apache2/ocsp/error_log
    CustomLog    /var/log/apache2/ocsp/access_log combined
@@ -34,13 +28,7 @@ Listen 8881
     DirectoryIndex ocsp.cgi
     <Directory "/etc/openssl/research/ocsp">
         Options +ExecCGI
-        <IfModule mod_authz_core.c>
-            Require all granted
-        </IfModule>
-        <IfModule !mod_authz_core.c>
-            Order deny,allow
-            Allow from all
-        </IfModule>
+        Require all granted
    </Directory>
    ErrorLog     /var/log/apache2/ocsp/error_log
    CustomLog    /var/log/apache2/ocsp/access_log combined
@@ -56,13 +44,7 @@ Listen 8882
     DirectoryIndex ocsp.cgi
     <Directory "/etc/openssl/sales/ocsp">
         Options +ExecCGI
-        <IfModule mod_authz_core.c>
-            Require all granted
-        </IfModule>
-        <IfModule !mod_authz_core.c>
-            Order deny,allow
-            Allow from all
-        </IfModule>
+        Require all granted
    </Directory>
    ErrorLog     /var/log/apache2/ocsp/error_log
    CustomLog    /var/log/apache2/ocsp/access_log combined
diff --git a/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf b/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf
index 260171cfd..b610836fc 100644
--- a/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf -  OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#	
+# openssl.cnf -  OpenSSL configuration file
+#
 
 # This definitions were set by the ca_init script DO NOT change
 # them manually.
 CAHOME			= /etc/openssl/duck
 RANDFILE		= $CAHOME/.rand
 
-# Extra OBJECT IDENTIFIER info:
-oid_section		= new_oids
-
-[ new_oids ]
-SmartcardLogin		= 1.3.6.1.4.1.311.20.2
-ClientAuthentication	= 1.3.6.1.4.1.311.20.2.2
-
 ####################################################################
 
 [ ca ]
@@ -21,7 +13,7 @@ default_ca	= root_ca		# The default ca section
 
 ####################################################################
 
-[ root_ca ]				
+[ root_ca ]
 
 dir		= $CAHOME
 certs		= $dir/certs		  # Where the issued certs are kept
@@ -82,7 +74,7 @@ x509_extensions		= ca_ext	# The extensions to add to the self signed cert
 # req_extensions 	= v3_req 	# The extensions to add to a certificate request
 
 
-# This sets a mask for permitted string types. There are several options. 
+# This sets a mask for permitted string types. There are several options.
 # default: PrintableString, T61String, BMPString.
 # pkix	 : PrintableString, BMPString.
 # utf8only: only UTF8Strings.
@@ -117,7 +109,7 @@ organizationName_default	= Linux strongSwan
 #1.organizationalUnitName	= Type (eg, Staff)
 #1.organizationalUnitName_default = Staff
 
-#userId				= UID 
+#userId				= UID
 
 commonName			= Common Name (eg, YOUR name)
 commonName_default		= $ENV::COMMON_NAME
@@ -154,7 +146,7 @@ basicConstraints		= CA:FALSE
 keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
 subjectKeyIdentifier            = hash
 authorityKeyIdentifier          = keyid, issuer:always
-subjectAltName                  = email:$ENV::COMMON_NAME 
+subjectAltName                  = email:$ENV::COMMON_NAME
 
 ####################################################################
 
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf b/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf
index d31752e30..ddd94d061 100644
--- a/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf -  OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#	
+# openssl.cnf -  OpenSSL configuration file
+#
 
 # This definitions were set by the ca_init script DO NOT change
 # them manually.
-CAHOME			= /etc/openssl/ecdsa 
+CAHOME			= /etc/openssl/ecdsa
 RANDFILE		= $CAHOME/.rand
 
-# Extra OBJECT IDENTIFIER info:
-oid_section		= new_oids
-
-[ new_oids ]
-SmartcardLogin		= 1.3.6.1.4.1.311.20.2
-ClientAuthentication	= 1.3.6.1.4.1.311.20.2.2
-
 ####################################################################
 
 [ ca ]
@@ -21,7 +13,7 @@ default_ca	= root_ca		# The default ca section
 
 ####################################################################
 
-[ root_ca ]				
+[ root_ca ]
 
 dir		= $CAHOME
 certs		= $dir/certs		     # Where the issued certs are kept
@@ -83,7 +75,7 @@ x509_extensions		= ca_ext	# The extensions to add to the self signed cert
 # req_extensions 	= v3_req 	# The extensions to add to a certificate request
 
 
-# This sets a mask for permitted string types. There are several options. 
+# This sets a mask for permitted string types. There are several options.
 # default: PrintableString, T61String, BMPString.
 # pkix	 : PrintableString, BMPString.
 # utf8only: only UTF8Strings.
@@ -118,7 +110,7 @@ organizationName_default	= Linux strongSwan
 #1.organizationalUnitName	= Type (eg, Staff)
 #1.organizationalUnitName_default = Staff
 
-#userId				= UID 
+#userId				= UID
 
 commonName			= Common Name (eg, YOUR name)
 commonName_default		= $ENV::COMMON_NAME
@@ -156,7 +148,7 @@ basicConstraints		= CA:FALSE
 keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
 subjectKeyIdentifier            = hash
 authorityKeyIdentifier          = keyid, issuer:always
-subjectAltName                  = email:$ENV::COMMON_NAME 
+subjectAltName                  = email:$ENV::COMMON_NAME
 #authorityInfoAccess		= OCSP;URI:http://ocsp.strongswan.org:8880
 crlDistributionPoints          	= URI:http://crl.strongswan.org/strongswan_ec.crl
 
diff --git a/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf b/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf
index 5985b5650..170daba56 100644
--- a/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf -  OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#	
+# openssl.cnf -  OpenSSL configuration file
+#
 
 # This definitions were set by the ca_init script DO NOT change
 # them manually.
 CAHOME			= /etc/openssl/monster
 RANDFILE		= $CAHOME/.rand
 
-# Extra OBJECT IDENTIFIER info:
-oid_section		= new_oids
-
-[ new_oids ]
-SmartcardLogin		= 1.3.6.1.4.1.311.20.2
-ClientAuthentication	= 1.3.6.1.4.1.311.20.2.2
-
 ####################################################################
 
 [ ca ]
@@ -21,7 +13,7 @@ default_ca	= root_ca		# The default ca section
 
 ####################################################################
 
-[ root_ca ]				
+[ root_ca ]
 
 dir		= $CAHOME
 certs		= $dir/certs		  # Where the issued certs are kept
@@ -83,7 +75,7 @@ x509_extensions		= ca_ext	# The extensions to add to the self signed cert
 # req_extensions 	= v3_req 	# The extensions to add to a certificate request
 
 
-# This sets a mask for permitted string types. There are several options. 
+# This sets a mask for permitted string types. There are several options.
 # default: PrintableString, T61String, BMPString.
 # pkix	 : PrintableString, BMPString.
 # utf8only: only UTF8Strings.
@@ -118,7 +110,7 @@ organizationName_default	= Linux strongSwan
 #1.organizationalUnitName	= Type (eg, Staff)
 #1.organizationalUnitName_default = Staff
 
-#userId				= UID 
+#userId				= UID
 
 commonName			= Common Name (eg, YOUR name)
 commonName_default		= $ENV::COMMON_NAME
@@ -156,7 +148,7 @@ basicConstraints		= CA:FALSE
 keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
 subjectKeyIdentifier            = hash
 authorityKeyIdentifier          = keyid, issuer:always
-subjectAltName                  = email:$ENV::COMMON_NAME 
+subjectAltName                  = email:$ENV::COMMON_NAME
 #authorityInfoAccess		= OCSP;URI:http://ocsp.strongswan.org:8880
 crlDistributionPoints          	= URI:http://crl.strongswan.org/strongswan-monster.crl
 
diff --git a/testing/hosts/winnetou/etc/openssl/openssl.cnf b/testing/hosts/winnetou/etc/openssl/openssl.cnf
index 9078b2043..b1ef68a11 100644
--- a/testing/hosts/winnetou/etc/openssl/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf -  OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#	
+# openssl.cnf -  OpenSSL configuration file
+#
 
 # This definitions were set by the ca_init script DO NOT change
 # them manually.
-CAHOME			= /etc/openssl 
+CAHOME			= /etc/openssl
 RANDFILE		= $CAHOME/.rand
 
-# Extra OBJECT IDENTIFIER info:
-oid_section		= new_oids
-
-[ new_oids ]
-SmartcardLogin		= 1.3.6.1.4.1.311.20.2
-ClientAuthentication	= 1.3.6.1.4.1.311.20.2.2
-
 ####################################################################
 
 [ ca ]
@@ -21,7 +13,7 @@ default_ca	= root_ca		# The default ca section
 
 ####################################################################
 
-[ root_ca ]				
+[ root_ca ]
 
 dir		= $CAHOME
 certs		= $dir/certs		  # Where the issued certs are kept
@@ -83,7 +75,7 @@ x509_extensions		= ca_ext	# The extensions to add to the self signed cert
 # req_extensions 	= v3_req 	# The extensions to add to a certificate request
 
 
-# This sets a mask for permitted string types. There are several options. 
+# This sets a mask for permitted string types. There are several options.
 # default: PrintableString, T61String, BMPString.
 # pkix	 : PrintableString, BMPString.
 # utf8only: only UTF8Strings.
@@ -118,7 +110,7 @@ organizationName_default	= Linux strongSwan
 #1.organizationalUnitName	= Type (eg, Staff)
 #1.organizationalUnitName_default = Staff
 
-#userId				= UID 
+#userId				= UID
 
 commonName			= Common Name (eg, YOUR name)
 commonName_default		= $ENV::COMMON_NAME
@@ -157,7 +149,7 @@ basicConstraints		= CA:FALSE
 keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
 subjectKeyIdentifier            = hash
 authorityKeyIdentifier          = keyid, issuer:always
-subjectAltName                  = email:$ENV::COMMON_NAME 
+subjectAltName                  = email:$ENV::COMMON_NAME
 #authorityInfoAccess		= OCSP;URI:http://ocsp.strongswan.org:8880
 crlDistributionPoints          	= URI:http://crl.strongswan.org/strongswan.crl
 
diff --git a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
index 7099413f0..f5ae64e36 100644
--- a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf -  OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#	
+# openssl.cnf -  OpenSSL configuration file
+#
 
 # This definitions were set by the ca_init script DO NOT change
 # them manually.
 CAHOME			= /etc/openssl/research
 RANDFILE		= $CAHOME/.rand
 
-# Extra OBJECT IDENTIFIER info:
-oid_section		= new_oids
-
-[ new_oids ]
-SmartcardLogin		= 1.3.6.1.4.1.311.20.2
-ClientAuthentication	= 1.3.6.1.4.1.311.20.2.2
-
 ####################################################################
 
 [ ca ]
@@ -21,7 +13,7 @@ default_ca	= root_ca		# The default ca section
 
 ####################################################################
 
-[ root_ca ]				
+[ root_ca ]
 
 dir		= $CAHOME
 certs		= $dir/certs		  # Where the issued certs are kept
@@ -82,7 +74,7 @@ x509_extensions		= ca_ext	# The extensions to add to the self signed cert
 # req_extensions 	= v3_req 	# The extensions to add to a certificate request
 
 
-# This sets a mask for permitted string types. There are several options. 
+# This sets a mask for permitted string types. There are several options.
 # default: PrintableString, T61String, BMPString.
 # pkix	 : PrintableString, BMPString.
 # utf8only: only UTF8Strings.
@@ -117,7 +109,7 @@ organizationName_default	= Linux strongSwan
 #1.organizationalUnitName	= Type (eg, Staff)
 #1.organizationalUnitName_default = Staff
 
-#userId				= UID 
+#userId				= UID
 
 commonName			= Common Name (eg, YOUR name)
 commonName_default		= $ENV::COMMON_NAME
@@ -155,7 +147,7 @@ basicConstraints		= CA:FALSE
 keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
 subjectKeyIdentifier            = hash
 authorityKeyIdentifier          = keyid, issuer:always
-subjectAltName                  = email:$ENV::COMMON_NAME 
+subjectAltName                  = email:$ENV::COMMON_NAME
 crlDistributionPoints          	= URI:http://crl.strongswan.org/research.crl
 
 ####################################################################
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
index 12da734aa..11ff172ac 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf -  OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#	
+# openssl.cnf -  OpenSSL configuration file
+#
 
 # This definitions were set by the ca_init script DO NOT change
 # them manually.
-CAHOME			= /etc/openssl/rfc3779 
+CAHOME			= /etc/openssl/rfc3779
 RANDFILE		= $CAHOME/.rand
 
-# Extra OBJECT IDENTIFIER info:
-oid_section		= new_oids
-
-[ new_oids ]
-SmartcardLogin		= 1.3.6.1.4.1.311.20.2
-ClientAuthentication	= 1.3.6.1.4.1.311.20.2.2
-
 ####################################################################
 
 [ ca ]
@@ -21,7 +13,7 @@ default_ca	= root_ca		# The default ca section
 
 ####################################################################
 
-[ root_ca ]				
+[ root_ca ]
 
 dir		= $CAHOME
 certs		= $dir/certs		  # Where the issued certs are kept
@@ -83,7 +75,7 @@ x509_extensions		= ca_ext	# The extensions to add to the self signed cert
 # req_extensions 	= v3_req 	# The extensions to add to a certificate request
 
 
-# This sets a mask for permitted string types. There are several options. 
+# This sets a mask for permitted string types. There are several options.
 # default: PrintableString, T61String, BMPString.
 # pkix	 : PrintableString, BMPString.
 # utf8only: only UTF8Strings.
@@ -113,12 +105,12 @@ organizationName		= Organization Name (eg, company)
 organizationName_default	= Linux strongSwan
 
 0.organizationalUnitName		= Organizational Unit Name (eg, section)
-0.organizationalUnitName_default	= RFC3779 
+0.organizationalUnitName_default	= RFC3779
 
 #1.organizationalUnitName	= Type (eg, Staff)
 #1.organizationalUnitName_default = Staff
 
-#userId				= UID 
+#userId				= UID
 
 commonName			= Common Name (eg, YOUR name)
 commonName_default		= $ENV::COMMON_NAME
@@ -173,7 +165,7 @@ basicConstraints		= CA:FALSE
 keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
 subjectKeyIdentifier            = hash
 authorityKeyIdentifier          = keyid, issuer:always
-subjectAltName                  = email:$ENV::COMMON_NAME 
+subjectAltName                  = email:$ENV::COMMON_NAME
 #authorityInfoAccess		= OCSP;URI:http://ocsp.strongswan.org:8880
 crlDistributionPoints          	= URI:http://crl.strongswan.org/strongswan_rfc3779.crl
 
diff --git a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
index f3ec7e168..f1d080c0b 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf -  OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#	
+# openssl.cnf -  OpenSSL configuration file
+#
 
 # This definitions were set by the ca_init script DO NOT change
 # them manually.
-CAHOME			= /etc/openssl/sales 
+CAHOME			= /etc/openssl/sales
 RANDFILE		= $CAHOME/.rand
 
-# Extra OBJECT IDENTIFIER info:
-oid_section		= new_oids
-
-[ new_oids ]
-SmartcardLogin		= 1.3.6.1.4.1.311.20.2
-ClientAuthentication	= 1.3.6.1.4.1.311.20.2.2
-
 ####################################################################
 
 [ ca ]
@@ -21,7 +13,7 @@ default_ca	= root_ca		# The default ca section
 
 ####################################################################
 
-[ root_ca ]				
+[ root_ca ]
 
 dir		= $CAHOME
 certs		= $dir/certs		  # Where the issued certs are kept
@@ -82,7 +74,7 @@ x509_extensions		= ca_ext	# The extensions to add to the self signed cert
 # req_extensions 	= v3_req 	# The extensions to add to a certificate request
 
 
-# This sets a mask for permitted string types. There are several options. 
+# This sets a mask for permitted string types. There are several options.
 # default: PrintableString, T61String, BMPString.
 # pkix	 : PrintableString, BMPString.
 # utf8only: only UTF8Strings.
@@ -117,7 +109,7 @@ organizationName_default	= Linux strongSwan
 #1.organizationalUnitName	= Type (eg, Staff)
 #1.organizationalUnitName_default = Staff
 
-#userId				= UID 
+#userId				= UID
 
 commonName			= Common Name (eg, YOUR name)
 commonName_default		= $ENV::COMMON_NAME
@@ -155,7 +147,7 @@ basicConstraints		= CA:FALSE
 keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
 subjectKeyIdentifier            = hash
 authorityKeyIdentifier          = keyid, issuer:always
-subjectAltName                  = email:$ENV::COMMON_NAME 
+subjectAltName                  = email:$ENV::COMMON_NAME
 crlDistributionPoints          	= URI:http://crl.strongswan.org/sales.crl
 #authorityInfoAccess             = OCSP;URI:http://ocsp2.strongswan.org:8882
 
diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage
index 95453d620..7c30758bf 100755
--- a/testing/scripts/build-baseimage
+++ b/testing/scripts/build-baseimage
@@ -12,29 +12,34 @@ running_any $STRONGSWANHOSTS && die "Please stop test environment before running
 check_commands debootstrap mkfs.ext3 partprobe qemu-img qemu-nbd sfdisk
 
 # package includes/excludes
-INC=automake,autoconf,libtool,bison,flex,gperf,pkg-config,gettext,less
+INC=automake,autoconf,libtool,bison,flex,gperf,pkg-config,gettext,less,locales
 INC=$INC,build-essential,libgmp-dev,libldap2-dev,libcurl4-openssl-dev,ethtool
 INC=$INC,libxml2-dev,libtspi-dev,libsqlite3-dev,openssh-server,tcpdump,psmisc
 INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libltdl-dev,liblog4cxx10-dev
-INC=$INC,libboost-thread-dev,libboost-system-dev,git-core,iperf,htop,screen
+INC=$INC,libboost-thread-dev,libboost-system-dev,git-core,iperf,htop
 INC=$INC,gnat,gprbuild,acpid,acpi-support-base,libldns-dev,libunbound-dev
 INC=$INC,dnsutils,libsoup2.4-dev,ca-certificates,unzip,libsystemd-dev
 INC=$INC,python,python-setuptools,python-dev,python-pip,apt-transport-https
-INC=$INC,libjson0-dev,libxslt1-dev,libapache2-mod-wsgi,iptables-dev
+INC=$INC,libjson-c-dev,libxslt1-dev,libapache2-mod-wsgi,iptables-dev
+INC=$INC,libxerces-c-dev,libgcrypt20-dev,traceroute
 case "$BASEIMGSUITE" in
-wheezy)
-	INC=$INC,libxerces-c2-dev,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev
-	INC=$INC,libalog0.4.1-base-dev
-	;;
 jessie)
-	INC=$INC,libxerces-c-dev,libahven4-dev,libxmlada5-dev,libgmpada5-dev
-	INC=$INC,libalog1-dev,libgcrypt20-dev
+	INC=$INC,libahven4-dev,libxmlada5-dev,libgmpada5-dev
+	INC=$INC,libalog1-dev
+	;;
+stretch)
+	INC=$INC,libahven5-dev,libxmlada-schema6-dev,libgmpada6-dev
+	INC=$INC,libalog2-dev
 	;;
 *)
 	echo_warn "Package list for '$BASEIMGSUITE' might has to be updated"
 esac
-SERVICES="apache2 dbus isc-dhcp-server slapd bind9"
+SERVICES="apache2 dbus isc-dhcp-server slapd bind9 freeradius"
 INC=$INC,${SERVICES// /,}
+# packages to install via APT, for SWIMA tests
+APT="tmux"
+# additional services to disable
+SERVICES="$SERVICES systemd-timesyncd.service"
 
 CACHEDIR=$BUILDDIR/cache
 APTCACHE=$LOOPDIR/var/cache/apt/archives
@@ -86,6 +91,13 @@ execute "debootstrap --arch=$BASEIMGARCH --include=$INC $BASEIMGSUITE $LOOPDIR $
 execute "mount -t proc none $LOOPDIR/proc" 0
 do_on_exit graceful_umount $LOOPDIR/proc
 
+log_action "Generating locales"
+cat > $LOOPDIR/etc/locale.gen << EOF
+de_CH.UTF-8 UTF-8
+en_US.UTF-8 UTF-8
+EOF
+execute_chroot "locale-gen"
+
 log_action "Downloading signing key for custom apt repo"
 execute_chroot "wget -q $BASEIMGEXTKEY -O /tmp/key"
 log_action "Installing signing key for custom apt repo"
@@ -107,18 +119,15 @@ log_status $?
 
 log_action "Update package sources"
 execute_chroot "apt-get update"
+log_action "Install packages via APT"
+execute_chroot "apt-get -y install $APT"
 log_action "Install packages from custom repo"
 execute_chroot "apt-get -y upgrade"
 
 for service in $SERVICES
 do
 	log_action "Disabling service $service"
-	if [ "$BASEIMGSUITE" == "wheezy" ]
-	then
-		execute_chroot "update-rc.d -f $service remove"
-	else
-		execute_chroot "systemctl disable $service"
-	fi
+	execute_chroot "systemctl disable $service"
 done
 
 log_action "Disabling root password"
diff --git a/testing/scripts/build-guestimages b/testing/scripts/build-guestimages
index 7dd7188c2..5116d095e 100755
--- a/testing/scripts/build-guestimages
+++ b/testing/scripts/build-guestimages
@@ -76,12 +76,7 @@ do
 
 		for service in "apache2 slapd bind9"
 		do
-			if [ "$BASEIMGSUITE" == "wheezy" ]
-			then
-				execute_chroot "update-rc.d $service defaults" 0
-			else
-				execute_chroot "systemctl enable $service" 0
-			fi
+			execute_chroot "systemctl enable $service" 0
 		done
 	fi
 	sync
diff --git a/testing/scripts/build-rootimage b/testing/scripts/build-rootimage
index a84104a90..c6c41ada3 100755
--- a/testing/scripts/build-rootimage
+++ b/testing/scripts/build-rootimage
@@ -55,8 +55,11 @@ do_on_exit umount $LOOPDIR/root/shared
 
 echo "Installing software from source"
 RECPDIR=$DIR/recipes
+if [ -d "$RECPDIR/patches" ]
+then
+	execute "cp -r $RECPDIR/patches $LOOPDIR/root/shared/compile" 0
+fi
 RECIPES=`ls $RECPDIR/*.mk | xargs -n1 basename`
-execute "cp -r $RECPDIR/patches $LOOPDIR/root/shared/compile" 0
 for r in $RECIPES
 do
 	cp $RECPDIR/$r ${LOOPDIR}/root/shared/compile
diff --git a/testing/scripts/recipes/001_libtnc.mk b/testing/scripts/recipes/001_libtnc.mk
deleted file mode 100644
index b835958b7..000000000
--- a/testing/scripts/recipes/001_libtnc.mk
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/make
-
-PV  = 1.25
-PKG = libtnc-$(PV)
-TAR = $(PKG).tar.gz
-SRC = http://downloads.sourceforge.net/project/libtnc/libtnc/$(PV)/$(TAR)
-
-NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
-
-CONFIG_OPTS = \
-	--sysconfdir=/etc
-
-all: install
-
-$(TAR):
-	wget $(SRC)
-
-.$(PKG)-unpacked: $(TAR)
-	tar xfz $(TAR)
-	@touch $@
-
-.$(PKG)-configured: .$(PKG)-unpacked
-	cd $(PKG) && ./configure $(CONFIG_OPTS)
-	@touch $@
-
-.$(PKG)-built: .$(PKG)-configured
-	cd $(PKG) && make -j $(NUM_CPUS)
-	@touch $@
-
-install: .$(PKG)-built
-	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/002_tnc-fhh.mk b/testing/scripts/recipes/002_tnc-fhh.mk
deleted file mode 100644
index d4ed4f99c..000000000
--- a/testing/scripts/recipes/002_tnc-fhh.mk
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/usr/bin/make
-
-PKG = fhhtnc
-SRC = git://github.com/trustatfhh/tnc-fhh.git
-
-NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
-
-CONFIG_OPTS = \
-	-DCOMPONENT=all \
-	-DNAL=8021x
-
-PATCHES = \
-	tnc-fhh-tncsim
-
-all: install
-
-.$(PKG)-cloned:
-	git clone $(SRC) $(PKG)
-	mkdir $(PKG)/build
-	@touch $@
-
-.$(PKG)-patches-applied: .$(PKG)-cloned
-	cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
-	@touch $@
-
-.$(PKG)-configured: .$(PKG)-patches-applied
-	cd $(PKG)/build && cmake $(CONFIG_OPTS) ../
-	@touch $@
-
-.$(PKG)-built: .$(PKG)-configured
-	cd $(PKG)/build && make -j $(NUM_CPUS)
-	@touch $@
-
-install: .$(PKG)-built
-	cd $(PKG)/build && make install
diff --git a/testing/scripts/recipes/003_freeradius.mk b/testing/scripts/recipes/003_freeradius.mk
deleted file mode 100644
index 71cfc238c..000000000
--- a/testing/scripts/recipes/003_freeradius.mk
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/usr/bin/make
-
-PV  = 2.2.8
-PKG = freeradius-server-$(PV)
-TAR = $(PKG).tar.bz2
-SRC = ftp://ftp.freeradius.org/pub/freeradius/old/$(TAR)
-
-NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
-
-CONFIG_OPTS = \
-	--with-raddbdir=/etc/freeradius \
-	--sysconfdir=/etc \
-	--with-logdir=/var/log/freeradius \
-	--enable-developer \
-	--with-experimental-modules
-
-PATCHES = \
-	freeradius-eap-sim-identity \
-	freeradius-tnc-fhh
-
-all: install
-
-$(TAR):
-	wget $(SRC)
-
-.$(PKG)-unpacked: $(TAR)
-	tar xfj $(TAR)
-	@touch $@
-
-.$(PKG)-patches-applied: .$(PKG)-unpacked
-	cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
-	@touch $@
-
-.$(PKG)-configured: .$(PKG)-patches-applied
-	cd $(PKG) && ./configure $(CONFIG_OPTS)
-	@touch $@
-
-.$(PKG)-built: .$(PKG)-configured
-	cd $(PKG) && make -j $(NUM_CPUS)
-	@touch $@
-
-install: .$(PKG)-built
-	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/004_hostapd.mk b/testing/scripts/recipes/004_hostapd.mk
deleted file mode 100644
index 0acd428c9..000000000
--- a/testing/scripts/recipes/004_hostapd.mk
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/usr/bin/make
-
-PV  = 2.0
-PKG = hostapd-$(PV)
-TAR = $(PKG).tar.gz
-SRC = http://w1.fi/releases/$(TAR)
-
-NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
-
-CONFIG_OPTS =
-
-PATCHES = \
-	hostapd-config
-
-SUBDIR = hostapd
-
-all: install
-
-$(TAR):
-	wget $(SRC)
-
-.$(PKG)-unpacked: $(TAR)
-	tar xfz $(TAR)
-	@touch $@
-
-.$(PKG)-patches-applied: .$(PKG)-unpacked
-	cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
-	@touch $@
-
-.$(PKG)-configured: .$(PKG)-patches-applied
-	cp $(PKG)/$(SUBDIR)/defconfig $(PKG)/$(SUBDIR)/.config
-	@touch $@
-
-.$(PKG)-built: .$(PKG)-configured
-	cd $(PKG)/$(SUBDIR) && make -j $(NUM_CPUS)
-	@touch $@
-
-install: .$(PKG)-built
-	cd $(PKG)/$(SUBDIR) && make install
diff --git a/testing/scripts/recipes/004_wpa_supplicant.mk b/testing/scripts/recipes/004_wpa_supplicant.mk
deleted file mode 100644
index 4cc870c12..000000000
--- a/testing/scripts/recipes/004_wpa_supplicant.mk
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/usr/bin/make
-
-PV  = 2.0
-PKG = wpa_supplicant-$(PV)
-TAR = $(PKG).tar.gz
-SRC = http://w1.fi/releases/$(TAR)
-
-NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
-
-CONFIG_OPTS =
-
-PATCHES = \
-	wpa_supplicant-eap-tnc
-
-SUBDIR = wpa_supplicant
-
-all: install
-
-$(TAR):
-	wget $(SRC)
-
-.$(PKG)-unpacked: $(TAR)
-	tar xfz $(TAR)
-	@touch $@
-
-.$(PKG)-patches-applied: .$(PKG)-unpacked
-	cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
-	@touch $@
-
-.$(PKG)-configured: .$(PKG)-patches-applied
-	cp $(PKG)/$(SUBDIR)/defconfig $(PKG)/$(SUBDIR)/.config
-	@touch $@
-
-.$(PKG)-built: .$(PKG)-configured
-	cd $(PKG)/$(SUBDIR) && make -j $(NUM_CPUS)
-	@touch $@
-
-install: .$(PKG)-built
-	cd $(PKG)/$(SUBDIR) && make install
diff --git a/testing/scripts/recipes/005_anet.mk b/testing/scripts/recipes/005_anet.mk
index a6af5df5c..b311c0a99 100644
--- a/testing/scripts/recipes/005_anet.mk
+++ b/testing/scripts/recipes/005_anet.mk
@@ -8,14 +8,15 @@ PREFIX = /usr/local/ada
 
 all: install
 
-$(PKG):
-	git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+	[ -d $(PKG) ] || git clone $(SRC) $(PKG)
+	@touch $@
 
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
 	cd $(PKG) && git fetch && git checkout $(REV)
 	@touch $@
 
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
 	cd $(PKG) && make LIBRARY_KIND=static
 	@touch $@
 
diff --git a/testing/scripts/recipes/006_tkm-rpc.mk b/testing/scripts/recipes/006_tkm-rpc.mk
index 5f2e207c8..ed2a62396 100644
--- a/testing/scripts/recipes/006_tkm-rpc.mk
+++ b/testing/scripts/recipes/006_tkm-rpc.mk
@@ -10,14 +10,15 @@ export ADA_PROJECT_PATH=$(PREFIX)/lib/gnat
 
 all: install
 
-$(PKG):
-	git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+	[ -d $(PKG) ] || git clone $(SRC) $(PKG)
+	@touch $@
 
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
 	cd $(PKG) && git fetch && git checkout $(REV)
 	@touch $@
 
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
 	cd $(PKG) && make
 	@touch $@
 
diff --git a/testing/scripts/recipes/007_x509-ada.mk b/testing/scripts/recipes/007_x509-ada.mk
index 7899f6dec..57a106dea 100644
--- a/testing/scripts/recipes/007_x509-ada.mk
+++ b/testing/scripts/recipes/007_x509-ada.mk
@@ -8,14 +8,15 @@ PREFIX = /usr/local/ada
 
 all: install
 
-$(PKG):
-	git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+	[ -d $(PKG) ] || git clone $(SRC) $(PKG)
+	@touch $@
 
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
 	cd $(PKG) && git fetch && git checkout $(REV)
 	@touch $@
 
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
 	cd $(PKG) && make tests && make
 	@touch $@
 
diff --git a/testing/scripts/recipes/008_xfrm-ada.mk b/testing/scripts/recipes/008_xfrm-ada.mk
index ad1cbb2bc..64ada0e45 100644
--- a/testing/scripts/recipes/008_xfrm-ada.mk
+++ b/testing/scripts/recipes/008_xfrm-ada.mk
@@ -10,14 +10,15 @@ export ADA_PROJECT_PATH=$(PREFIX)/lib/gnat
 
 all: install
 
-$(PKG):
-	git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+	[ -d $(PKG) ] || git clone $(SRC) $(PKG)
+	@touch $@
 
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
 	cd $(PKG) && git fetch && git checkout $(REV)
 	@touch $@
 
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
 	cd $(PKG) && make
 	@touch $@
 
diff --git a/testing/scripts/recipes/009_xfrm-proxy.mk b/testing/scripts/recipes/009_xfrm-proxy.mk
index a7c9d31cc..bdf5b1211 100644
--- a/testing/scripts/recipes/009_xfrm-proxy.mk
+++ b/testing/scripts/recipes/009_xfrm-proxy.mk
@@ -8,14 +8,15 @@ export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
 
 all: install
 
-$(PKG):
-	git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+	[ -d $(PKG) ] || git clone $(SRC) $(PKG)
+	@touch $@
 
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
 	cd $(PKG) && git fetch && git checkout $(REV)
 	@touch $@
 
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
 	cd $(PKG) && make
 	@touch $@
 
diff --git a/testing/scripts/recipes/010_tkm.mk b/testing/scripts/recipes/010_tkm.mk
index 03ee5b526..2651660db 100644
--- a/testing/scripts/recipes/010_tkm.mk
+++ b/testing/scripts/recipes/010_tkm.mk
@@ -8,14 +8,15 @@ export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
 
 all: install
 
-$(PKG):
-	git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+	[ -d $(PKG) ] || git clone $(SRC) $(PKG)
+	@touch $@
 
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
 	cd $(PKG) && git fetch && git checkout $(REV)
 	@touch $@
 
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
 	cd $(PKG) && make
 	@touch $@
 
diff --git a/testing/scripts/recipes/011_botan.mk b/testing/scripts/recipes/011_botan.mk
index ef0f6d066..215e92365 100644
--- a/testing/scripts/recipes/011_botan.mk
+++ b/testing/scripts/recipes/011_botan.mk
@@ -2,8 +2,7 @@
 
 PKG = botan
 SRC = https://github.com/randombit/$(PKG).git
-# will have to be changed to the 2.8.0 tag later
-REV = 1872f899716854927ecc68022fac318735be8824
+REV = 2.8.0
 
 NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
 
@@ -15,14 +14,15 @@ CONFIG_OPTS = \
 
 all: install
 
-$(PKG):
-	git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+	[ -d $(PKG) ] || git clone $(SRC) $(PKG)
+	@touch $@
 
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
 	cd $(PKG) && git fetch && git checkout $(REV)
 	@touch $@
 
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
 	cd $(PKG) && python ./configure.py $(CONFIG_OPTS) && make -j $(NUM_CPUS)
 	@touch $@
 
diff --git a/testing/scripts/recipes/patches/freeradius-eap-sim-identity b/testing/scripts/recipes/patches/freeradius-eap-sim-identity
deleted file mode 100644
index 1ab95ecc6..000000000
--- a/testing/scripts/recipes/patches/freeradius-eap-sim-identity
+++ /dev/null
@@ -1,30 +0,0 @@
---- a/src/modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.c	2012-11-28 11:03:05.081225276 +0100
-+++ b/src/modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.c	2012-11-28 11:46:59.746289881 +0100
-@@ -246,14 +246,21 @@
-	newvp->vp_integer = ess->sim_id++;
-	pairreplace(outvps, newvp);
-
-+	ess->keys.identitylen = strlen(handler->identity);
-+	memcpy(ess->keys.identity, handler->identity, ess->keys.identitylen);
-+
-	/* make a copy of the identity */
-	newvp = pairfind(*invps, ATTRIBUTE_EAP_SIM_BASE + PW_EAP_SIM_IDENTITY);
--	if (newvp) {
--		ess->keys.identitylen = newvp->length;
--		memcpy(ess->keys.identity, newvp->vp_octets, newvp->length);
--	} else {
--		ess->keys.identitylen = strlen(handler->identity);
--		memcpy(ess->keys.identity, handler->identity, ess->keys.identitylen);
-+	if (newvp && newvp->length > 2) {
-+		uint16_t len;
-+
-+		memcpy(&len, newvp->vp_octets, sizeof(uint16_t));
-+		len = ntohs(len);
-+		if (len <= newvp->length - 2 && len <= MAX_STRING_LEN) {
-+			ess->keys.identitylen = len;
-+			memcpy(ess->keys.identity, newvp->vp_octets + 2,
-+			       ess->keys.identitylen);
-+		}
-	}
-
-	/* all set, calculate keys! */
diff --git a/testing/scripts/recipes/patches/freeradius-tnc-fhh b/testing/scripts/recipes/patches/freeradius-tnc-fhh
deleted file mode 100644
index 26a233d48..000000000
--- a/testing/scripts/recipes/patches/freeradius-tnc-fhh
+++ /dev/null
@@ -1,6687 +0,0 @@
-diff -u -r -N freeradius-server-2.2.0.orig/share/dictionary freeradius-server-2.2.0/share/dictionary
---- freeradius-server-2.2.0.orig/share/dictionary	2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/share/dictionary	2012-12-04 19:39:42.261423097 +0100
-@@ -196,6 +196,7 @@
- $INCLUDE dictionary.starent
- $INCLUDE dictionary.symbol
- $INCLUDE dictionary.telebit
-+$INCLUDE dictionary.tncfhh
- $INCLUDE dictionary.terena
- $INCLUDE dictionary.trapeze
- $INCLUDE dictionary.tropos
-diff -u -r -N freeradius-server-2.2.0.orig/share/dictionary.tncfhh freeradius-server-2.2.0/share/dictionary.tncfhh
---- freeradius-server-2.2.0.orig/share/dictionary.tncfhh	1970-01-01 01:00:00.000000000 +0100
-+++ freeradius-server-2.2.0/share/dictionary.tncfhh	2012-12-04 19:39:49.645421869 +0100
-@@ -0,0 +1,20 @@
-+# -*- text -*-
-+# Dictionary for the tnc@fhh Server.
-+#
-+# Website: http://trust.inform.fh-hannover.de
-+#
-+# Version: 0.8.4
-+# Author: Bastian Hellmann
-+# Email: trust@f4-i.fh-hannover.de
-+#
-+
-+VENDOR tncfhh	10000
-+BEGIN-VENDOR tncfhh
-+
-+ATTRIBUTE	TNC-Status	1	integer
-+
-+VALUE	TNC-Status	Access	0 
-+VALUE	TNC-Status	Isolate	1
-+VALUE	TNC-Status	None	2
-+
-+END-VENDOR tncfhh
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure	2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure	2012-12-04 19:38:00.237420970 +0100
-@@ -1,61 +1,84 @@
- #! /bin/sh
- # From configure.in Revision.
- # Guess values for system-dependent variables and create Makefiles.
--# Generated by GNU Autoconf 2.61.
-+# Generated by GNU Autoconf 2.67.
-+#
- #
- # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
--# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
-+# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
-+# Foundation, Inc.
-+#
-+#
- # This configure script is free software; the Free Software Foundation
- # gives unlimited permission to copy, distribute and modify it.
--## --------------------- ##
--## M4sh Initialization.  ##
--## --------------------- ##
-+## -------------------- ##
-+## M4sh Initialization. ##
-+## -------------------- ##
- 
- # Be more Bourne compatible
- DUALCASE=1; export DUALCASE # for MKS sh
--if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
-   emulate sh
-   NULLCMD=:
--  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-+  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
-   # is contrary to our usage.  Disable this feature.
-   alias -g '${1+"$@"}'='"$@"'
-   setopt NO_GLOB_SUBST
- else
--  case `(set -o) 2>/dev/null` in
--  *posix*) set -o posix ;;
-+  case `(set -o) 2>/dev/null` in #(
-+  *posix*) :
-+    set -o posix ;; #(
-+  *) :
-+     ;;
- esac
--
- fi
- 
- 
--
--
--# PATH needs CR
--# Avoid depending upon Character Ranges.
--as_cr_letters='abcdefghijklmnopqrstuvwxyz'
--as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
--as_cr_Letters=$as_cr_letters$as_cr_LETTERS
--as_cr_digits='0123456789'
--as_cr_alnum=$as_cr_Letters$as_cr_digits
--
--# The user is always right.
--if test "${PATH_SEPARATOR+set}" != set; then
--  echo "#! /bin/sh" >conf$$.sh
--  echo  "exit 0"   >>conf$$.sh
--  chmod +x conf$$.sh
--  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
--    PATH_SEPARATOR=';'
-+as_nl='
-+'
-+export as_nl
-+# Printing a long string crashes Solaris 7 /usr/bin/printf.
-+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
-+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
-+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
-+# Prefer a ksh shell builtin over an external printf program on Solaris,
-+# but without wasting forks for bash or zsh.
-+if test -z "$BASH_VERSION$ZSH_VERSION" \
-+    && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
-+  as_echo='print -r --'
-+  as_echo_n='print -rn --'
-+elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
-+  as_echo='printf %s\n'
-+  as_echo_n='printf %s'
-+else
-+  if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
-+    as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
-+    as_echo_n='/usr/ucb/echo -n'
-   else
--    PATH_SEPARATOR=:
-+    as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
-+    as_echo_n_body='eval
-+      arg=$1;
-+      case $arg in #(
-+      *"$as_nl"*)
-+	expr "X$arg" : "X\\(.*\\)$as_nl";
-+	arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
-+      esac;
-+      expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
-+    '
-+    export as_echo_n_body
-+    as_echo_n='sh -c $as_echo_n_body as_echo'
-   fi
--  rm -f conf$$.sh
-+  export as_echo_body
-+  as_echo='sh -c $as_echo_body as_echo'
- fi
- 
--# Support unset when possible.
--if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
--  as_unset=unset
--else
--  as_unset=false
-+# The user is always right.
-+if test "${PATH_SEPARATOR+set}" != set; then
-+  PATH_SEPARATOR=:
-+  (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
-+    (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
-+      PATH_SEPARATOR=';'
-+  }
- fi
- 
- 
-@@ -64,20 +87,18 @@
- # there to prevent editors from complaining about space-tab.
- # (If _AS_PATH_WALK were called with IFS unset, it would disable word
- # splitting by setting IFS to empty value.)
--as_nl='
--'
- IFS=" ""	$as_nl"
- 
- # Find who we are.  Look in the path if we contain no directory separator.
--case $0 in
-+case $0 in #((
-   *[\\/]* ) as_myself=$0 ;;
-   *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
- for as_dir in $PATH
- do
-   IFS=$as_save_IFS
-   test -z "$as_dir" && as_dir=.
--  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
--done
-+    test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-+  done
- IFS=$as_save_IFS
- 
-      ;;
-@@ -88,354 +109,321 @@
-   as_myself=$0
- fi
- if test ! -f "$as_myself"; then
--  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
--  { (exit 1); exit 1; }
-+  $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
-+  exit 1
- fi
- 
--# Work around bugs in pre-3.0 UWIN ksh.
--for as_var in ENV MAIL MAILPATH
--do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-+# Unset variables that we do not need and which cause bugs (e.g. in
-+# pre-3.0 UWIN ksh).  But do not cause bugs in bash 2.01; the "|| exit 1"
-+# suppresses any "Segmentation fault" message there.  '((' could
-+# trigger a bug in pdksh 5.2.14.
-+for as_var in BASH_ENV ENV MAIL MAILPATH
-+do eval test x\${$as_var+set} = xset \
-+  && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
- done
- PS1='$ '
- PS2='> '
- PS4='+ '
- 
- # NLS nuisances.
--for as_var in \
--  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
--  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
--  LC_TELEPHONE LC_TIME
--do
--  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
--    eval $as_var=C; export $as_var
--  else
--    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
--  fi
--done
--
--# Required to use basename.
--if expr a : '\(a\)' >/dev/null 2>&1 &&
--   test "X`expr 00001 : '.*\(...\)'`" = X001; then
--  as_expr=expr
--else
--  as_expr=false
--fi
--
--if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
--  as_basename=basename
--else
--  as_basename=false
--fi
--
--
--# Name of the executable.
--as_me=`$as_basename -- "$0" ||
--$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
--	 X"$0" : 'X\(//\)$' \| \
--	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
--echo X/"$0" |
--    sed '/^.*\/\([^/][^/]*\)\/*$/{
--	    s//\1/
--	    q
--	  }
--	  /^X\/\(\/\/\)$/{
--	    s//\1/
--	    q
--	  }
--	  /^X\/\(\/\).*/{
--	    s//\1/
--	    q
--	  }
--	  s/.*/./; q'`
-+LC_ALL=C
-+export LC_ALL
-+LANGUAGE=C
-+export LANGUAGE
- 
- # CDPATH.
--$as_unset CDPATH
--
-+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
- 
- if test "x$CONFIG_SHELL" = x; then
--  if (eval ":") 2>/dev/null; then
--  as_have_required=yes
-+  as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
-+  emulate sh
-+  NULLCMD=:
-+  # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which
-+  # is contrary to our usage.  Disable this feature.
-+  alias -g '\${1+\"\$@\"}'='\"\$@\"'
-+  setopt NO_GLOB_SUBST
- else
--  as_have_required=no
-+  case \`(set -o) 2>/dev/null\` in #(
-+  *posix*) :
-+    set -o posix ;; #(
-+  *) :
-+     ;;
-+esac
- fi
--
--  if test $as_have_required = yes && 	 (eval ":
--(as_func_return () {
--  (exit \$1)
--}
--as_func_success () {
--  as_func_return 0
--}
--as_func_failure () {
--  as_func_return 1
--}
--as_func_ret_success () {
--  return 0
--}
--as_func_ret_failure () {
--  return 1
--}
-+"
-+  as_required="as_fn_return () { (exit \$1); }
-+as_fn_success () { as_fn_return 0; }
-+as_fn_failure () { as_fn_return 1; }
-+as_fn_ret_success () { return 0; }
-+as_fn_ret_failure () { return 1; }
- 
- exitcode=0
--if as_func_success; then
--  :
--else
--  exitcode=1
--  echo as_func_success failed.
--fi
--
--if as_func_failure; then
--  exitcode=1
--  echo as_func_failure succeeded.
--fi
--
--if as_func_ret_success; then
--  :
--else
--  exitcode=1
--  echo as_func_ret_success failed.
--fi
--
--if as_func_ret_failure; then
--  exitcode=1
--  echo as_func_ret_failure succeeded.
--fi
--
--if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
--  :
-+as_fn_success || { exitcode=1; echo as_fn_success failed.; }
-+as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; }
-+as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; }
-+as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; }
-+if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :
-+
-+else
-+  exitcode=1; echo positional parameters were not saved.
-+fi
-+test x\$exitcode = x0 || exit 1"
-+  as_suggested="  as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
-+  as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
-+  eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
-+  test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1
-+test \$(( 1 + 1 )) = 2 || exit 1"
-+  if (eval "$as_required") 2>/dev/null; then :
-+  as_have_required=yes
- else
--  exitcode=1
--  echo positional parameters were not saved.
-+  as_have_required=no
- fi
-+  if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then :
- 
--test \$exitcode = 0) || { (exit 1); exit 1; }
--
--(
--  as_lineno_1=\$LINENO
--  as_lineno_2=\$LINENO
--  test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" &&
--  test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; }
--") 2> /dev/null; then
--  :
- else
--  as_candidate_shells=
--    as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-+as_found=false
- for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
- do
-   IFS=$as_save_IFS
-   test -z "$as_dir" && as_dir=.
--  case $as_dir in
-+  as_found=:
-+  case $as_dir in #(
- 	 /*)
- 	   for as_base in sh bash ksh sh5; do
--	     as_candidate_shells="$as_candidate_shells $as_dir/$as_base"
-+	     # Try only shells that exist, to save several forks.
-+	     as_shell=$as_dir/$as_base
-+	     if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
-+		    { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then :
-+  CONFIG_SHELL=$as_shell as_have_required=yes
-+		   if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then :
-+  break 2
-+fi
-+fi
- 	   done;;
-        esac
-+  as_found=false
- done
-+$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } &&
-+	      { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then :
-+  CONFIG_SHELL=$SHELL as_have_required=yes
-+fi; }
- IFS=$as_save_IFS
- 
- 
--      for as_shell in $as_candidate_shells $SHELL; do
--	 # Try only shells that exist, to save several forks.
--	 if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
--		{ ("$as_shell") 2> /dev/null <<\_ASEOF
--if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
--  emulate sh
--  NULLCMD=:
--  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
--  # is contrary to our usage.  Disable this feature.
--  alias -g '${1+"$@"}'='"$@"'
--  setopt NO_GLOB_SUBST
--else
--  case `(set -o) 2>/dev/null` in
--  *posix*) set -o posix ;;
--esac
--
-+      if test "x$CONFIG_SHELL" != x; then :
-+  # We cannot yet assume a decent shell, so we have to provide a
-+	# neutralization value for shells without unset; and this also
-+	# works around shells that cannot unset nonexistent variables.
-+	BASH_ENV=/dev/null
-+	ENV=/dev/null
-+	(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
-+	export CONFIG_SHELL
-+	exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
-+fi
-+
-+    if test x$as_have_required = xno; then :
-+  $as_echo "$0: This script requires a shell more modern than all"
-+  $as_echo "$0: the shells that I found on your system."
-+  if test x${ZSH_VERSION+set} = xset ; then
-+    $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should"
-+    $as_echo "$0: be upgraded to zsh 4.3.4 or later."
-+  else
-+    $as_echo "$0: Please tell bug-autoconf@gnu.org about your system,
-+$0: including any error possibly output before this
-+$0: message. Then install a modern shell, or manually run
-+$0: the script under such a shell if you do have one."
-+  fi
-+  exit 1
- fi
--
--
--:
--_ASEOF
--}; then
--  CONFIG_SHELL=$as_shell
--	       as_have_required=yes
--	       if { "$as_shell" 2> /dev/null <<\_ASEOF
--if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
--  emulate sh
--  NULLCMD=:
--  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
--  # is contrary to our usage.  Disable this feature.
--  alias -g '${1+"$@"}'='"$@"'
--  setopt NO_GLOB_SUBST
--else
--  case `(set -o) 2>/dev/null` in
--  *posix*) set -o posix ;;
--esac
--
- fi
-+fi
-+SHELL=${CONFIG_SHELL-/bin/sh}
-+export SHELL
-+# Unset more variables known to interfere with behavior of common tools.
-+CLICOLOR_FORCE= GREP_OPTIONS=
-+unset CLICOLOR_FORCE GREP_OPTIONS
- 
--
--:
--(as_func_return () {
--  (exit $1)
--}
--as_func_success () {
--  as_func_return 0
--}
--as_func_failure () {
--  as_func_return 1
--}
--as_func_ret_success () {
--  return 0
--}
--as_func_ret_failure () {
--  return 1
-+## --------------------- ##
-+## M4sh Shell Functions. ##
-+## --------------------- ##
-+# as_fn_unset VAR
-+# ---------------
-+# Portably unset VAR.
-+as_fn_unset ()
-+{
-+  { eval $1=; unset $1;}
- }
-+as_unset=as_fn_unset
- 
--exitcode=0
--if as_func_success; then
--  :
--else
--  exitcode=1
--  echo as_func_success failed.
--fi
-+# as_fn_set_status STATUS
-+# -----------------------
-+# Set $? to STATUS, without forking.
-+as_fn_set_status ()
-+{
-+  return $1
-+} # as_fn_set_status
- 
--if as_func_failure; then
--  exitcode=1
--  echo as_func_failure succeeded.
--fi
-+# as_fn_exit STATUS
-+# -----------------
-+# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
-+as_fn_exit ()
-+{
-+  set +e
-+  as_fn_set_status $1
-+  exit $1
-+} # as_fn_exit
-+
-+# as_fn_mkdir_p
-+# -------------
-+# Create "$as_dir" as a directory, including parents if necessary.
-+as_fn_mkdir_p ()
-+{
- 
--if as_func_ret_success; then
--  :
--else
--  exitcode=1
--  echo as_func_ret_success failed.
--fi
-+  case $as_dir in #(
-+  -*) as_dir=./$as_dir;;
-+  esac
-+  test -d "$as_dir" || eval $as_mkdir_p || {
-+    as_dirs=
-+    while :; do
-+      case $as_dir in #(
-+      *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
-+      *) as_qdir=$as_dir;;
-+      esac
-+      as_dirs="'$as_qdir' $as_dirs"
-+      as_dir=`$as_dirname -- "$as_dir" ||
-+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-+	 X"$as_dir" : 'X\(//\)[^/]' \| \
-+	 X"$as_dir" : 'X\(//\)$' \| \
-+	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
-+$as_echo X"$as_dir" |
-+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-+	    s//\1/
-+	    q
-+	  }
-+	  /^X\(\/\/\)[^/].*/{
-+	    s//\1/
-+	    q
-+	  }
-+	  /^X\(\/\/\)$/{
-+	    s//\1/
-+	    q
-+	  }
-+	  /^X\(\/\).*/{
-+	    s//\1/
-+	    q
-+	  }
-+	  s/.*/./; q'`
-+      test -d "$as_dir" && break
-+    done
-+    test -z "$as_dirs" || eval "mkdir $as_dirs"
-+  } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
- 
--if as_func_ret_failure; then
--  exitcode=1
--  echo as_func_ret_failure succeeded.
--fi
- 
--if ( set x; as_func_ret_success y && test x = "$1" ); then
--  :
-+} # as_fn_mkdir_p
-+# as_fn_append VAR VALUE
-+# ----------------------
-+# Append the text in VALUE to the end of the definition contained in VAR. Take
-+# advantage of any shell optimizations that allow amortized linear growth over
-+# repeated appends, instead of the typical quadratic growth present in naive
-+# implementations.
-+if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
-+  eval 'as_fn_append ()
-+  {
-+    eval $1+=\$2
-+  }'
- else
--  exitcode=1
--  echo positional parameters were not saved.
--fi
--
--test $exitcode = 0) || { (exit 1); exit 1; }
--
--(
--  as_lineno_1=$LINENO
--  as_lineno_2=$LINENO
--  test "x$as_lineno_1" != "x$as_lineno_2" &&
--  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; }
--
--_ASEOF
--}; then
--  break
--fi
--
--fi
--
--      done
--
--      if test "x$CONFIG_SHELL" != x; then
--  for as_var in BASH_ENV ENV
--        do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
--        done
--        export CONFIG_SHELL
--        exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
--fi
--
--
--    if test $as_have_required = no; then
--  echo This script requires a shell more modern than all the
--      echo shells that I found on your system.  Please install a
--      echo modern shell, or manually run the script under such a
--      echo shell if you do have one.
--      { (exit 1); exit 1; }
--fi
--
--
--fi
--
--fi
--
-+  as_fn_append ()
-+  {
-+    eval $1=\$$1\$2
-+  }
-+fi # as_fn_append
-+
-+# as_fn_arith ARG...
-+# ------------------
-+# Perform arithmetic evaluation on the ARGs, and store the result in the
-+# global $as_val. Take advantage of shells that can avoid forks. The arguments
-+# must be portable across $(()) and expr.
-+if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
-+  eval 'as_fn_arith ()
-+  {
-+    as_val=$(( $* ))
-+  }'
-+else
-+  as_fn_arith ()
-+  {
-+    as_val=`expr "$@" || test $? -eq 1`
-+  }
-+fi # as_fn_arith
- 
- 
--(eval "as_func_return () {
--  (exit \$1)
--}
--as_func_success () {
--  as_func_return 0
--}
--as_func_failure () {
--  as_func_return 1
--}
--as_func_ret_success () {
--  return 0
--}
--as_func_ret_failure () {
--  return 1
--}
-+# as_fn_error STATUS ERROR [LINENO LOG_FD]
-+# ----------------------------------------
-+# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
-+# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
-+# script with STATUS, using 1 if that was 0.
-+as_fn_error ()
-+{
-+  as_status=$1; test $as_status -eq 0 && as_status=1
-+  if test "$4"; then
-+    as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+    $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
-+  fi
-+  $as_echo "$as_me: error: $2" >&2
-+  as_fn_exit $as_status
-+} # as_fn_error
- 
--exitcode=0
--if as_func_success; then
--  :
-+if expr a : '\(a\)' >/dev/null 2>&1 &&
-+   test "X`expr 00001 : '.*\(...\)'`" = X001; then
-+  as_expr=expr
- else
--  exitcode=1
--  echo as_func_success failed.
--fi
--
--if as_func_failure; then
--  exitcode=1
--  echo as_func_failure succeeded.
-+  as_expr=false
- fi
- 
--if as_func_ret_success; then
--  :
-+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
-+  as_basename=basename
- else
--  exitcode=1
--  echo as_func_ret_success failed.
--fi
--
--if as_func_ret_failure; then
--  exitcode=1
--  echo as_func_ret_failure succeeded.
-+  as_basename=false
- fi
- 
--if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
--  :
-+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
-+  as_dirname=dirname
- else
--  exitcode=1
--  echo positional parameters were not saved.
-+  as_dirname=false
- fi
- 
--test \$exitcode = 0") || {
--  echo No shell found that supports shell functions.
--  echo Please tell autoconf@gnu.org about your system,
--  echo including any error possibly output before this
--  echo message
--}
-+as_me=`$as_basename -- "$0" ||
-+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
-+	 X"$0" : 'X\(//\)$' \| \
-+	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
-+$as_echo X/"$0" |
-+    sed '/^.*\/\([^/][^/]*\)\/*$/{
-+	    s//\1/
-+	    q
-+	  }
-+	  /^X\/\(\/\/\)$/{
-+	    s//\1/
-+	    q
-+	  }
-+	  /^X\/\(\/\).*/{
-+	    s//\1/
-+	    q
-+	  }
-+	  s/.*/./; q'`
- 
-+# Avoid depending upon Character Ranges.
-+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-+as_cr_digits='0123456789'
-+as_cr_alnum=$as_cr_Letters$as_cr_digits
- 
- 
--  as_lineno_1=$LINENO
--  as_lineno_2=$LINENO
--  test "x$as_lineno_1" != "x$as_lineno_2" &&
--  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
--
--  # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
--  # uniformly replaced by the line number.  The first 'sed' inserts a
--  # line-number line after each line using $LINENO; the second 'sed'
--  # does the real work.  The second script uses 'N' to pair each
--  # line-number line with the line containing $LINENO, and appends
--  # trailing '-' during substitution so that $LINENO is not a special
--  # case at line end.
--  # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
--  # scripts with optimization help from Paolo Bonzini.  Blame Lee
--  # E. McMahon (1931-1989) for sed's syntax.  :-)
-+  as_lineno_1=$LINENO as_lineno_1a=$LINENO
-+  as_lineno_2=$LINENO as_lineno_2a=$LINENO
-+  eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" &&
-+  test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || {
-+  # Blame Lee E. McMahon (1931-1989) for sed's syntax.  :-)
-   sed -n '
-     p
-     /[$]LINENO/=
-@@ -452,8 +440,7 @@
-       s/-\n.*//
-     ' >$as_me.lineno &&
-   chmod +x "$as_me.lineno" ||
--    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
--   { (exit 1); exit 1; }; }
-+    { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }
- 
-   # Don't try to exec as it changes $[0], causing all sort of problems
-   # (the dirname of $[0] is not the place where we might find the
-@@ -463,49 +450,40 @@
-   exit
- }
- 
--
--if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
--  as_dirname=dirname
--else
--  as_dirname=false
--fi
--
- ECHO_C= ECHO_N= ECHO_T=
--case `echo -n x` in
-+case `echo -n x` in #(((((
- -n*)
--  case `echo 'x\c'` in
-+  case `echo 'xy\c'` in
-   *c*) ECHO_T='	';;	# ECHO_T is single tab character.
--  *)   ECHO_C='\c';;
-+  xy)  ECHO_C='\c';;
-+  *)   echo `echo ksh88 bug on AIX 6.1` > /dev/null
-+       ECHO_T='	';;
-   esac;;
- *)
-   ECHO_N='-n';;
- esac
- 
--if expr a : '\(a\)' >/dev/null 2>&1 &&
--   test "X`expr 00001 : '.*\(...\)'`" = X001; then
--  as_expr=expr
--else
--  as_expr=false
--fi
--
- rm -f conf$$ conf$$.exe conf$$.file
- if test -d conf$$.dir; then
-   rm -f conf$$.dir/conf$$.file
- else
-   rm -f conf$$.dir
--  mkdir conf$$.dir
-+  mkdir conf$$.dir 2>/dev/null
- fi
--echo >conf$$.file
--if ln -s conf$$.file conf$$ 2>/dev/null; then
--  as_ln_s='ln -s'
--  # ... but there are two gotchas:
--  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
--  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
--  # In both cases, we have to default to `cp -p'.
--  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-+if (echo >conf$$.file) 2>/dev/null; then
-+  if ln -s conf$$.file conf$$ 2>/dev/null; then
-+    as_ln_s='ln -s'
-+    # ... but there are two gotchas:
-+    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
-+    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-+    # In both cases, we have to default to `cp -p'.
-+    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-+      as_ln_s='cp -p'
-+  elif ln conf$$.file conf$$ 2>/dev/null; then
-+    as_ln_s=ln
-+  else
-     as_ln_s='cp -p'
--elif ln conf$$.file conf$$ 2>/dev/null; then
--  as_ln_s=ln
-+  fi
- else
-   as_ln_s='cp -p'
- fi
-@@ -513,7 +491,7 @@
- rmdir conf$$.dir 2>/dev/null
- 
- if mkdir -p . 2>/dev/null; then
--  as_mkdir_p=:
-+  as_mkdir_p='mkdir -p "$as_dir"'
- else
-   test -d ./-p && rmdir ./-p
-   as_mkdir_p=false
-@@ -530,12 +508,12 @@
-   as_test_x='
-     eval sh -c '\''
-       if test -d "$1"; then
--        test -d "$1/.";
-+	test -d "$1/.";
-       else
--	case $1 in
--        -*)set "./$1";;
-+	case $1 in #(
-+	-*)set "./$1";;
- 	esac;
--	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
-+	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
- 	???[sx]*):;;*)false;;esac;fi
-     '\'' sh
-   '
-@@ -549,11 +527,11 @@
- as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
- 
- 
--
--exec 7<&0 </dev/null 6>&1
-+test -n "$DJDIR" || exec 7<&0 </dev/null
-+exec 6>&1
- 
- # Name of the host.
--# hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
-+# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status,
- # so uname gets run too.
- ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
- 
-@@ -568,7 +546,6 @@
- subdirs=
- MFLAGS=
- MAKEFLAGS=
--SHELL=${CONFIG_SHELL-/bin/sh}
- 
- # Identity of this package.
- PACKAGE_NAME=
-@@ -576,58 +553,102 @@
- PACKAGE_VERSION=
- PACKAGE_STRING=
- PACKAGE_BUGREPORT=
-+PACKAGE_URL=
- 
- ac_unique_file="rlm_eap_tnc.c"
--ac_subst_vars='SHELL
--PATH_SEPARATOR
--PACKAGE_NAME
--PACKAGE_TARNAME
--PACKAGE_VERSION
--PACKAGE_STRING
--PACKAGE_BUGREPORT
--exec_prefix
--prefix
--program_transform_name
--bindir
--sbindir
--libexecdir
--datarootdir
--datadir
--sysconfdir
--sharedstatedir
--localstatedir
--includedir
--oldincludedir
--docdir
--infodir
--htmldir
--dvidir
--pdfdir
--psdir
--libdir
--localedir
--mandir
--DEFS
--ECHO_C
--ECHO_N
--ECHO_T
--LIBS
--build_alias
--host_alias
--target_alias
--CC
--CFLAGS
--LDFLAGS
--CPPFLAGS
--ac_ct_CC
--EXEEXT
--OBJEXT
--eap_tnc_cflags
--eap_tnc_ldflags
--targetname
-+# Factoring default headers for most tests.
-+ac_includes_default="\
-+#include <stdio.h>
-+#ifdef HAVE_SYS_TYPES_H
-+# include <sys/types.h>
-+#endif
-+#ifdef HAVE_SYS_STAT_H
-+# include <sys/stat.h>
-+#endif
-+#ifdef STDC_HEADERS
-+# include <stdlib.h>
-+# include <stddef.h>
-+#else
-+# ifdef HAVE_STDLIB_H
-+#  include <stdlib.h>
-+# endif
-+#endif
-+#ifdef HAVE_STRING_H
-+# if !defined STDC_HEADERS && defined HAVE_MEMORY_H
-+#  include <memory.h>
-+# endif
-+# include <string.h>
-+#endif
-+#ifdef HAVE_STRINGS_H
-+# include <strings.h>
-+#endif
-+#ifdef HAVE_INTTYPES_H
-+# include <inttypes.h>
-+#endif
-+#ifdef HAVE_STDINT_H
-+# include <stdint.h>
-+#endif
-+#ifdef HAVE_UNISTD_H
-+# include <unistd.h>
-+#endif"
-+
-+ac_subst_vars='LTLIBOBJS
- LIBOBJS
--LTLIBOBJS'
-+targetname
-+eap_tnc_ldflags
-+eap_tnc_cflags
-+EGREP
-+GREP
-+CPP
-+OBJEXT
-+EXEEXT
-+ac_ct_CC
-+CPPFLAGS
-+LDFLAGS
-+CFLAGS
-+CC
-+target_alias
-+host_alias
-+build_alias
-+LIBS
-+ECHO_T
-+ECHO_N
-+ECHO_C
-+DEFS
-+mandir
-+localedir
-+libdir
-+psdir
-+pdfdir
-+dvidir
-+htmldir
-+infodir
-+docdir
-+oldincludedir
-+includedir
-+localstatedir
-+sharedstatedir
-+sysconfdir
-+datadir
-+datarootdir
-+libexecdir
-+sbindir
-+bindir
-+program_transform_name
-+prefix
-+exec_prefix
-+PACKAGE_URL
-+PACKAGE_BUGREPORT
-+PACKAGE_STRING
-+PACKAGE_VERSION
-+PACKAGE_TARNAME
-+PACKAGE_NAME
-+PATH_SEPARATOR
-+SHELL'
- ac_subst_files=''
-+ac_user_opts='
-+enable_option_checking
-+'
-       ac_precious_vars='build_alias
- host_alias
- target_alias
-@@ -635,12 +656,15 @@
- CFLAGS
- LDFLAGS
- LIBS
--CPPFLAGS'
-+CPPFLAGS
-+CPP'
- 
- 
- # Initialize some variables set by options.
- ac_init_help=
- ac_init_version=false
-+ac_unrecognized_opts=
-+ac_unrecognized_sep=
- # The variables have the same names as the options, with
- # dashes changed to underlines.
- cache_file=/dev/null
-@@ -696,8 +720,9 @@
-   fi
- 
-   case $ac_option in
--  *=*)	ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
--  *)	ac_optarg=yes ;;
-+  *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
-+  *=)   ac_optarg= ;;
-+  *)    ac_optarg=yes ;;
-   esac
- 
-   # Accept the important Cygnus configure options, so we can diagnose typos.
-@@ -739,13 +764,20 @@
-     datarootdir=$ac_optarg ;;
- 
-   -disable-* | --disable-*)
--    ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
-+    ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
-     # Reject names that are not valid shell variable names.
--    expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
--      { echo "$as_me: error: invalid feature name: $ac_feature" >&2
--   { (exit 1); exit 1; }; }
--    ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
--    eval enable_$ac_feature=no ;;
-+    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-+      as_fn_error $? "invalid feature name: $ac_useropt"
-+    ac_useropt_orig=$ac_useropt
-+    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
-+    case $ac_user_opts in
-+      *"
-+"enable_$ac_useropt"
-+"*) ;;
-+      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig"
-+	 ac_unrecognized_sep=', ';;
-+    esac
-+    eval enable_$ac_useropt=no ;;
- 
-   -docdir | --docdir | --docdi | --doc | --do)
-     ac_prev=docdir ;;
-@@ -758,13 +790,20 @@
-     dvidir=$ac_optarg ;;
- 
-   -enable-* | --enable-*)
--    ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
-+    ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
-     # Reject names that are not valid shell variable names.
--    expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
--      { echo "$as_me: error: invalid feature name: $ac_feature" >&2
--   { (exit 1); exit 1; }; }
--    ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
--    eval enable_$ac_feature=\$ac_optarg ;;
-+    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-+      as_fn_error $? "invalid feature name: $ac_useropt"
-+    ac_useropt_orig=$ac_useropt
-+    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
-+    case $ac_user_opts in
-+      *"
-+"enable_$ac_useropt"
-+"*) ;;
-+      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig"
-+	 ac_unrecognized_sep=', ';;
-+    esac
-+    eval enable_$ac_useropt=\$ac_optarg ;;
- 
-   -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
-   | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
-@@ -955,22 +994,36 @@
-     ac_init_version=: ;;
- 
-   -with-* | --with-*)
--    ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
-+    ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
-     # Reject names that are not valid shell variable names.
--    expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
--      { echo "$as_me: error: invalid package name: $ac_package" >&2
--   { (exit 1); exit 1; }; }
--    ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
--    eval with_$ac_package=\$ac_optarg ;;
-+    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-+      as_fn_error $? "invalid package name: $ac_useropt"
-+    ac_useropt_orig=$ac_useropt
-+    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
-+    case $ac_user_opts in
-+      *"
-+"with_$ac_useropt"
-+"*) ;;
-+      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig"
-+	 ac_unrecognized_sep=', ';;
-+    esac
-+    eval with_$ac_useropt=\$ac_optarg ;;
- 
-   -without-* | --without-*)
--    ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
-+    ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'`
-     # Reject names that are not valid shell variable names.
--    expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
--      { echo "$as_me: error: invalid package name: $ac_package" >&2
--   { (exit 1); exit 1; }; }
--    ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
--    eval with_$ac_package=no ;;
-+    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-+      as_fn_error $? "invalid package name: $ac_useropt"
-+    ac_useropt_orig=$ac_useropt
-+    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
-+    case $ac_user_opts in
-+      *"
-+"with_$ac_useropt"
-+"*) ;;
-+      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig"
-+	 ac_unrecognized_sep=', ';;
-+    esac
-+    eval with_$ac_useropt=no ;;
- 
-   --x)
-     # Obsolete; use --with-x.
-@@ -990,25 +1043,25 @@
-   | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
-     x_libraries=$ac_optarg ;;
- 
--  -*) { echo "$as_me: error: unrecognized option: $ac_option
--Try \`$0 --help' for more information." >&2
--   { (exit 1); exit 1; }; }
-+  -*) as_fn_error $? "unrecognized option: \`$ac_option'
-+Try \`$0 --help' for more information"
-     ;;
- 
-   *=*)
-     ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
-     # Reject names that are not valid shell variable names.
--    expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null &&
--      { echo "$as_me: error: invalid variable name: $ac_envvar" >&2
--   { (exit 1); exit 1; }; }
-+    case $ac_envvar in #(
-+      '' | [0-9]* | *[!_$as_cr_alnum]* )
-+      as_fn_error $? "invalid variable name: \`$ac_envvar'" ;;
-+    esac
-     eval $ac_envvar=\$ac_optarg
-     export $ac_envvar ;;
- 
-   *)
-     # FIXME: should be removed in autoconf 3.0.
--    echo "$as_me: WARNING: you should use --build, --host, --target" >&2
-+    $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2
-     expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
--      echo "$as_me: WARNING: invalid host type: $ac_option" >&2
-+      $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2
-     : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
-     ;;
- 
-@@ -1017,23 +1070,36 @@
- 
- if test -n "$ac_prev"; then
-   ac_option=--`echo $ac_prev | sed 's/_/-/g'`
--  { echo "$as_me: error: missing argument to $ac_option" >&2
--   { (exit 1); exit 1; }; }
-+  as_fn_error $? "missing argument to $ac_option"
-+fi
-+
-+if test -n "$ac_unrecognized_opts"; then
-+  case $enable_option_checking in
-+    no) ;;
-+    fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;;
-+    *)     $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;;
-+  esac
- fi
- 
--# Be sure to have absolute directory names.
-+# Check all directory arguments for consistency.
- for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
- 		datadir sysconfdir sharedstatedir localstatedir includedir \
- 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
- 		libdir localedir mandir
- do
-   eval ac_val=\$$ac_var
-+  # Remove trailing slashes.
-+  case $ac_val in
-+    */ )
-+      ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'`
-+      eval $ac_var=\$ac_val;;
-+  esac
-+  # Be sure to have absolute directory names.
-   case $ac_val in
-     [\\/$]* | ?:[\\/]* )  continue;;
-     NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
-   esac
--  { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
--   { (exit 1); exit 1; }; }
-+  as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val"
- done
- 
- # There might be people who depend on the old broken behavior: `$host'
-@@ -1047,8 +1113,8 @@
- if test "x$host_alias" != x; then
-   if test "x$build_alias" = x; then
-     cross_compiling=maybe
--    echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
--    If a cross compiler is detected then cross compile mode will be used." >&2
-+    $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host.
-+    If a cross compiler is detected then cross compile mode will be used" >&2
-   elif test "x$build_alias" != "x$host_alias"; then
-     cross_compiling=yes
-   fi
-@@ -1063,23 +1129,21 @@
- ac_pwd=`pwd` && test -n "$ac_pwd" &&
- ac_ls_di=`ls -di .` &&
- ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
--  { echo "$as_me: error: Working directory cannot be determined" >&2
--   { (exit 1); exit 1; }; }
-+  as_fn_error $? "working directory cannot be determined"
- test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
--  { echo "$as_me: error: pwd does not report name of working directory" >&2
--   { (exit 1); exit 1; }; }
-+  as_fn_error $? "pwd does not report name of working directory"
- 
- 
- # Find the source files, if location was not specified.
- if test -z "$srcdir"; then
-   ac_srcdir_defaulted=yes
-   # Try the directory containing this script, then the parent directory.
--  ac_confdir=`$as_dirname -- "$0" ||
--$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
--	 X"$0" : 'X\(//\)[^/]' \| \
--	 X"$0" : 'X\(//\)$' \| \
--	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
--echo X"$0" |
-+  ac_confdir=`$as_dirname -- "$as_myself" ||
-+$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-+	 X"$as_myself" : 'X\(//\)[^/]' \| \
-+	 X"$as_myself" : 'X\(//\)$' \| \
-+	 X"$as_myself" : 'X\(/\)' \| . 2>/dev/null ||
-+$as_echo X"$as_myself" |
-     sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
- 	    s//\1/
- 	    q
-@@ -1106,13 +1170,11 @@
- fi
- if test ! -r "$srcdir/$ac_unique_file"; then
-   test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
--  { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
--   { (exit 1); exit 1; }; }
-+  as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir"
- fi
- ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
- ac_abs_confdir=`(
--	cd "$srcdir" && test -r "./$ac_unique_file" || { echo "$as_me: error: $ac_msg" >&2
--   { (exit 1); exit 1; }; }
-+	cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg"
- 	pwd)`
- # When building in place, set srcdir=.
- if test "$ac_abs_confdir" = "$ac_pwd"; then
-@@ -1152,7 +1214,7 @@
-       --help=short        display options specific to this package
-       --help=recursive    display the short help of all the included packages
-   -V, --version           display version information and exit
--  -q, --quiet, --silent   do not print \`checking...' messages
-+  -q, --quiet, --silent   do not print \`checking ...' messages
-       --cache-file=FILE   cache test results in FILE [disabled]
-   -C, --config-cache      alias for \`--cache-file=config.cache'
-   -n, --no-create         do not create output files
-@@ -1160,9 +1222,9 @@
- 
- Installation directories:
-   --prefix=PREFIX         install architecture-independent files in PREFIX
--			  [$ac_default_prefix]
-+                          [$ac_default_prefix]
-   --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
--			  [PREFIX]
-+                          [PREFIX]
- 
- By default, \`make install' will install all the files in
- \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc.  You can specify
-@@ -1172,25 +1234,25 @@
- For better control, use the options below.
- 
- Fine tuning of the installation directories:
--  --bindir=DIR           user executables [EPREFIX/bin]
--  --sbindir=DIR          system admin executables [EPREFIX/sbin]
--  --libexecdir=DIR       program executables [EPREFIX/libexec]
--  --sysconfdir=DIR       read-only single-machine data [PREFIX/etc]
--  --sharedstatedir=DIR   modifiable architecture-independent data [PREFIX/com]
--  --localstatedir=DIR    modifiable single-machine data [PREFIX/var]
--  --libdir=DIR           object code libraries [EPREFIX/lib]
--  --includedir=DIR       C header files [PREFIX/include]
--  --oldincludedir=DIR    C header files for non-gcc [/usr/include]
--  --datarootdir=DIR      read-only arch.-independent data root [PREFIX/share]
--  --datadir=DIR          read-only architecture-independent data [DATAROOTDIR]
--  --infodir=DIR          info documentation [DATAROOTDIR/info]
--  --localedir=DIR        locale-dependent data [DATAROOTDIR/locale]
--  --mandir=DIR           man documentation [DATAROOTDIR/man]
--  --docdir=DIR           documentation root [DATAROOTDIR/doc/PACKAGE]
--  --htmldir=DIR          html documentation [DOCDIR]
--  --dvidir=DIR           dvi documentation [DOCDIR]
--  --pdfdir=DIR           pdf documentation [DOCDIR]
--  --psdir=DIR            ps documentation [DOCDIR]
-+  --bindir=DIR            user executables [EPREFIX/bin]
-+  --sbindir=DIR           system admin executables [EPREFIX/sbin]
-+  --libexecdir=DIR        program executables [EPREFIX/libexec]
-+  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
-+  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
-+  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
-+  --libdir=DIR            object code libraries [EPREFIX/lib]
-+  --includedir=DIR        C header files [PREFIX/include]
-+  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
-+  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
-+  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
-+  --infodir=DIR           info documentation [DATAROOTDIR/info]
-+  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
-+  --mandir=DIR            man documentation [DATAROOTDIR/man]
-+  --docdir=DIR            documentation root [DATAROOTDIR/doc/PACKAGE]
-+  --htmldir=DIR           html documentation [DOCDIR]
-+  --dvidir=DIR            dvi documentation [DOCDIR]
-+  --pdfdir=DIR            pdf documentation [DOCDIR]
-+  --psdir=DIR             ps documentation [DOCDIR]
- _ACEOF
- 
-   cat <<\_ACEOF
-@@ -1207,12 +1269,14 @@
-   LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
-               nonstandard directory <lib dir>
-   LIBS        libraries to pass to the linker, e.g. -l<library>
--  CPPFLAGS    C/C++/Objective C preprocessor flags, e.g. -I<include dir> if
-+  CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
-               you have headers in a nonstandard directory <include dir>
-+  CPP         C preprocessor
- 
- Use these variables to override the choices made by `configure' or to help
- it to find libraries and programs with nonstandard names/locations.
- 
-+Report bugs to the package provider.
- _ACEOF
- ac_status=$?
- fi
-@@ -1220,15 +1284,17 @@
- if test "$ac_init_help" = "recursive"; then
-   # If there are subdirs, report their specific --help.
-   for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
--    test -d "$ac_dir" || continue
-+    test -d "$ac_dir" ||
-+      { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } ||
-+      continue
-     ac_builddir=.
- 
- case "$ac_dir" in
- .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
- *)
--  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
-+  ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
-   # A ".." for each directory in $ac_dir_suffix.
--  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
-+  ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
-   case $ac_top_builddir_sub in
-   "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
-   *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
-@@ -1264,7 +1330,7 @@
-       echo &&
-       $SHELL "$ac_srcdir/configure" --help=recursive
-     else
--      echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
-+      $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
-     fi || ac_status=$?
-     cd "$ac_pwd" || { ac_status=$?; break; }
-   done
-@@ -1274,21 +1340,305 @@
- if $ac_init_version; then
-   cat <<\_ACEOF
- configure
--generated by GNU Autoconf 2.61
-+generated by GNU Autoconf 2.67
- 
--Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
--2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
-+Copyright (C) 2010 Free Software Foundation, Inc.
- This configure script is free software; the Free Software Foundation
- gives unlimited permission to copy, distribute and modify it.
- _ACEOF
-   exit
- fi
-+
-+## ------------------------ ##
-+## Autoconf initialization. ##
-+## ------------------------ ##
-+
-+# ac_fn_c_try_compile LINENO
-+# --------------------------
-+# Try to compile conftest.$ac_ext, and return whether this succeeded.
-+ac_fn_c_try_compile ()
-+{
-+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+  rm -f conftest.$ac_objext
-+  if { { ac_try="$ac_compile"
-+case "(($ac_try" in
-+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+  *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+  (eval "$ac_compile") 2>conftest.err
-+  ac_status=$?
-+  if test -s conftest.err; then
-+    grep -v '^ *+' conftest.err >conftest.er1
-+    cat conftest.er1 >&5
-+    mv -f conftest.er1 conftest.err
-+  fi
-+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+  test $ac_status = 0; } && {
-+	 test -z "$ac_c_werror_flag" ||
-+	 test ! -s conftest.err
-+       } && test -s conftest.$ac_objext; then :
-+  ac_retval=0
-+else
-+  $as_echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+	ac_retval=1
-+fi
-+  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-+  as_fn_set_status $ac_retval
-+
-+} # ac_fn_c_try_compile
-+
-+# ac_fn_c_try_link LINENO
-+# -----------------------
-+# Try to link conftest.$ac_ext, and return whether this succeeded.
-+ac_fn_c_try_link ()
-+{
-+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+  rm -f conftest.$ac_objext conftest$ac_exeext
-+  if { { ac_try="$ac_link"
-+case "(($ac_try" in
-+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+  *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+  (eval "$ac_link") 2>conftest.err
-+  ac_status=$?
-+  if test -s conftest.err; then
-+    grep -v '^ *+' conftest.err >conftest.er1
-+    cat conftest.er1 >&5
-+    mv -f conftest.er1 conftest.err
-+  fi
-+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+  test $ac_status = 0; } && {
-+	 test -z "$ac_c_werror_flag" ||
-+	 test ! -s conftest.err
-+       } && test -s conftest$ac_exeext && {
-+	 test "$cross_compiling" = yes ||
-+	 $as_test_x conftest$ac_exeext
-+       }; then :
-+  ac_retval=0
-+else
-+  $as_echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+	ac_retval=1
-+fi
-+  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
-+  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
-+  # interfere with the next link command; also delete a directory that is
-+  # left behind by Apple's compiler.  We do this before executing the actions.
-+  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
-+  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-+  as_fn_set_status $ac_retval
-+
-+} # ac_fn_c_try_link
-+
-+# ac_fn_c_try_cpp LINENO
-+# ----------------------
-+# Try to preprocess conftest.$ac_ext, and return whether this succeeded.
-+ac_fn_c_try_cpp ()
-+{
-+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+  if { { ac_try="$ac_cpp conftest.$ac_ext"
-+case "(($ac_try" in
-+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+  *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err
-+  ac_status=$?
-+  if test -s conftest.err; then
-+    grep -v '^ *+' conftest.err >conftest.er1
-+    cat conftest.er1 >&5
-+    mv -f conftest.er1 conftest.err
-+  fi
-+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+  test $ac_status = 0; } > conftest.i && {
-+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-+	 test ! -s conftest.err
-+       }; then :
-+  ac_retval=0
-+else
-+  $as_echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+    ac_retval=1
-+fi
-+  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-+  as_fn_set_status $ac_retval
-+
-+} # ac_fn_c_try_cpp
-+
-+# ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES
-+# -------------------------------------------------------
-+# Tests whether HEADER exists, giving a warning if it cannot be compiled using
-+# the include files in INCLUDES and setting the cache variable VAR
-+# accordingly.
-+ac_fn_c_check_header_mongrel ()
-+{
-+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+  if eval "test \"\${$3+set}\"" = set; then :
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
-+$as_echo_n "checking for $2... " >&6; }
-+if eval "test \"\${$3+set}\"" = set; then :
-+  $as_echo_n "(cached) " >&6
-+fi
-+eval ac_res=\$$3
-+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
-+$as_echo "$ac_res" >&6; }
-+else
-+  # Is the header compilable?
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5
-+$as_echo_n "checking $2 usability... " >&6; }
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h.  */
-+$4
-+#include <$2>
-+_ACEOF
-+if ac_fn_c_try_compile "$LINENO"; then :
-+  ac_header_compiler=yes
-+else
-+  ac_header_compiler=no
-+fi
-+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5
-+$as_echo "$ac_header_compiler" >&6; }
-+
-+# Is the header present?
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5
-+$as_echo_n "checking $2 presence... " >&6; }
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h.  */
-+#include <$2>
-+_ACEOF
-+if ac_fn_c_try_cpp "$LINENO"; then :
-+  ac_header_preproc=yes
-+else
-+  ac_header_preproc=no
-+fi
-+rm -f conftest.err conftest.i conftest.$ac_ext
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5
-+$as_echo "$ac_header_preproc" >&6; }
-+
-+# So?  What about this header?
-+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #((
-+  yes:no: )
-+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5
-+$as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&2;}
-+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
-+$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
-+    ;;
-+  no:yes:* )
-+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5
-+$as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;}
-+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2:     check for missing prerequisite headers?" >&5
-+$as_echo "$as_me: WARNING: $2:     check for missing prerequisite headers?" >&2;}
-+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5
-+$as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;}
-+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2:     section \"Present But Cannot Be Compiled\"" >&5
-+$as_echo "$as_me: WARNING: $2:     section \"Present But Cannot Be Compiled\"" >&2;}
-+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
-+$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
-+    ;;
-+esac
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
-+$as_echo_n "checking for $2... " >&6; }
-+if eval "test \"\${$3+set}\"" = set; then :
-+  $as_echo_n "(cached) " >&6
-+else
-+  eval "$3=\$ac_header_compiler"
-+fi
-+eval ac_res=\$$3
-+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
-+$as_echo "$ac_res" >&6; }
-+fi
-+  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-+
-+} # ac_fn_c_check_header_mongrel
-+
-+# ac_fn_c_try_run LINENO
-+# ----------------------
-+# Try to link conftest.$ac_ext, and return whether this succeeded. Assumes
-+# that executables *can* be run.
-+ac_fn_c_try_run ()
-+{
-+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+  if { { ac_try="$ac_link"
-+case "(($ac_try" in
-+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+  *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+  (eval "$ac_link") 2>&5
-+  ac_status=$?
-+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+  test $ac_status = 0; } && { ac_try='./conftest$ac_exeext'
-+  { { case "(($ac_try" in
-+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+  *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+  (eval "$ac_try") 2>&5
-+  ac_status=$?
-+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+  test $ac_status = 0; }; }; then :
-+  ac_retval=0
-+else
-+  $as_echo "$as_me: program exited with status $ac_status" >&5
-+       $as_echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+       ac_retval=$ac_status
-+fi
-+  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
-+  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-+  as_fn_set_status $ac_retval
-+
-+} # ac_fn_c_try_run
-+
-+# ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES
-+# -------------------------------------------------------
-+# Tests whether HEADER exists and can be compiled using the include files in
-+# INCLUDES, setting the cache variable VAR accordingly.
-+ac_fn_c_check_header_compile ()
-+{
-+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
-+$as_echo_n "checking for $2... " >&6; }
-+if eval "test \"\${$3+set}\"" = set; then :
-+  $as_echo_n "(cached) " >&6
-+else
-+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h.  */
-+$4
-+#include <$2>
-+_ACEOF
-+if ac_fn_c_try_compile "$LINENO"; then :
-+  eval "$3=yes"
-+else
-+  eval "$3=no"
-+fi
-+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-+fi
-+eval ac_res=\$$3
-+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
-+$as_echo "$ac_res" >&6; }
-+  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-+
-+} # ac_fn_c_check_header_compile
- cat >config.log <<_ACEOF
- This file contains any messages produced by compilers while
- running configure, to aid debugging if configure makes a mistake.
- 
- It was created by $as_me, which was
--generated by GNU Autoconf 2.61.  Invocation command line was
-+generated by GNU Autoconf 2.67.  Invocation command line was
- 
-   $ $0 $@
- 
-@@ -1324,8 +1674,8 @@
- do
-   IFS=$as_save_IFS
-   test -z "$as_dir" && as_dir=.
--  echo "PATH: $as_dir"
--done
-+    $as_echo "PATH: $as_dir"
-+  done
- IFS=$as_save_IFS
- 
- } >&5
-@@ -1359,12 +1709,12 @@
-     | -silent | --silent | --silen | --sile | --sil)
-       continue ;;
-     *\'*)
--      ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
-+      ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
-     esac
-     case $ac_pass in
--    1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;;
-+    1) as_fn_append ac_configure_args0 " '$ac_arg'" ;;
-     2)
--      ac_configure_args1="$ac_configure_args1 '$ac_arg'"
-+      as_fn_append ac_configure_args1 " '$ac_arg'"
-       if test $ac_must_keep_next = true; then
- 	ac_must_keep_next=false # Got value, back to normal.
-       else
-@@ -1380,13 +1730,13 @@
- 	  -* ) ac_must_keep_next=true ;;
- 	esac
-       fi
--      ac_configure_args="$ac_configure_args '$ac_arg'"
-+      as_fn_append ac_configure_args " '$ac_arg'"
-       ;;
-     esac
-   done
- done
--$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; }
--$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; }
-+{ ac_configure_args0=; unset ac_configure_args0;}
-+{ ac_configure_args1=; unset ac_configure_args1;}
- 
- # When interrupted or exit'd, cleanup temporary files, and complete
- # config.log.  We remove comments because anyway the quotes in there
-@@ -1398,11 +1748,9 @@
-   {
-     echo
- 
--    cat <<\_ASBOX
--## ---------------- ##
-+    $as_echo "## ---------------- ##
- ## Cache variables. ##
--## ---------------- ##
--_ASBOX
-+## ---------------- ##"
-     echo
-     # The following way of writing the cache mishandles newlines in values,
- (
-@@ -1411,12 +1759,13 @@
-     case $ac_val in #(
-     *${as_nl}*)
-       case $ac_var in #(
--      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
--echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
-+      *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
-+$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
-       esac
-       case $ac_var in #(
-       _ | IFS | as_nl) ;; #(
--      *) $as_unset $ac_var ;;
-+      BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
-+      *) { eval $ac_var=; unset $ac_var;} ;;
-       esac ;;
-     esac
-   done
-@@ -1435,128 +1784,136 @@
- )
-     echo
- 
--    cat <<\_ASBOX
--## ----------------- ##
-+    $as_echo "## ----------------- ##
- ## Output variables. ##
--## ----------------- ##
--_ASBOX
-+## ----------------- ##"
-     echo
-     for ac_var in $ac_subst_vars
-     do
-       eval ac_val=\$$ac_var
-       case $ac_val in
--      *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
-+      *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
-       esac
--      echo "$ac_var='\''$ac_val'\''"
-+      $as_echo "$ac_var='\''$ac_val'\''"
-     done | sort
-     echo
- 
-     if test -n "$ac_subst_files"; then
--      cat <<\_ASBOX
--## ------------------- ##
-+      $as_echo "## ------------------- ##
- ## File substitutions. ##
--## ------------------- ##
--_ASBOX
-+## ------------------- ##"
-       echo
-       for ac_var in $ac_subst_files
-       do
- 	eval ac_val=\$$ac_var
- 	case $ac_val in
--	*\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
-+	*\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
- 	esac
--	echo "$ac_var='\''$ac_val'\''"
-+	$as_echo "$ac_var='\''$ac_val'\''"
-       done | sort
-       echo
-     fi
- 
-     if test -s confdefs.h; then
--      cat <<\_ASBOX
--## ----------- ##
-+      $as_echo "## ----------- ##
- ## confdefs.h. ##
--## ----------- ##
--_ASBOX
-+## ----------- ##"
-       echo
-       cat confdefs.h
-       echo
-     fi
-     test "$ac_signal" != 0 &&
--      echo "$as_me: caught signal $ac_signal"
--    echo "$as_me: exit $exit_status"
-+      $as_echo "$as_me: caught signal $ac_signal"
-+    $as_echo "$as_me: exit $exit_status"
-   } >&5
-   rm -f core *.core core.conftest.* &&
-     rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
-     exit $exit_status
- ' 0
- for ac_signal in 1 2 13 15; do
--  trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal
-+  trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal
- done
- ac_signal=0
- 
- # confdefs.h avoids OS command line length limits that DEFS can exceed.
- rm -f -r conftest* confdefs.h
- 
-+$as_echo "/* confdefs.h */" > confdefs.h
-+
- # Predefined preprocessor variables.
- 
- cat >>confdefs.h <<_ACEOF
- #define PACKAGE_NAME "$PACKAGE_NAME"
- _ACEOF
- 
--
- cat >>confdefs.h <<_ACEOF
- #define PACKAGE_TARNAME "$PACKAGE_TARNAME"
- _ACEOF
- 
--
- cat >>confdefs.h <<_ACEOF
- #define PACKAGE_VERSION "$PACKAGE_VERSION"
- _ACEOF
- 
--
- cat >>confdefs.h <<_ACEOF
- #define PACKAGE_STRING "$PACKAGE_STRING"
- _ACEOF
- 
--
- cat >>confdefs.h <<_ACEOF
- #define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
- _ACEOF
- 
-+cat >>confdefs.h <<_ACEOF
-+#define PACKAGE_URL "$PACKAGE_URL"
-+_ACEOF
-+
- 
- # Let the site file select an alternate cache file if it wants to.
--# Prefer explicitly selected file to automatically selected ones.
-+# Prefer an explicitly selected file to automatically selected ones.
-+ac_site_file1=NONE
-+ac_site_file2=NONE
- if test -n "$CONFIG_SITE"; then
--  set x "$CONFIG_SITE"
-+  # We do not want a PATH search for config.site.
-+  case $CONFIG_SITE in #((
-+    -*)  ac_site_file1=./$CONFIG_SITE;;
-+    */*) ac_site_file1=$CONFIG_SITE;;
-+    *)   ac_site_file1=./$CONFIG_SITE;;
-+  esac
- elif test "x$prefix" != xNONE; then
--  set x "$prefix/share/config.site" "$prefix/etc/config.site"
-+  ac_site_file1=$prefix/share/config.site
-+  ac_site_file2=$prefix/etc/config.site
- else
--  set x "$ac_default_prefix/share/config.site" \
--	"$ac_default_prefix/etc/config.site"
-+  ac_site_file1=$ac_default_prefix/share/config.site
-+  ac_site_file2=$ac_default_prefix/etc/config.site
- fi
--shift
--for ac_site_file
-+for ac_site_file in "$ac_site_file1" "$ac_site_file2"
- do
--  if test -r "$ac_site_file"; then
--    { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
--echo "$as_me: loading site script $ac_site_file" >&6;}
-+  test "x$ac_site_file" = xNONE && continue
-+  if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then
-+    { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5
-+$as_echo "$as_me: loading site script $ac_site_file" >&6;}
-     sed 's/^/| /' "$ac_site_file" >&5
--    . "$ac_site_file"
-+    . "$ac_site_file" \
-+      || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error $? "failed to load site script $ac_site_file
-+See \`config.log' for more details" "$LINENO" 5 ; }
-   fi
- done
- 
- if test -r "$cache_file"; then
--  # Some versions of bash will fail to source /dev/null (special
--  # files actually), so we avoid doing that.
--  if test -f "$cache_file"; then
--    { echo "$as_me:$LINENO: loading cache $cache_file" >&5
--echo "$as_me: loading cache $cache_file" >&6;}
-+  # Some versions of bash will fail to source /dev/null (special files
-+  # actually), so we avoid doing that.  DJGPP emulates it as a regular file.
-+  if test /dev/null != "$cache_file" && test -f "$cache_file"; then
-+    { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5
-+$as_echo "$as_me: loading cache $cache_file" >&6;}
-     case $cache_file in
-       [\\/]* | ?:[\\/]* ) . "$cache_file";;
-       *)                      . "./$cache_file";;
-     esac
-   fi
- else
--  { echo "$as_me:$LINENO: creating cache $cache_file" >&5
--echo "$as_me: creating cache $cache_file" >&6;}
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5
-+$as_echo "$as_me: creating cache $cache_file" >&6;}
-   >$cache_file
- fi
- 
-@@ -1570,60 +1927,56 @@
-   eval ac_new_val=\$ac_env_${ac_var}_value
-   case $ac_old_set,$ac_new_set in
-     set,)
--      { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
--echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
-+      { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
-+$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
-       ac_cache_corrupted=: ;;
-     ,set)
--      { echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5
--echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
-+      { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5
-+$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
-       ac_cache_corrupted=: ;;
-     ,);;
-     *)
-       if test "x$ac_old_val" != "x$ac_new_val"; then
--	{ echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5
--echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
--	{ echo "$as_me:$LINENO:   former value:  $ac_old_val" >&5
--echo "$as_me:   former value:  $ac_old_val" >&2;}
--	{ echo "$as_me:$LINENO:   current value: $ac_new_val" >&5
--echo "$as_me:   current value: $ac_new_val" >&2;}
--	ac_cache_corrupted=:
-+	# differences in whitespace do not lead to failure.
-+	ac_old_val_w=`echo x $ac_old_val`
-+	ac_new_val_w=`echo x $ac_new_val`
-+	if test "$ac_old_val_w" != "$ac_new_val_w"; then
-+	  { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5
-+$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
-+	  ac_cache_corrupted=:
-+	else
-+	  { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5
-+$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;}
-+	  eval $ac_var=\$ac_old_val
-+	fi
-+	{ $as_echo "$as_me:${as_lineno-$LINENO}:   former value:  \`$ac_old_val'" >&5
-+$as_echo "$as_me:   former value:  \`$ac_old_val'" >&2;}
-+	{ $as_echo "$as_me:${as_lineno-$LINENO}:   current value: \`$ac_new_val'" >&5
-+$as_echo "$as_me:   current value: \`$ac_new_val'" >&2;}
-       fi;;
-   esac
-   # Pass precious variables to config.status.
-   if test "$ac_new_set" = set; then
-     case $ac_new_val in
--    *\'*) ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
-+    *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
-     *) ac_arg=$ac_var=$ac_new_val ;;
-     esac
-     case " $ac_configure_args " in
-       *" '$ac_arg' "*) ;; # Avoid dups.  Use of quotes ensures accuracy.
--      *) ac_configure_args="$ac_configure_args '$ac_arg'" ;;
-+      *) as_fn_append ac_configure_args " '$ac_arg'" ;;
-     esac
-   fi
- done
- if $ac_cache_corrupted; then
--  { echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5
--echo "$as_me: error: changes in the environment can compromise the build" >&2;}
--  { { echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
--echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;}
--   { (exit 1); exit 1; }; }
--fi
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5
-+$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;}
-+  as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5
-+fi
-+## -------------------- ##
-+## Main body of script. ##
-+## -------------------- ##
- 
- ac_ext=c
- ac_cpp='$CPP $CPPFLAGS'
-@@ -1635,6 +1988,9 @@
- 
- 
- 
-+eap_tnc_cflags=
-+eap_tnc_ldflags=-lnaaeap
-+
- if test x$with_rlm_eap_tnc != xno; then
- 
- 	ac_ext=c
-@@ -1645,10 +2001,10 @@
- if test -n "$ac_tool_prefix"; then
-   # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
- set dummy ${ac_tool_prefix}gcc; ac_word=$2
--{ echo "$as_me:$LINENO: checking for $ac_word" >&5
--echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
--if test "${ac_cv_prog_CC+set}" = set; then
--  echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if test "${ac_cv_prog_CC+set}" = set; then :
-+  $as_echo_n "(cached) " >&6
- else
-   if test -n "$CC"; then
-   ac_cv_prog_CC="$CC" # Let the user override the test.
-@@ -1658,25 +2014,25 @@
- do
-   IFS=$as_save_IFS
-   test -z "$as_dir" && as_dir=.
--  for ac_exec_ext in '' $ac_executable_extensions; do
-+    for ac_exec_ext in '' $ac_executable_extensions; do
-   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-     ac_cv_prog_CC="${ac_tool_prefix}gcc"
--    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-     break 2
-   fi
- done
--done
-+  done
- IFS=$as_save_IFS
- 
- fi
- fi
- CC=$ac_cv_prog_CC
- if test -n "$CC"; then
--  { echo "$as_me:$LINENO: result: $CC" >&5
--echo "${ECHO_T}$CC" >&6; }
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
-+$as_echo "$CC" >&6; }
- else
--  { echo "$as_me:$LINENO: result: no" >&5
--echo "${ECHO_T}no" >&6; }
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
- fi
- 
- 
-@@ -1685,10 +2041,10 @@
-   ac_ct_CC=$CC
-   # Extract the first word of "gcc", so it can be a program name with args.
- set dummy gcc; ac_word=$2
--{ echo "$as_me:$LINENO: checking for $ac_word" >&5
--echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
--if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
--  echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
-+  $as_echo_n "(cached) " >&6
- else
-   if test -n "$ac_ct_CC"; then
-   ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-@@ -1698,25 +2054,25 @@
- do
-   IFS=$as_save_IFS
-   test -z "$as_dir" && as_dir=.
--  for ac_exec_ext in '' $ac_executable_extensions; do
-+    for ac_exec_ext in '' $ac_executable_extensions; do
-   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-     ac_cv_prog_ac_ct_CC="gcc"
--    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-     break 2
-   fi
- done
--done
-+  done
- IFS=$as_save_IFS
- 
- fi
- fi
- ac_ct_CC=$ac_cv_prog_ac_ct_CC
- if test -n "$ac_ct_CC"; then
--  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
--echo "${ECHO_T}$ac_ct_CC" >&6; }
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
-+$as_echo "$ac_ct_CC" >&6; }
- else
--  { echo "$as_me:$LINENO: result: no" >&5
--echo "${ECHO_T}no" >&6; }
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
- fi
- 
-   if test "x$ac_ct_CC" = x; then
-@@ -1724,12 +2080,8 @@
-   else
-     case $cross_compiling:$ac_tool_warned in
- yes:)
--{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
--whose name does not start with the host triplet.  If you think this
--configuration is useful to you, please write to autoconf@gnu.org." >&5
--echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
--whose name does not start with the host triplet.  If you think this
--configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
-+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
- ac_tool_warned=yes ;;
- esac
-     CC=$ac_ct_CC
-@@ -1742,10 +2094,10 @@
-           if test -n "$ac_tool_prefix"; then
-     # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
- set dummy ${ac_tool_prefix}cc; ac_word=$2
--{ echo "$as_me:$LINENO: checking for $ac_word" >&5
--echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
--if test "${ac_cv_prog_CC+set}" = set; then
--  echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if test "${ac_cv_prog_CC+set}" = set; then :
-+  $as_echo_n "(cached) " >&6
- else
-   if test -n "$CC"; then
-   ac_cv_prog_CC="$CC" # Let the user override the test.
-@@ -1755,25 +2107,25 @@
- do
-   IFS=$as_save_IFS
-   test -z "$as_dir" && as_dir=.
--  for ac_exec_ext in '' $ac_executable_extensions; do
-+    for ac_exec_ext in '' $ac_executable_extensions; do
-   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-     ac_cv_prog_CC="${ac_tool_prefix}cc"
--    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-     break 2
-   fi
- done
--done
-+  done
- IFS=$as_save_IFS
- 
- fi
- fi
- CC=$ac_cv_prog_CC
- if test -n "$CC"; then
--  { echo "$as_me:$LINENO: result: $CC" >&5
--echo "${ECHO_T}$CC" >&6; }
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
-+$as_echo "$CC" >&6; }
- else
--  { echo "$as_me:$LINENO: result: no" >&5
--echo "${ECHO_T}no" >&6; }
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
- fi
- 
- 
-@@ -1782,10 +2134,10 @@
- if test -z "$CC"; then
-   # Extract the first word of "cc", so it can be a program name with args.
- set dummy cc; ac_word=$2
--{ echo "$as_me:$LINENO: checking for $ac_word" >&5
--echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
--if test "${ac_cv_prog_CC+set}" = set; then
--  echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if test "${ac_cv_prog_CC+set}" = set; then :
-+  $as_echo_n "(cached) " >&6
- else
-   if test -n "$CC"; then
-   ac_cv_prog_CC="$CC" # Let the user override the test.
-@@ -1796,18 +2148,18 @@
- do
-   IFS=$as_save_IFS
-   test -z "$as_dir" && as_dir=.
--  for ac_exec_ext in '' $ac_executable_extensions; do
-+    for ac_exec_ext in '' $ac_executable_extensions; do
-   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-     if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
-        ac_prog_rejected=yes
-        continue
-      fi
-     ac_cv_prog_CC="cc"
--    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-     break 2
-   fi
- done
--done
-+  done
- IFS=$as_save_IFS
- 
- if test $ac_prog_rejected = yes; then
-@@ -1826,11 +2178,11 @@
- fi
- CC=$ac_cv_prog_CC
- if test -n "$CC"; then
--  { echo "$as_me:$LINENO: result: $CC" >&5
--echo "${ECHO_T}$CC" >&6; }
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
-+$as_echo "$CC" >&6; }
- else
--  { echo "$as_me:$LINENO: result: no" >&5
--echo "${ECHO_T}no" >&6; }
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
- fi
- 
- 
-@@ -1841,10 +2193,10 @@
-   do
-     # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
- set dummy $ac_tool_prefix$ac_prog; ac_word=$2
--{ echo "$as_me:$LINENO: checking for $ac_word" >&5
--echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
--if test "${ac_cv_prog_CC+set}" = set; then
--  echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if test "${ac_cv_prog_CC+set}" = set; then :
-+  $as_echo_n "(cached) " >&6
- else
-   if test -n "$CC"; then
-   ac_cv_prog_CC="$CC" # Let the user override the test.
-@@ -1854,25 +2206,25 @@
- do
-   IFS=$as_save_IFS
-   test -z "$as_dir" && as_dir=.
--  for ac_exec_ext in '' $ac_executable_extensions; do
-+    for ac_exec_ext in '' $ac_executable_extensions; do
-   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-     ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
--    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-     break 2
-   fi
- done
--done
-+  done
- IFS=$as_save_IFS
- 
- fi
- fi
- CC=$ac_cv_prog_CC
- if test -n "$CC"; then
--  { echo "$as_me:$LINENO: result: $CC" >&5
--echo "${ECHO_T}$CC" >&6; }
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
-+$as_echo "$CC" >&6; }
- else
--  { echo "$as_me:$LINENO: result: no" >&5
--echo "${ECHO_T}no" >&6; }
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
- fi
- 
- 
-@@ -1885,10 +2237,10 @@
- do
-   # Extract the first word of "$ac_prog", so it can be a program name with args.
- set dummy $ac_prog; ac_word=$2
--{ echo "$as_me:$LINENO: checking for $ac_word" >&5
--echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
--if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
--  echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
-+  $as_echo_n "(cached) " >&6
- else
-   if test -n "$ac_ct_CC"; then
-   ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-@@ -1898,25 +2250,25 @@
- do
-   IFS=$as_save_IFS
-   test -z "$as_dir" && as_dir=.
--  for ac_exec_ext in '' $ac_executable_extensions; do
-+    for ac_exec_ext in '' $ac_executable_extensions; do
-   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-     ac_cv_prog_ac_ct_CC="$ac_prog"
--    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-     break 2
-   fi
- done
--done
-+  done
- IFS=$as_save_IFS
- 
- fi
- fi
- ac_ct_CC=$ac_cv_prog_ac_ct_CC
- if test -n "$ac_ct_CC"; then
--  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
--echo "${ECHO_T}$ac_ct_CC" >&6; }
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
-+$as_echo "$ac_ct_CC" >&6; }
- else
--  { echo "$as_me:$LINENO: result: no" >&5
--echo "${ECHO_T}no" >&6; }
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
- fi
- 
- 
-@@ -1928,12 +2280,8 @@
-   else
-     case $cross_compiling:$ac_tool_warned in
- yes:)
--{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
--whose name does not start with the host triplet.  If you think this
--configuration is useful to you, please write to autoconf@gnu.org." >&5
--echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
--whose name does not start with the host triplet.  If you think this
--configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
-+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
- ac_tool_warned=yes ;;
- esac
-     CC=$ac_ct_CC
-@@ -1943,51 +2291,37 @@
- fi
- 
- 
--test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
--See \`config.log' for more details." >&5
--echo "$as_me: error: no acceptable C compiler found in \$PATH
--See \`config.log' for more details." >&2;}
--   { (exit 1); exit 1; }; }
-+test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error $? "no acceptable C compiler found in \$PATH
-+See \`config.log' for more details" "$LINENO" 5 ; }
- 
- # Provide some information about the compiler.
--echo "$as_me:$LINENO: checking for C compiler version" >&5
--ac_compiler=`set X $ac_compile; echo $2`
--{ (ac_try="$ac_compiler --version >&5"
--case "(($ac_try" in
--  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
--  *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
--  (eval "$ac_compiler --version >&5") 2>&5
--  ac_status=$?
--  echo "$as_me:$LINENO: \$? = $ac_status" >&5
--  (exit $ac_status); }
--{ (ac_try="$ac_compiler -v >&5"
--case "(($ac_try" in
--  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
--  *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
--  (eval "$ac_compiler -v >&5") 2>&5
--  ac_status=$?
--  echo "$as_me:$LINENO: \$? = $ac_status" >&5
--  (exit $ac_status); }
--{ (ac_try="$ac_compiler -V >&5"
-+$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5
-+set X $ac_compile
-+ac_compiler=$2
-+for ac_option in --version -v -V -qversion; do
-+  { { ac_try="$ac_compiler $ac_option >&5"
- case "(($ac_try" in
-   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-   *) ac_try_echo=$ac_try;;
- esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
--  (eval "$ac_compiler -V >&5") 2>&5
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+  (eval "$ac_compiler $ac_option >&5") 2>conftest.err
-   ac_status=$?
--  echo "$as_me:$LINENO: \$? = $ac_status" >&5
--  (exit $ac_status); }
-+  if test -s conftest.err; then
-+    sed '10a\
-+... rest of stderr output deleted ...
-+         10q' conftest.err >conftest.er1
-+    cat conftest.er1 >&5
-+  fi
-+  rm -f conftest.er1 conftest.err
-+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+  test $ac_status = 0; }
-+done
- 
--cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h.  */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h.  */
- 
- int
-@@ -1999,42 +2333,38 @@
- }
- _ACEOF
- ac_clean_files_save=$ac_clean_files
--ac_clean_files="$ac_clean_files a.out a.exe b.out"
-+ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out"
- # Try to create an executable without -o first, disregard a.out.
- # It will help us diagnose broken compilers, and finding out an intuition
- # of exeext.
--{ echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
--echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6; }
--ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
--#
--# List of possible output files, starting from the most likely.
--# The algorithm is not robust to junk in `.', hence go to wildcards (a.*)
--# only as a last resort.  b.out is created by i960 compilers.
--ac_files='a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out'
--#
--# The IRIX 6 linker writes into existing files which may not be
--# executable, retaining their permissions.  Remove them first so a
--# subsequent execution test works.
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5
-+$as_echo_n "checking whether the C compiler works... " >&6; }
-+ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
-+
-+# The possible output files:
-+ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*"
-+
- ac_rmfiles=
- for ac_file in $ac_files
- do
-   case $ac_file in
--    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
-+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
-     * ) ac_rmfiles="$ac_rmfiles $ac_file";;
-   esac
- done
- rm -f $ac_rmfiles
- 
--if { (ac_try="$ac_link_default"
-+if { { ac_try="$ac_link_default"
- case "(($ac_try" in
-   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-   *) ac_try_echo=$ac_try;;
- esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-   (eval "$ac_link_default") 2>&5
-   ac_status=$?
--  echo "$as_me:$LINENO: \$? = $ac_status" >&5
--  (exit $ac_status); }; then
-+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+  test $ac_status = 0; }; then :
-   # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
- # So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
- # in a Makefile.  We should not override ac_cv_exeext if it was cached,
-@@ -2044,14 +2374,14 @@
- do
-   test -f "$ac_file" || continue
-   case $ac_file in
--    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj )
-+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj )
- 	;;
-     [ab].out )
- 	# We found the default executable, but exeext='' is most
- 	# certainly right.
- 	break;;
-     *.* )
--        if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
-+	if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
- 	then :; else
- 	   ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
- 	fi
-@@ -2070,116 +2400,132 @@
- else
-   ac_file=''
- fi
--
--{ echo "$as_me:$LINENO: result: $ac_file" >&5
--echo "${ECHO_T}$ac_file" >&6; }
--if test -z "$ac_file"; then
--  echo "$as_me: failed program was:" >&5
-+if test -z "$ac_file"; then :
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
-+$as_echo "$as_me: failed program was:" >&5
- sed 's/^/| /' conftest.$ac_ext >&5
- 
--{ { echo "$as_me:$LINENO: error: C compiler cannot create executables
--See \`config.log' for more details." >&5
--echo "$as_me: error: C compiler cannot create executables
--See \`config.log' for more details." >&2;}
--   { (exit 77); exit 77; }; }
--fi
--
-+{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error 77 "C compiler cannot create executables
-+See \`config.log' for more details" "$LINENO" 5 ; }
-+else
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-+$as_echo "yes" >&6; }
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5
-+$as_echo_n "checking for C compiler default output file name... " >&6; }
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5
-+$as_echo "$ac_file" >&6; }
- ac_exeext=$ac_cv_exeext
- 
-+rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out
-+ac_clean_files=$ac_clean_files_save
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5
-+$as_echo_n "checking for suffix of executables... " >&6; }
-+if { { ac_try="$ac_link"
-+case "(($ac_try" in
-+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+  *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+  (eval "$ac_link") 2>&5
-+  ac_status=$?
-+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+  test $ac_status = 0; }; then :
-+  # If both `conftest.exe' and `conftest' are `present' (well, observable)
-+# catch `conftest.exe'.  For instance with Cygwin, `ls conftest' will
-+# work properly (i.e., refer to `conftest.exe'), while it won't with
-+# `rm'.
-+for ac_file in conftest.exe conftest conftest.*; do
-+  test -f "$ac_file" || continue
-+  case $ac_file in
-+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
-+    *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
-+	  break;;
-+    * ) break;;
-+  esac
-+done
-+else
-+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error $? "cannot compute suffix of executables: cannot compile and link
-+See \`config.log' for more details" "$LINENO" 5 ; }
-+fi
-+rm -f conftest conftest$ac_cv_exeext
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5
-+$as_echo "$ac_cv_exeext" >&6; }
-+
-+rm -f conftest.$ac_ext
-+EXEEXT=$ac_cv_exeext
-+ac_exeext=$EXEEXT
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h.  */
-+#include <stdio.h>
-+int
-+main ()
-+{
-+FILE *f = fopen ("conftest.out", "w");
-+ return ferror (f) || fclose (f) != 0;
-+
-+  ;
-+  return 0;
-+}
-+_ACEOF
-+ac_clean_files="$ac_clean_files conftest.out"
- # Check that the compiler produces executables we can run.  If not, either
- # the compiler is broken, or we cross compile.
--{ echo "$as_me:$LINENO: checking whether the C compiler works" >&5
--echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6; }
--# FIXME: These cross compiler hacks should be removed for Autoconf 3.0
--# If not cross compiling, check that we can run a simple program.
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5
-+$as_echo_n "checking whether we are cross compiling... " >&6; }
- if test "$cross_compiling" != yes; then
--  if { ac_try='./$ac_file'
--  { (case "(($ac_try" in
-+  { { ac_try="$ac_link"
-+case "(($ac_try" in
-+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+  *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+  (eval "$ac_link") 2>&5
-+  ac_status=$?
-+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+  test $ac_status = 0; }
-+  if { ac_try='./conftest$ac_cv_exeext'
-+  { { case "(($ac_try" in
-   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-   *) ac_try_echo=$ac_try;;
- esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-   (eval "$ac_try") 2>&5
-   ac_status=$?
--  echo "$as_me:$LINENO: \$? = $ac_status" >&5
--  (exit $ac_status); }; }; then
-+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+  test $ac_status = 0; }; }; then
-     cross_compiling=no
-   else
-     if test "$cross_compiling" = maybe; then
- 	cross_compiling=yes
-     else
--	{ { echo "$as_me:$LINENO: error: cannot run C compiled programs.
--If you meant to cross compile, use \`--host'.
--See \`config.log' for more details." >&5
--echo "$as_me: error: cannot run C compiled programs.
-+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error $? "cannot run C compiled programs.
- If you meant to cross compile, use \`--host'.
--See \`config.log' for more details." >&2;}
--   { (exit 1); exit 1; }; }
-+See \`config.log' for more details" "$LINENO" 5 ; }
-     fi
-   fi
- fi
--{ echo "$as_me:$LINENO: result: yes" >&5
--echo "${ECHO_T}yes" >&6; }
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5
-+$as_echo "$cross_compiling" >&6; }
- 
--rm -f a.out a.exe conftest$ac_cv_exeext b.out
-+rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out
- ac_clean_files=$ac_clean_files_save
--# Check that the compiler produces executables we can run.  If not, either
--# the compiler is broken, or we cross compile.
--{ echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
--echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6; }
--{ echo "$as_me:$LINENO: result: $cross_compiling" >&5
--echo "${ECHO_T}$cross_compiling" >&6; }
--
--{ echo "$as_me:$LINENO: checking for suffix of executables" >&5
--echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6; }
--if { (ac_try="$ac_link"
--case "(($ac_try" in
--  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
--  *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
--  (eval "$ac_link") 2>&5
--  ac_status=$?
--  echo "$as_me:$LINENO: \$? = $ac_status" >&5
--  (exit $ac_status); }; then
--  # If both `conftest.exe' and `conftest' are `present' (well, observable)
--# catch `conftest.exe'.  For instance with Cygwin, `ls conftest' will
--# work properly (i.e., refer to `conftest.exe'), while it won't with
--# `rm'.
--for ac_file in conftest.exe conftest conftest.*; do
--  test -f "$ac_file" || continue
--  case $ac_file in
--    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
--    *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
--	  break;;
--    * ) break;;
--  esac
--done
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5
-+$as_echo_n "checking for suffix of object files... " >&6; }
-+if test "${ac_cv_objext+set}" = set; then :
-+  $as_echo_n "(cached) " >&6
- else
--  { { echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link
--See \`config.log' for more details." >&5
--echo "$as_me: error: cannot compute suffix of executables: cannot compile and link
--See \`config.log' for more details." >&2;}
--   { (exit 1); exit 1; }; }
--fi
--
--rm -f conftest$ac_cv_exeext
--{ echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
--echo "${ECHO_T}$ac_cv_exeext" >&6; }
--
--rm -f conftest.$ac_ext
--EXEEXT=$ac_cv_exeext
--ac_exeext=$EXEEXT
--{ echo "$as_me:$LINENO: checking for suffix of object files" >&5
--echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6; }
--if test "${ac_cv_objext+set}" = set; then
--  echo $ECHO_N "(cached) $ECHO_C" >&6
--else
--  cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h.  */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h.  */
- 
- int
-@@ -2191,51 +2537,46 @@
- }
- _ACEOF
- rm -f conftest.o conftest.obj
--if { (ac_try="$ac_compile"
-+if { { ac_try="$ac_compile"
- case "(($ac_try" in
-   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-   *) ac_try_echo=$ac_try;;
- esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-   (eval "$ac_compile") 2>&5
-   ac_status=$?
--  echo "$as_me:$LINENO: \$? = $ac_status" >&5
--  (exit $ac_status); }; then
-+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+  test $ac_status = 0; }; then :
-   for ac_file in conftest.o conftest.obj conftest.*; do
-   test -f "$ac_file" || continue;
-   case $ac_file in
--    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf ) ;;
-+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;;
-     *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
-        break;;
-   esac
- done
- else
--  echo "$as_me: failed program was:" >&5
-+  $as_echo "$as_me: failed program was:" >&5
- sed 's/^/| /' conftest.$ac_ext >&5
- 
--{ { echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile
--See \`config.log' for more details." >&5
--echo "$as_me: error: cannot compute suffix of object files: cannot compile
--See \`config.log' for more details." >&2;}
--   { (exit 1); exit 1; }; }
-+{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error $? "cannot compute suffix of object files: cannot compile
-+See \`config.log' for more details" "$LINENO" 5 ; }
- fi
--
- rm -f conftest.$ac_cv_objext conftest.$ac_ext
- fi
--{ echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
--echo "${ECHO_T}$ac_cv_objext" >&6; }
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5
-+$as_echo "$ac_cv_objext" >&6; }
- OBJEXT=$ac_cv_objext
- ac_objext=$OBJEXT
--{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
--echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; }
--if test "${ac_cv_c_compiler_gnu+set}" = set; then
--  echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5
-+$as_echo_n "checking whether we are using the GNU C compiler... " >&6; }
-+if test "${ac_cv_c_compiler_gnu+set}" = set; then :
-+  $as_echo_n "(cached) " >&6
- else
--  cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h.  */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h.  */
- 
- int
-@@ -2249,54 +2590,34 @@
-   return 0;
- }
- _ACEOF
--rm -f conftest.$ac_objext
--if { (ac_try="$ac_compile"
--case "(($ac_try" in
--  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
--  *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
--  (eval "$ac_compile") 2>conftest.er1
--  ac_status=$?
--  grep -v '^ *+' conftest.er1 >conftest.err
--  rm -f conftest.er1
--  cat conftest.err >&5
--  echo "$as_me:$LINENO: \$? = $ac_status" >&5
--  (exit $ac_status); } && {
--	 test -z "$ac_c_werror_flag" ||
--	 test ! -s conftest.err
--       } && test -s conftest.$ac_objext; then
-+if ac_fn_c_try_compile "$LINENO"; then :
-   ac_compiler_gnu=yes
- else
--  echo "$as_me: failed program was:" >&5
--sed 's/^/| /' conftest.$ac_ext >&5
--
--	ac_compiler_gnu=no
-+  ac_compiler_gnu=no
- fi
--
- rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
- ac_cv_c_compiler_gnu=$ac_compiler_gnu
- 
- fi
--{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
--echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; }
--GCC=`test $ac_compiler_gnu = yes && echo yes`
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5
-+$as_echo "$ac_cv_c_compiler_gnu" >&6; }
-+if test $ac_compiler_gnu = yes; then
-+  GCC=yes
-+else
-+  GCC=
-+fi
- ac_test_CFLAGS=${CFLAGS+set}
- ac_save_CFLAGS=$CFLAGS
--{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
--echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; }
--if test "${ac_cv_prog_cc_g+set}" = set; then
--  echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5
-+$as_echo_n "checking whether $CC accepts -g... " >&6; }
-+if test "${ac_cv_prog_cc_g+set}" = set; then :
-+  $as_echo_n "(cached) " >&6
- else
-   ac_save_c_werror_flag=$ac_c_werror_flag
-    ac_c_werror_flag=yes
-    ac_cv_prog_cc_g=no
-    CFLAGS="-g"
--   cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h.  */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h.  */
- 
- int
-@@ -2307,34 +2628,11 @@
-   return 0;
- }
- _ACEOF
--rm -f conftest.$ac_objext
--if { (ac_try="$ac_compile"
--case "(($ac_try" in
--  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
--  *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
--  (eval "$ac_compile") 2>conftest.er1
--  ac_status=$?
--  grep -v '^ *+' conftest.er1 >conftest.err
--  rm -f conftest.er1
--  cat conftest.err >&5
--  echo "$as_me:$LINENO: \$? = $ac_status" >&5
--  (exit $ac_status); } && {
--	 test -z "$ac_c_werror_flag" ||
--	 test ! -s conftest.err
--       } && test -s conftest.$ac_objext; then
-+if ac_fn_c_try_compile "$LINENO"; then :
-   ac_cv_prog_cc_g=yes
- else
--  echo "$as_me: failed program was:" >&5
--sed 's/^/| /' conftest.$ac_ext >&5
--
--	CFLAGS=""
--      cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h.  */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+  CFLAGS=""
-+      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h.  */
- 
- int
-@@ -2345,35 +2643,12 @@
-   return 0;
- }
- _ACEOF
--rm -f conftest.$ac_objext
--if { (ac_try="$ac_compile"
--case "(($ac_try" in
--  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
--  *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
--  (eval "$ac_compile") 2>conftest.er1
--  ac_status=$?
--  grep -v '^ *+' conftest.er1 >conftest.err
--  rm -f conftest.er1
--  cat conftest.err >&5
--  echo "$as_me:$LINENO: \$? = $ac_status" >&5
--  (exit $ac_status); } && {
--	 test -z "$ac_c_werror_flag" ||
--	 test ! -s conftest.err
--       } && test -s conftest.$ac_objext; then
--  :
--else
--  echo "$as_me: failed program was:" >&5
--sed 's/^/| /' conftest.$ac_ext >&5
-+if ac_fn_c_try_compile "$LINENO"; then :
- 
--	ac_c_werror_flag=$ac_save_c_werror_flag
-+else
-+  ac_c_werror_flag=$ac_save_c_werror_flag
- 	 CFLAGS="-g"
--	 cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h.  */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h.  */
- 
- int
-@@ -2384,42 +2659,18 @@
-   return 0;
- }
- _ACEOF
--rm -f conftest.$ac_objext
--if { (ac_try="$ac_compile"
--case "(($ac_try" in
--  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
--  *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
--  (eval "$ac_compile") 2>conftest.er1
--  ac_status=$?
--  grep -v '^ *+' conftest.er1 >conftest.err
--  rm -f conftest.er1
--  cat conftest.err >&5
--  echo "$as_me:$LINENO: \$? = $ac_status" >&5
--  (exit $ac_status); } && {
--	 test -z "$ac_c_werror_flag" ||
--	 test ! -s conftest.err
--       } && test -s conftest.$ac_objext; then
-+if ac_fn_c_try_compile "$LINENO"; then :
-   ac_cv_prog_cc_g=yes
--else
--  echo "$as_me: failed program was:" >&5
--sed 's/^/| /' conftest.$ac_ext >&5
--
--
- fi
--
- rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
- fi
--
- rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
- fi
--
- rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-    ac_c_werror_flag=$ac_save_c_werror_flag
- fi
--{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
--echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; }
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5
-+$as_echo "$ac_cv_prog_cc_g" >&6; }
- if test "$ac_test_CFLAGS" = set; then
-   CFLAGS=$ac_save_CFLAGS
- elif test $ac_cv_prog_cc_g = yes; then
-@@ -2435,18 +2686,14 @@
-     CFLAGS=
-   fi
- fi
--{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
--echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; }
--if test "${ac_cv_prog_cc_c89+set}" = set; then
--  echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5
-+$as_echo_n "checking for $CC option to accept ISO C89... " >&6; }
-+if test "${ac_cv_prog_cc_c89+set}" = set; then :
-+  $as_echo_n "(cached) " >&6
- else
-   ac_cv_prog_cc_c89=no
- ac_save_CC=$CC
--cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h.  */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h.  */
- #include <stdarg.h>
- #include <stdio.h>
-@@ -2503,31 +2750,9 @@
- 	-Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
- do
-   CC="$ac_save_CC $ac_arg"
--  rm -f conftest.$ac_objext
--if { (ac_try="$ac_compile"
--case "(($ac_try" in
--  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
--  *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
--  (eval "$ac_compile") 2>conftest.er1
--  ac_status=$?
--  grep -v '^ *+' conftest.er1 >conftest.err
--  rm -f conftest.er1
--  cat conftest.err >&5
--  echo "$as_me:$LINENO: \$? = $ac_status" >&5
--  (exit $ac_status); } && {
--	 test -z "$ac_c_werror_flag" ||
--	 test ! -s conftest.err
--       } && test -s conftest.$ac_objext; then
-+  if ac_fn_c_try_compile "$LINENO"; then :
-   ac_cv_prog_cc_c89=$ac_arg
--else
--  echo "$as_me: failed program was:" >&5
--sed 's/^/| /' conftest.$ac_ext >&5
--
--
- fi
--
- rm -f core conftest.err conftest.$ac_objext
-   test "x$ac_cv_prog_cc_c89" != "xno" && break
- done
-@@ -2538,17 +2763,19 @@
- # AC_CACHE_VAL
- case "x$ac_cv_prog_cc_c89" in
-   x)
--    { echo "$as_me:$LINENO: result: none needed" >&5
--echo "${ECHO_T}none needed" >&6; } ;;
-+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5
-+$as_echo "none needed" >&6; } ;;
-   xno)
--    { echo "$as_me:$LINENO: result: unsupported" >&5
--echo "${ECHO_T}unsupported" >&6; } ;;
-+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5
-+$as_echo "unsupported" >&6; } ;;
-   *)
-     CC="$CC $ac_cv_prog_cc_c89"
--    { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
--echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;;
-+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5
-+$as_echo "$ac_cv_prog_cc_c89" >&6; } ;;
- esac
-+if test "x$ac_cv_prog_cc_c89" != xno; then :
- 
-+fi
- 
- ac_ext=c
- ac_cpp='$CPP $CPPFLAGS'
-@@ -2557,81 +2784,474 @@
- ac_compiler_gnu=$ac_cv_c_compiler_gnu
- 
- 
--
--{ echo "$as_me:$LINENO: checking for exchangeTNCCSMessages in -lTNCS" >&5
--echo $ECHO_N "checking for exchangeTNCCSMessages in -lTNCS... $ECHO_C" >&6; }
--if test "${ac_cv_lib_TNCS_exchangeTNCCSMessages+set}" = set; then
--  echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for processEAPTNCData in -lnaaeap" >&5
-+$as_echo_n "checking for processEAPTNCData in -lnaaeap... " >&6; }
-+if test "${ac_cv_lib_naaeap_processEAPTNCData+set}" = set; then :
-+  $as_echo_n "(cached) " >&6
- else
-   ac_check_lib_save_LIBS=$LIBS
--LIBS="-lTNCS  $LIBS"
--cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h.  */
-+LIBS="-lnaaeap  $LIBS"
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h.  */
-+
-+/* Override any GCC internal prototype to avoid an error.
-+   Use char because int might match the return type of a GCC
-+   builtin and then its argument prototype would still apply.  */
-+#ifdef __cplusplus
-+extern "C"
-+#endif
-+char processEAPTNCData ();
-+int
-+main ()
-+{
-+return processEAPTNCData ();
-+  ;
-+  return 0;
-+}
-+_ACEOF
-+if ac_fn_c_try_link "$LINENO"; then :
-+  ac_cv_lib_naaeap_processEAPTNCData=yes
-+else
-+  ac_cv_lib_naaeap_processEAPTNCData=no
-+fi
-+rm -f core conftest.err conftest.$ac_objext \
-+    conftest$ac_exeext conftest.$ac_ext
-+LIBS=$ac_check_lib_save_LIBS
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_naaeap_processEAPTNCData" >&5
-+$as_echo "$ac_cv_lib_naaeap_processEAPTNCData" >&6; }
-+if test "x$ac_cv_lib_naaeap_processEAPTNCData" = x""yes; then :
-+  cat >>confdefs.h <<_ACEOF
-+#define HAVE_LIBNAAEAP 1
-+_ACEOF
-+
-+  LIBS="-lnaaeap $LIBS"
-+
-+else
-+  fail="$fail -lnaaeap"
-+fi
-+
-+	if test -x"$ac_cv_lib_NAAEAP_processEAPTNCData" == -x"no"; then
-+		{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the NAAEAP library was not found!" >&5
-+$as_echo "$as_me: WARNING: the NAAEAP library was not found!" >&2;}
-+		fail="$fail -lNAAEAP"
-+	fi
-+
-+	ac_ext=c
-+ac_cpp='$CPP $CPPFLAGS'
-+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-+ac_compiler_gnu=$ac_cv_c_compiler_gnu
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5
-+$as_echo_n "checking how to run the C preprocessor... " >&6; }
-+# On Suns, sometimes $CPP names a directory.
-+if test -n "$CPP" && test -d "$CPP"; then
-+  CPP=
-+fi
-+if test -z "$CPP"; then
-+  if test "${ac_cv_prog_CPP+set}" = set; then :
-+  $as_echo_n "(cached) " >&6
-+else
-+      # Double quotes because CPP needs to be expanded
-+    for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
-+    do
-+      ac_preproc_ok=false
-+for ac_c_preproc_warn_flag in '' yes
-+do
-+  # Use a header file that comes with gcc, so configuring glibc
-+  # with a fresh cross-compiler works.
-+  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-+  # <limits.h> exists even on freestanding compilers.
-+  # On the NeXT, cc -E runs the code through the compiler's parser,
-+  # not just through cpp. "Syntax error" is here to catch this case.
-+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h.  */
-+#ifdef __STDC__
-+# include <limits.h>
-+#else
-+# include <assert.h>
-+#endif
-+		     Syntax error
-+_ACEOF
-+if ac_fn_c_try_cpp "$LINENO"; then :
-+
-+else
-+  # Broken: fails on valid input.
-+continue
-+fi
-+rm -f conftest.err conftest.i conftest.$ac_ext
-+
-+  # OK, works on sane cases.  Now check whether nonexistent headers
-+  # can be detected and how.
-+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h.  */
-+#include <ac_nonexistent.h>
-+_ACEOF
-+if ac_fn_c_try_cpp "$LINENO"; then :
-+  # Broken: success on invalid input.
-+continue
-+else
-+  # Passes both tests.
-+ac_preproc_ok=:
-+break
-+fi
-+rm -f conftest.err conftest.i conftest.$ac_ext
-+
-+done
-+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-+rm -f conftest.i conftest.err conftest.$ac_ext
-+if $ac_preproc_ok; then :
-+  break
-+fi
-+
-+    done
-+    ac_cv_prog_CPP=$CPP
-+
-+fi
-+  CPP=$ac_cv_prog_CPP
-+else
-+  ac_cv_prog_CPP=$CPP
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5
-+$as_echo "$CPP" >&6; }
-+ac_preproc_ok=false
-+for ac_c_preproc_warn_flag in '' yes
-+do
-+  # Use a header file that comes with gcc, so configuring glibc
-+  # with a fresh cross-compiler works.
-+  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-+  # <limits.h> exists even on freestanding compilers.
-+  # On the NeXT, cc -E runs the code through the compiler's parser,
-+  # not just through cpp. "Syntax error" is here to catch this case.
-+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h.  */
-+#ifdef __STDC__
-+# include <limits.h>
-+#else
-+# include <assert.h>
-+#endif
-+		     Syntax error
-+_ACEOF
-+if ac_fn_c_try_cpp "$LINENO"; then :
-+
-+else
-+  # Broken: fails on valid input.
-+continue
-+fi
-+rm -f conftest.err conftest.i conftest.$ac_ext
-+
-+  # OK, works on sane cases.  Now check whether nonexistent headers
-+  # can be detected and how.
-+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h.  */
-+#include <ac_nonexistent.h>
-+_ACEOF
-+if ac_fn_c_try_cpp "$LINENO"; then :
-+  # Broken: success on invalid input.
-+continue
-+else
-+  # Passes both tests.
-+ac_preproc_ok=:
-+break
-+fi
-+rm -f conftest.err conftest.i conftest.$ac_ext
-+
-+done
-+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-+rm -f conftest.i conftest.err conftest.$ac_ext
-+if $ac_preproc_ok; then :
-+
-+else
-+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error $? "C preprocessor \"$CPP\" fails sanity check
-+See \`config.log' for more details" "$LINENO" 5 ; }
-+fi
-+
-+ac_ext=c
-+ac_cpp='$CPP $CPPFLAGS'
-+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-+ac_compiler_gnu=$ac_cv_c_compiler_gnu
-+
-+
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5
-+$as_echo_n "checking for grep that handles long lines and -e... " >&6; }
-+if test "${ac_cv_path_GREP+set}" = set; then :
-+  $as_echo_n "(cached) " >&6
-+else
-+  if test -z "$GREP"; then
-+  ac_path_GREP_found=false
-+  # Loop through the user's path and test for each of PROGNAME-LIST
-+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
-+do
-+  IFS=$as_save_IFS
-+  test -z "$as_dir" && as_dir=.
-+    for ac_prog in grep ggrep; do
-+    for ac_exec_ext in '' $ac_executable_extensions; do
-+      ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
-+      { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
-+# Check for GNU ac_path_GREP and select it if it is found.
-+  # Check for GNU $ac_path_GREP
-+case `"$ac_path_GREP" --version 2>&1` in
-+*GNU*)
-+  ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;;
-+*)
-+  ac_count=0
-+  $as_echo_n 0123456789 >"conftest.in"
-+  while :
-+  do
-+    cat "conftest.in" "conftest.in" >"conftest.tmp"
-+    mv "conftest.tmp" "conftest.in"
-+    cp "conftest.in" "conftest.nl"
-+    $as_echo 'GREP' >> "conftest.nl"
-+    "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break
-+    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
-+    as_fn_arith $ac_count + 1 && ac_count=$as_val
-+    if test $ac_count -gt ${ac_path_GREP_max-0}; then
-+      # Best one so far, save it but keep looking for a better one
-+      ac_cv_path_GREP="$ac_path_GREP"
-+      ac_path_GREP_max=$ac_count
-+    fi
-+    # 10*(2^10) chars as input seems more than enough
-+    test $ac_count -gt 10 && break
-+  done
-+  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
-+esac
-+
-+      $ac_path_GREP_found && break 3
-+    done
-+  done
-+  done
-+IFS=$as_save_IFS
-+  if test -z "$ac_cv_path_GREP"; then
-+    as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
-+  fi
-+else
-+  ac_cv_path_GREP=$GREP
-+fi
-+
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5
-+$as_echo "$ac_cv_path_GREP" >&6; }
-+ GREP="$ac_cv_path_GREP"
-+
-+
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5
-+$as_echo_n "checking for egrep... " >&6; }
-+if test "${ac_cv_path_EGREP+set}" = set; then :
-+  $as_echo_n "(cached) " >&6
-+else
-+  if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
-+   then ac_cv_path_EGREP="$GREP -E"
-+   else
-+     if test -z "$EGREP"; then
-+  ac_path_EGREP_found=false
-+  # Loop through the user's path and test for each of PROGNAME-LIST
-+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
-+do
-+  IFS=$as_save_IFS
-+  test -z "$as_dir" && as_dir=.
-+    for ac_prog in egrep; do
-+    for ac_exec_ext in '' $ac_executable_extensions; do
-+      ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
-+      { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
-+# Check for GNU ac_path_EGREP and select it if it is found.
-+  # Check for GNU $ac_path_EGREP
-+case `"$ac_path_EGREP" --version 2>&1` in
-+*GNU*)
-+  ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;;
-+*)
-+  ac_count=0
-+  $as_echo_n 0123456789 >"conftest.in"
-+  while :
-+  do
-+    cat "conftest.in" "conftest.in" >"conftest.tmp"
-+    mv "conftest.tmp" "conftest.in"
-+    cp "conftest.in" "conftest.nl"
-+    $as_echo 'EGREP' >> "conftest.nl"
-+    "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
-+    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
-+    as_fn_arith $ac_count + 1 && ac_count=$as_val
-+    if test $ac_count -gt ${ac_path_EGREP_max-0}; then
-+      # Best one so far, save it but keep looking for a better one
-+      ac_cv_path_EGREP="$ac_path_EGREP"
-+      ac_path_EGREP_max=$ac_count
-+    fi
-+    # 10*(2^10) chars as input seems more than enough
-+    test $ac_count -gt 10 && break
-+  done
-+  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
-+esac
-+
-+      $ac_path_EGREP_found && break 3
-+    done
-+  done
-+  done
-+IFS=$as_save_IFS
-+  if test -z "$ac_cv_path_EGREP"; then
-+    as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
-+  fi
-+else
-+  ac_cv_path_EGREP=$EGREP
-+fi
-+
-+   fi
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5
-+$as_echo "$ac_cv_path_EGREP" >&6; }
-+ EGREP="$ac_cv_path_EGREP"
-+
-+
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
-+$as_echo_n "checking for ANSI C header files... " >&6; }
-+if test "${ac_cv_header_stdc+set}" = set; then :
-+  $as_echo_n "(cached) " >&6
-+else
-+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h.  */
-+#include <stdlib.h>
-+#include <stdarg.h>
-+#include <string.h>
-+#include <float.h>
-+
-+int
-+main ()
-+{
-+
-+  ;
-+  return 0;
-+}
-+_ACEOF
-+if ac_fn_c_try_compile "$LINENO"; then :
-+  ac_cv_header_stdc=yes
-+else
-+  ac_cv_header_stdc=no
-+fi
-+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-+
-+if test $ac_cv_header_stdc = yes; then
-+  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
-+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h.  */
-+#include <string.h>
-+
- _ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-+  $EGREP "memchr" >/dev/null 2>&1; then :
-+
-+else
-+  ac_cv_header_stdc=no
-+fi
-+rm -f conftest*
-+
-+fi
-+
-+if test $ac_cv_header_stdc = yes; then
-+  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
-+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h.  */
-+#include <stdlib.h>
-+
-+_ACEOF
-+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-+  $EGREP "free" >/dev/null 2>&1; then :
-+
-+else
-+  ac_cv_header_stdc=no
-+fi
-+rm -f conftest*
-+
-+fi
-+
-+if test $ac_cv_header_stdc = yes; then
-+  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
-+  if test "$cross_compiling" = yes; then :
-+  :
-+else
-+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h.  */
--
--/* Override any GCC internal prototype to avoid an error.
--   Use char because int might match the return type of a GCC
--   builtin and then its argument prototype would still apply.  */
--#ifdef __cplusplus
--extern "C"
-+#include <ctype.h>
-+#include <stdlib.h>
-+#if ((' ' & 0x0FF) == 0x020)
-+# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
-+# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
-+#else
-+# define ISLOWER(c) \
-+		   (('a' <= (c) && (c) <= 'i') \
-+		     || ('j' <= (c) && (c) <= 'r') \
-+		     || ('s' <= (c) && (c) <= 'z'))
-+# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
- #endif
--char exchangeTNCCSMessages ();
-+
-+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
- int
- main ()
- {
--return exchangeTNCCSMessages ();
--  ;
-+  int i;
-+  for (i = 0; i < 256; i++)
-+    if (XOR (islower (i), ISLOWER (i))
-+	|| toupper (i) != TOUPPER (i))
-+      return 2;
-   return 0;
- }
- _ACEOF
--rm -f conftest.$ac_objext conftest$ac_exeext
--if { (ac_try="$ac_link"
--case "(($ac_try" in
--  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
--  *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
--  (eval "$ac_link") 2>conftest.er1
--  ac_status=$?
--  grep -v '^ *+' conftest.er1 >conftest.err
--  rm -f conftest.er1
--  cat conftest.err >&5
--  echo "$as_me:$LINENO: \$? = $ac_status" >&5
--  (exit $ac_status); } && {
--	 test -z "$ac_c_werror_flag" ||
--	 test ! -s conftest.err
--       } && test -s conftest$ac_exeext &&
--       $as_test_x conftest$ac_exeext; then
--  ac_cv_lib_TNCS_exchangeTNCCSMessages=yes
-+if ac_fn_c_try_run "$LINENO"; then :
-+
- else
--  echo "$as_me: failed program was:" >&5
--sed 's/^/| /' conftest.$ac_ext >&5
-+  ac_cv_header_stdc=no
-+fi
-+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
-+  conftest.$ac_objext conftest.beam conftest.$ac_ext
-+fi
- 
--	ac_cv_lib_TNCS_exchangeTNCCSMessages=no
- fi
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5
-+$as_echo "$ac_cv_header_stdc" >&6; }
-+if test $ac_cv_header_stdc = yes; then
-+
-+$as_echo "#define STDC_HEADERS 1" >>confdefs.h
- 
--rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
--      conftest$ac_exeext conftest.$ac_ext
--LIBS=$ac_check_lib_save_LIBS
- fi
--{ echo "$as_me:$LINENO: result: $ac_cv_lib_TNCS_exchangeTNCCSMessages" >&5
--echo "${ECHO_T}$ac_cv_lib_TNCS_exchangeTNCCSMessages" >&6; }
--if test $ac_cv_lib_TNCS_exchangeTNCCSMessages = yes; then
-+
-+# On IRIX 5.3, sys/types and inttypes.h are conflicting.
-+for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
-+		  inttypes.h stdint.h unistd.h
-+do :
-+  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-+ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
-+"
-+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
-   cat >>confdefs.h <<_ACEOF
--#define HAVE_LIBTNCS 1
-+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
- _ACEOF
- 
--  LIBS="-lTNCS $LIBS"
-+fi
-+
-+done
-+
-+
-+for ac_header in naaeap/naaeap.h
-+do :
-+  ac_fn_c_check_header_mongrel "$LINENO" "naaeap/naaeap.h" "ac_cv_header_naaeap_naaeap_h" "$ac_includes_default"
-+if test "x$ac_cv_header_naaeap_naaeap_h" = x""yes; then :
-+  cat >>confdefs.h <<_ACEOF
-+#define HAVE_NAAEAP_NAAEAP_H 1
-+_ACEOF
- 
-+else
-+  fail="$fail -Inaaeap.h"
- fi
- 
--	if test "x$ac_cv_lib_tncs_exchangetnccsmessages" != xyes; then
--		{ echo "$as_me:$LINENO: WARNING: the TNCS library isn't found!" >&5
--echo "$as_me: WARNING: the TNCS library isn't found!" >&2;}
--		fail="$fail -lTNCS"
-+done
-+
-+	if test -x"$ac_cv_header_naaeap_h" == -x"no"; then
-+		{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the naaeap header was not found!" >&5
-+$as_echo "$as_me: WARNING: the naaeap header was not found!" >&2;}
-+		fail="$fail -Inaaeap.h"
- 	fi
- 
- 	targetname=rlm_eap_tnc
-@@ -2642,14 +3262,12 @@
- 
- if test x"$fail" != x""; then
- 	if test x"${enable_strict_dependencies}" = x"yes"; then
--		{ { echo "$as_me:$LINENO: error: set --without-rlm_eap_tnc to disable it explicitly." >&5
--echo "$as_me: error: set --without-rlm_eap_tnc to disable it explicitly." >&2;}
--   { (exit 1); exit 1; }; }
-+		as_fn_error $? "set --without-rlm_eap_tnc to disable it explicitly." "$LINENO" 5
- 	else
--		{ echo "$as_me:$LINENO: WARNING: silently not building rlm_eap_tnc." >&5
--echo "$as_me: WARNING: silently not building rlm_eap_tnc." >&2;}
--		{ echo "$as_me:$LINENO: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&5
--echo "$as_me: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&2;};
-+		{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: silently not building rlm_eap_tnc." >&5
-+$as_echo "$as_me: WARNING: silently not building rlm_eap_tnc." >&2;}
-+		{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&5
-+$as_echo "$as_me: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&2;};
- 		targetname=""
- 	fi
- fi
-@@ -2658,11 +3276,7 @@
- 
- 
- 
--
--  unset ac_cv_env_LIBS_set
--  unset ac_cv_env_LIBS_value
--
--  ac_config_files="$ac_config_files Makefile"
-+ac_config_files="$ac_config_files Makefile"
- 
- cat >confcache <<\_ACEOF
- # This file is a shell script that caches the results of configure
-@@ -2691,12 +3305,13 @@
-     case $ac_val in #(
-     *${as_nl}*)
-       case $ac_var in #(
--      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
--echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
-+      *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
-+$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
-       esac
-       case $ac_var in #(
-       _ | IFS | as_nl) ;; #(
--      *) $as_unset $ac_var ;;
-+      BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
-+      *) { eval $ac_var=; unset $ac_var;} ;;
-       esac ;;
-     esac
-   done
-@@ -2704,8 +3319,8 @@
-   (set) 2>&1 |
-     case $as_nl`(ac_space=' '; set) 2>&1` in #(
-     *${as_nl}ac_space=\ *)
--      # `set' does not quote correctly, so add quotes (double-quote
--      # substitution turns \\\\ into \\, and sed turns \\ into \).
-+      # `set' does not quote correctly, so add quotes: double-quote
-+      # substitution turns \\\\ into \\, and sed turns \\ into \.
-       sed -n \
- 	"s/'/'\\\\''/g;
- 	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
-@@ -2728,12 +3343,12 @@
- if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
-   if test -w "$cache_file"; then
-     test "x$cache_file" != "x/dev/null" &&
--      { echo "$as_me:$LINENO: updating cache $cache_file" >&5
--echo "$as_me: updating cache $cache_file" >&6;}
-+      { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5
-+$as_echo "$as_me: updating cache $cache_file" >&6;}
-     cat confcache >$cache_file
-   else
--    { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
--echo "$as_me: not updating unwritable cache $cache_file" >&6;}
-+    { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5
-+$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;}
-   fi
- fi
- rm -f confcache
-@@ -2750,6 +3365,12 @@
- # take arguments), then branch to the quote section.  Otherwise,
- # look for a macro that doesn't take arguments.
- ac_script='
-+:mline
-+/\\$/{
-+ N
-+ s,\\\n,,
-+ b mline
-+}
- t clear
- :clear
- s/^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 (][^	 (]*([^)]*)\)[	 ]*\(.*\)/-D\1=\2/g
-@@ -2776,14 +3397,15 @@
- 
- ac_libobjs=
- ac_ltlibobjs=
-+U=
- for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
-   # 1. Remove the extension, and $U if already installed.
-   ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
--  ac_i=`echo "$ac_i" | sed "$ac_script"`
-+  ac_i=`$as_echo "$ac_i" | sed "$ac_script"`
-   # 2. Prepend LIBOBJDIR.  When used with automake>=1.10 LIBOBJDIR
-   #    will be set to the directory where LIBOBJS objects are built.
--  ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext"
--  ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo'
-+  as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext"
-+  as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo'
- done
- LIBOBJS=$ac_libobjs
- 
-@@ -2792,11 +3414,13 @@
- 
- 
- : ${CONFIG_STATUS=./config.status}
-+ac_write_fail=0
- ac_clean_files_save=$ac_clean_files
- ac_clean_files="$ac_clean_files $CONFIG_STATUS"
--{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
--echo "$as_me: creating $CONFIG_STATUS" >&6;}
--cat >$CONFIG_STATUS <<_ACEOF
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5
-+$as_echo "$as_me: creating $CONFIG_STATUS" >&6;}
-+as_write_fail=0
-+cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1
- #! $SHELL
- # Generated by $as_me.
- # Run this file to recreate the current configuration.
-@@ -2806,59 +3430,79 @@
- debug=false
- ac_cs_recheck=false
- ac_cs_silent=false
--SHELL=\${CONFIG_SHELL-$SHELL}
--_ACEOF
- 
--cat >>$CONFIG_STATUS <<\_ACEOF
--## --------------------- ##
--## M4sh Initialization.  ##
--## --------------------- ##
-+SHELL=\${CONFIG_SHELL-$SHELL}
-+export SHELL
-+_ASEOF
-+cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1
-+## -------------------- ##
-+## M4sh Initialization. ##
-+## -------------------- ##
- 
- # Be more Bourne compatible
- DUALCASE=1; export DUALCASE # for MKS sh
--if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
-   emulate sh
-   NULLCMD=:
--  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-+  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
-   # is contrary to our usage.  Disable this feature.
-   alias -g '${1+"$@"}'='"$@"'
-   setopt NO_GLOB_SUBST
- else
--  case `(set -o) 2>/dev/null` in
--  *posix*) set -o posix ;;
-+  case `(set -o) 2>/dev/null` in #(
-+  *posix*) :
-+    set -o posix ;; #(
-+  *) :
-+     ;;
- esac
--
- fi
- 
- 
--
--
--# PATH needs CR
--# Avoid depending upon Character Ranges.
--as_cr_letters='abcdefghijklmnopqrstuvwxyz'
--as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
--as_cr_Letters=$as_cr_letters$as_cr_LETTERS
--as_cr_digits='0123456789'
--as_cr_alnum=$as_cr_Letters$as_cr_digits
--
--# The user is always right.
--if test "${PATH_SEPARATOR+set}" != set; then
--  echo "#! /bin/sh" >conf$$.sh
--  echo  "exit 0"   >>conf$$.sh
--  chmod +x conf$$.sh
--  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
--    PATH_SEPARATOR=';'
-+as_nl='
-+'
-+export as_nl
-+# Printing a long string crashes Solaris 7 /usr/bin/printf.
-+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
-+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
-+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
-+# Prefer a ksh shell builtin over an external printf program on Solaris,
-+# but without wasting forks for bash or zsh.
-+if test -z "$BASH_VERSION$ZSH_VERSION" \
-+    && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
-+  as_echo='print -r --'
-+  as_echo_n='print -rn --'
-+elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
-+  as_echo='printf %s\n'
-+  as_echo_n='printf %s'
-+else
-+  if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
-+    as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
-+    as_echo_n='/usr/ucb/echo -n'
-   else
--    PATH_SEPARATOR=:
-+    as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
-+    as_echo_n_body='eval
-+      arg=$1;
-+      case $arg in #(
-+      *"$as_nl"*)
-+	expr "X$arg" : "X\\(.*\\)$as_nl";
-+	arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
-+      esac;
-+      expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
-+    '
-+    export as_echo_n_body
-+    as_echo_n='sh -c $as_echo_n_body as_echo'
-   fi
--  rm -f conf$$.sh
-+  export as_echo_body
-+  as_echo='sh -c $as_echo_body as_echo'
- fi
- 
--# Support unset when possible.
--if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
--  as_unset=unset
--else
--  as_unset=false
-+# The user is always right.
-+if test "${PATH_SEPARATOR+set}" != set; then
-+  PATH_SEPARATOR=:
-+  (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
-+    (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
-+      PATH_SEPARATOR=';'
-+  }
- fi
- 
- 
-@@ -2867,20 +3511,18 @@
- # there to prevent editors from complaining about space-tab.
- # (If _AS_PATH_WALK were called with IFS unset, it would disable word
- # splitting by setting IFS to empty value.)
--as_nl='
--'
- IFS=" ""	$as_nl"
- 
- # Find who we are.  Look in the path if we contain no directory separator.
--case $0 in
-+case $0 in #((
-   *[\\/]* ) as_myself=$0 ;;
-   *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
- for as_dir in $PATH
- do
-   IFS=$as_save_IFS
-   test -z "$as_dir" && as_dir=.
--  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
--done
-+    test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-+  done
- IFS=$as_save_IFS
- 
-      ;;
-@@ -2891,32 +3533,111 @@
-   as_myself=$0
- fi
- if test ! -f "$as_myself"; then
--  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
--  { (exit 1); exit 1; }
-+  $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
-+  exit 1
- fi
- 
--# Work around bugs in pre-3.0 UWIN ksh.
--for as_var in ENV MAIL MAILPATH
--do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-+# Unset variables that we do not need and which cause bugs (e.g. in
-+# pre-3.0 UWIN ksh).  But do not cause bugs in bash 2.01; the "|| exit 1"
-+# suppresses any "Segmentation fault" message there.  '((' could
-+# trigger a bug in pdksh 5.2.14.
-+for as_var in BASH_ENV ENV MAIL MAILPATH
-+do eval test x\${$as_var+set} = xset \
-+  && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
- done
- PS1='$ '
- PS2='> '
- PS4='+ '
- 
- # NLS nuisances.
--for as_var in \
--  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
--  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
--  LC_TELEPHONE LC_TIME
--do
--  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
--    eval $as_var=C; export $as_var
--  else
--    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-+LC_ALL=C
-+export LC_ALL
-+LANGUAGE=C
-+export LANGUAGE
-+
-+# CDPATH.
-+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-+
-+
-+# as_fn_error STATUS ERROR [LINENO LOG_FD]
-+# ----------------------------------------
-+# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
-+# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
-+# script with STATUS, using 1 if that was 0.
-+as_fn_error ()
-+{
-+  as_status=$1; test $as_status -eq 0 && as_status=1
-+  if test "$4"; then
-+    as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+    $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
-   fi
--done
-+  $as_echo "$as_me: error: $2" >&2
-+  as_fn_exit $as_status
-+} # as_fn_error
-+
-+
-+# as_fn_set_status STATUS
-+# -----------------------
-+# Set $? to STATUS, without forking.
-+as_fn_set_status ()
-+{
-+  return $1
-+} # as_fn_set_status
-+
-+# as_fn_exit STATUS
-+# -----------------
-+# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
-+as_fn_exit ()
-+{
-+  set +e
-+  as_fn_set_status $1
-+  exit $1
-+} # as_fn_exit
-+
-+# as_fn_unset VAR
-+# ---------------
-+# Portably unset VAR.
-+as_fn_unset ()
-+{
-+  { eval $1=; unset $1;}
-+}
-+as_unset=as_fn_unset
-+# as_fn_append VAR VALUE
-+# ----------------------
-+# Append the text in VALUE to the end of the definition contained in VAR. Take
-+# advantage of any shell optimizations that allow amortized linear growth over
-+# repeated appends, instead of the typical quadratic growth present in naive
-+# implementations.
-+if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
-+  eval 'as_fn_append ()
-+  {
-+    eval $1+=\$2
-+  }'
-+else
-+  as_fn_append ()
-+  {
-+    eval $1=\$$1\$2
-+  }
-+fi # as_fn_append
-+
-+# as_fn_arith ARG...
-+# ------------------
-+# Perform arithmetic evaluation on the ARGs, and store the result in the
-+# global $as_val. Take advantage of shells that can avoid forks. The arguments
-+# must be portable across $(()) and expr.
-+if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
-+  eval 'as_fn_arith ()
-+  {
-+    as_val=$(( $* ))
-+  }'
-+else
-+  as_fn_arith ()
-+  {
-+    as_val=`expr "$@" || test $? -eq 1`
-+  }
-+fi # as_fn_arith
-+
- 
--# Required to use basename.
- if expr a : '\(a\)' >/dev/null 2>&1 &&
-    test "X`expr 00001 : '.*\(...\)'`" = X001; then
-   as_expr=expr
-@@ -2930,13 +3651,17 @@
-   as_basename=false
- fi
- 
-+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
-+  as_dirname=dirname
-+else
-+  as_dirname=false
-+fi
- 
--# Name of the executable.
- as_me=`$as_basename -- "$0" ||
- $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
- 	 X"$0" : 'X\(//\)$' \| \
- 	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
--echo X/"$0" |
-+$as_echo X/"$0" |
-     sed '/^.*\/\([^/][^/]*\)\/*$/{
- 	    s//\1/
- 	    q
-@@ -2951,104 +3676,103 @@
- 	  }
- 	  s/.*/./; q'`
- 
--# CDPATH.
--$as_unset CDPATH
--
--
--
--  as_lineno_1=$LINENO
--  as_lineno_2=$LINENO
--  test "x$as_lineno_1" != "x$as_lineno_2" &&
--  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
--
--  # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
--  # uniformly replaced by the line number.  The first 'sed' inserts a
--  # line-number line after each line using $LINENO; the second 'sed'
--  # does the real work.  The second script uses 'N' to pair each
--  # line-number line with the line containing $LINENO, and appends
--  # trailing '-' during substitution so that $LINENO is not a special
--  # case at line end.
--  # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
--  # scripts with optimization help from Paolo Bonzini.  Blame Lee
--  # E. McMahon (1931-1989) for sed's syntax.  :-)
--  sed -n '
--    p
--    /[$]LINENO/=
--  ' <$as_myself |
--    sed '
--      s/[$]LINENO.*/&-/
--      t lineno
--      b
--      :lineno
--      N
--      :loop
--      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
--      t loop
--      s/-\n.*//
--    ' >$as_me.lineno &&
--  chmod +x "$as_me.lineno" ||
--    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
--   { (exit 1); exit 1; }; }
--
--  # Don't try to exec as it changes $[0], causing all sort of problems
--  # (the dirname of $[0] is not the place where we might find the
--  # original and so on.  Autoconf is especially sensitive to this).
--  . "./$as_me.lineno"
--  # Exit status is that of the last command.
--  exit
--}
--
--
--if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
--  as_dirname=dirname
--else
--  as_dirname=false
--fi
-+# Avoid depending upon Character Ranges.
-+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-+as_cr_digits='0123456789'
-+as_cr_alnum=$as_cr_Letters$as_cr_digits
- 
- ECHO_C= ECHO_N= ECHO_T=
--case `echo -n x` in
-+case `echo -n x` in #(((((
- -n*)
--  case `echo 'x\c'` in
-+  case `echo 'xy\c'` in
-   *c*) ECHO_T='	';;	# ECHO_T is single tab character.
--  *)   ECHO_C='\c';;
-+  xy)  ECHO_C='\c';;
-+  *)   echo `echo ksh88 bug on AIX 6.1` > /dev/null
-+       ECHO_T='	';;
-   esac;;
- *)
-   ECHO_N='-n';;
- esac
- 
--if expr a : '\(a\)' >/dev/null 2>&1 &&
--   test "X`expr 00001 : '.*\(...\)'`" = X001; then
--  as_expr=expr
--else
--  as_expr=false
--fi
--
- rm -f conf$$ conf$$.exe conf$$.file
- if test -d conf$$.dir; then
-   rm -f conf$$.dir/conf$$.file
- else
-   rm -f conf$$.dir
--  mkdir conf$$.dir
-+  mkdir conf$$.dir 2>/dev/null
- fi
--echo >conf$$.file
--if ln -s conf$$.file conf$$ 2>/dev/null; then
--  as_ln_s='ln -s'
--  # ... but there are two gotchas:
--  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
--  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
--  # In both cases, we have to default to `cp -p'.
--  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-+if (echo >conf$$.file) 2>/dev/null; then
-+  if ln -s conf$$.file conf$$ 2>/dev/null; then
-+    as_ln_s='ln -s'
-+    # ... but there are two gotchas:
-+    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
-+    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-+    # In both cases, we have to default to `cp -p'.
-+    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-+      as_ln_s='cp -p'
-+  elif ln conf$$.file conf$$ 2>/dev/null; then
-+    as_ln_s=ln
-+  else
-     as_ln_s='cp -p'
--elif ln conf$$.file conf$$ 2>/dev/null; then
--  as_ln_s=ln
-+  fi
- else
-   as_ln_s='cp -p'
- fi
- rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
- rmdir conf$$.dir 2>/dev/null
- 
-+
-+# as_fn_mkdir_p
-+# -------------
-+# Create "$as_dir" as a directory, including parents if necessary.
-+as_fn_mkdir_p ()
-+{
-+
-+  case $as_dir in #(
-+  -*) as_dir=./$as_dir;;
-+  esac
-+  test -d "$as_dir" || eval $as_mkdir_p || {
-+    as_dirs=
-+    while :; do
-+      case $as_dir in #(
-+      *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
-+      *) as_qdir=$as_dir;;
-+      esac
-+      as_dirs="'$as_qdir' $as_dirs"
-+      as_dir=`$as_dirname -- "$as_dir" ||
-+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-+	 X"$as_dir" : 'X\(//\)[^/]' \| \
-+	 X"$as_dir" : 'X\(//\)$' \| \
-+	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
-+$as_echo X"$as_dir" |
-+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-+	    s//\1/
-+	    q
-+	  }
-+	  /^X\(\/\/\)[^/].*/{
-+	    s//\1/
-+	    q
-+	  }
-+	  /^X\(\/\/\)$/{
-+	    s//\1/
-+	    q
-+	  }
-+	  /^X\(\/\).*/{
-+	    s//\1/
-+	    q
-+	  }
-+	  s/.*/./; q'`
-+      test -d "$as_dir" && break
-+    done
-+    test -z "$as_dirs" || eval "mkdir $as_dirs"
-+  } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
-+
-+
-+} # as_fn_mkdir_p
- if mkdir -p . 2>/dev/null; then
--  as_mkdir_p=:
-+  as_mkdir_p='mkdir -p "$as_dir"'
- else
-   test -d ./-p && rmdir ./-p
-   as_mkdir_p=false
-@@ -3065,12 +3789,12 @@
-   as_test_x='
-     eval sh -c '\''
-       if test -d "$1"; then
--        test -d "$1/.";
-+	test -d "$1/.";
-       else
--	case $1 in
--        -*)set "./$1";;
-+	case $1 in #(
-+	-*)set "./$1";;
- 	esac;
--	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
-+	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
- 	???[sx]*):;;*)false;;esac;fi
-     '\'' sh
-   '
-@@ -3085,13 +3809,19 @@
- 
- 
- exec 6>&1
-+## ----------------------------------- ##
-+## Main body of $CONFIG_STATUS script. ##
-+## ----------------------------------- ##
-+_ASEOF
-+test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1
- 
--# Save the log message, to keep $[0] and so on meaningful, and to
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
-+# Save the log message, to keep $0 and so on meaningful, and to
- # report actual input values of CONFIG_FILES etc. instead of their
- # values after options handling.
- ac_log="
- This file was extended by $as_me, which was
--generated by GNU Autoconf 2.61.  Invocation command line was
-+generated by GNU Autoconf 2.67.  Invocation command line was
- 
-   CONFIG_FILES    = $CONFIG_FILES
-   CONFIG_HEADERS  = $CONFIG_HEADERS
-@@ -3104,59 +3834,74 @@
- 
- _ACEOF
- 
--cat >>$CONFIG_STATUS <<_ACEOF
-+case $ac_config_files in *"
-+"*) set x $ac_config_files; shift; ac_config_files=$*;;
-+esac
-+
-+
-+
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
- # Files that config.status was made for.
- config_files="$ac_config_files"
- 
- _ACEOF
- 
--cat >>$CONFIG_STATUS <<\_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
- ac_cs_usage="\
--\`$as_me' instantiates files from templates according to the
--current configuration.
-+\`$as_me' instantiates files and other configuration actions
-+from templates according to the current configuration.  Unless the files
-+and actions are specified as TAGs, all are instantiated by default.
- 
--Usage: $0 [OPTIONS] [FILE]...
-+Usage: $0 [OPTION]... [TAG]...
- 
-   -h, --help       print this help, then exit
-   -V, --version    print version number and configuration settings, then exit
--  -q, --quiet      do not print progress messages
-+      --config     print configuration, then exit
-+  -q, --quiet, --silent
-+                   do not print progress messages
-   -d, --debug      don't remove temporary files
-       --recheck    update $as_me by reconfiguring in the same conditions
--  --file=FILE[:TEMPLATE]
--		   instantiate the configuration file FILE
-+      --file=FILE[:TEMPLATE]
-+                   instantiate the configuration file FILE
- 
- Configuration files:
- $config_files
- 
--Report bugs to <bug-autoconf@gnu.org>."
-+Report bugs to the package provider."
- 
- _ACEOF
--cat >>$CONFIG_STATUS <<_ACEOF
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-+ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
- ac_cs_version="\\
- config.status
--configured by $0, generated by GNU Autoconf 2.61,
--  with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
-+configured by $0, generated by GNU Autoconf 2.67,
-+  with options \\"\$ac_cs_config\\"
- 
--Copyright (C) 2006 Free Software Foundation, Inc.
-+Copyright (C) 2010 Free Software Foundation, Inc.
- This config.status script is free software; the Free Software Foundation
- gives unlimited permission to copy, distribute and modify it."
- 
- ac_pwd='$ac_pwd'
- srcdir='$srcdir'
-+test -n "\$AWK" || AWK=awk
- _ACEOF
- 
--cat >>$CONFIG_STATUS <<\_ACEOF
--# If no file are specified by the user, then we need to provide default
--# value.  By we need to know if files were specified by the user.
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
-+# The default lists apply if the user does not specify any file.
- ac_need_defaults=:
- while test $# != 0
- do
-   case $1 in
--  --*=*)
-+  --*=?*)
-     ac_option=`expr "X$1" : 'X\([^=]*\)='`
-     ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
-     ac_shift=:
-     ;;
-+  --*=)
-+    ac_option=`expr "X$1" : 'X\([^=]*\)='`
-+    ac_optarg=
-+    ac_shift=:
-+    ;;
-   *)
-     ac_option=$1
-     ac_optarg=$2
-@@ -3169,25 +3914,30 @@
-   -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
-     ac_cs_recheck=: ;;
-   --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
--    echo "$ac_cs_version"; exit ;;
-+    $as_echo "$ac_cs_version"; exit ;;
-+  --config | --confi | --conf | --con | --co | --c )
-+    $as_echo "$ac_cs_config"; exit ;;
-   --debug | --debu | --deb | --de | --d | -d )
-     debug=: ;;
-   --file | --fil | --fi | --f )
-     $ac_shift
--    CONFIG_FILES="$CONFIG_FILES $ac_optarg"
-+    case $ac_optarg in
-+    *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
-+    '') as_fn_error $? "missing file argument" ;;
-+    esac
-+    as_fn_append CONFIG_FILES " '$ac_optarg'"
-     ac_need_defaults=false;;
-   --he | --h |  --help | --hel | -h )
--    echo "$ac_cs_usage"; exit ;;
-+    $as_echo "$ac_cs_usage"; exit ;;
-   -q | -quiet | --quiet | --quie | --qui | --qu | --q \
-   | -silent | --silent | --silen | --sile | --sil | --si | --s)
-     ac_cs_silent=: ;;
- 
-   # This is an error.
--  -*) { echo "$as_me: error: unrecognized option: $1
--Try \`$0 --help' for more information." >&2
--   { (exit 1); exit 1; }; } ;;
-+  -*) as_fn_error $? "unrecognized option: \`$1'
-+Try \`$0 --help' for more information." ;;
- 
--  *) ac_config_targets="$ac_config_targets $1"
-+  *) as_fn_append ac_config_targets " $1"
-      ac_need_defaults=false ;;
- 
-   esac
-@@ -3202,30 +3952,32 @@
- fi
- 
- _ACEOF
--cat >>$CONFIG_STATUS <<_ACEOF
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
- if \$ac_cs_recheck; then
--  echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
--  CONFIG_SHELL=$SHELL
-+  set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
-+  shift
-+  \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
-+  CONFIG_SHELL='$SHELL'
-   export CONFIG_SHELL
--  exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
-+  exec "\$@"
- fi
- 
- _ACEOF
--cat >>$CONFIG_STATUS <<\_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
- exec 5>>config.log
- {
-   echo
-   sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
- ## Running $as_me. ##
- _ASBOX
--  echo "$ac_log"
-+  $as_echo "$ac_log"
- } >&5
- 
- _ACEOF
--cat >>$CONFIG_STATUS <<_ACEOF
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
- _ACEOF
- 
--cat >>$CONFIG_STATUS <<\_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
- 
- # Handling of arguments.
- for ac_config_target in $ac_config_targets
-@@ -3233,9 +3985,7 @@
-   case $ac_config_target in
-     "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
- 
--  *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
--echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
--   { (exit 1); exit 1; }; };;
-+  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5 ;;
-   esac
- done
- 
-@@ -3260,7 +4010,7 @@
-   trap 'exit_status=$?
-   { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
- ' 0
--  trap '{ (exit 1); exit 1; }' 1 2 13 15
-+  trap 'as_fn_exit 1' 1 2 13 15
- }
- # Create a (secure) tmp directory for tmp files.
- 
-@@ -3271,145 +4021,177 @@
- {
-   tmp=./conf$$-$RANDOM
-   (umask 077 && mkdir "$tmp")
--} ||
--{
--   echo "$me: cannot create a temporary directory in ." >&2
--   { (exit 1); exit 1; }
--}
--
--#
--# Set up the sed scripts for CONFIG_FILES section.
--#
-+} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5
- 
--# No need to generate the scripts if there are no CONFIG_FILES.
--# This happens for instance when ./config.status config.h
-+# Set up the scripts for CONFIG_FILES section.
-+# No need to generate them if there are no CONFIG_FILES.
-+# This happens for instance with `./config.status config.h'.
- if test -n "$CONFIG_FILES"; then
- 
--_ACEOF
- 
-+ac_cr=`echo X | tr X '\015'`
-+# On cygwin, bash can eat \r inside `` if the user requested igncr.
-+# But we know of no other shell where ac_cr would be empty at this
-+# point, so we can use a bashism as a fallback.
-+if test "x$ac_cr" = x; then
-+  eval ac_cr=\$\'\\r\'
-+fi
-+ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' </dev/null 2>/dev/null`
-+if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then
-+  ac_cs_awk_cr='\\r'
-+else
-+  ac_cs_awk_cr=$ac_cr
-+fi
-+
-+echo 'BEGIN {' >"$tmp/subs1.awk" &&
-+_ACEOF
- 
- 
-+{
-+  echo "cat >conf$$subs.awk <<_ACEOF" &&
-+  echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' &&
-+  echo "_ACEOF"
-+} >conf$$subs.sh ||
-+  as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
-+ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'`
- ac_delim='%!_!# '
- for ac_last_try in false false false false false :; do
--  cat >conf$$subs.sed <<_ACEOF
--SHELL!$SHELL$ac_delim
--PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim
--PACKAGE_NAME!$PACKAGE_NAME$ac_delim
--PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim
--PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim
--PACKAGE_STRING!$PACKAGE_STRING$ac_delim
--PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim
--exec_prefix!$exec_prefix$ac_delim
--prefix!$prefix$ac_delim
--program_transform_name!$program_transform_name$ac_delim
--bindir!$bindir$ac_delim
--sbindir!$sbindir$ac_delim
--libexecdir!$libexecdir$ac_delim
--datarootdir!$datarootdir$ac_delim
--datadir!$datadir$ac_delim
--sysconfdir!$sysconfdir$ac_delim
--sharedstatedir!$sharedstatedir$ac_delim
--localstatedir!$localstatedir$ac_delim
--includedir!$includedir$ac_delim
--oldincludedir!$oldincludedir$ac_delim
--docdir!$docdir$ac_delim
--infodir!$infodir$ac_delim
--htmldir!$htmldir$ac_delim
--dvidir!$dvidir$ac_delim
--pdfdir!$pdfdir$ac_delim
--psdir!$psdir$ac_delim
--libdir!$libdir$ac_delim
--localedir!$localedir$ac_delim
--mandir!$mandir$ac_delim
--DEFS!$DEFS$ac_delim
--ECHO_C!$ECHO_C$ac_delim
--ECHO_N!$ECHO_N$ac_delim
--ECHO_T!$ECHO_T$ac_delim
--LIBS!$LIBS$ac_delim
--build_alias!$build_alias$ac_delim
--host_alias!$host_alias$ac_delim
--target_alias!$target_alias$ac_delim
--CC!$CC$ac_delim
--CFLAGS!$CFLAGS$ac_delim
--LDFLAGS!$LDFLAGS$ac_delim
--CPPFLAGS!$CPPFLAGS$ac_delim
--ac_ct_CC!$ac_ct_CC$ac_delim
--EXEEXT!$EXEEXT$ac_delim
--OBJEXT!$OBJEXT$ac_delim
--eap_tnc_cflags!$eap_tnc_cflags$ac_delim
--eap_tnc_ldflags!$eap_tnc_ldflags$ac_delim
--targetname!$targetname$ac_delim
--LIBOBJS!$LIBOBJS$ac_delim
--LTLIBOBJS!$LTLIBOBJS$ac_delim
--_ACEOF
-+  . ./conf$$subs.sh ||
-+    as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
- 
--  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 49; then
-+  ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X`
-+  if test $ac_delim_n = $ac_delim_num; then
-     break
-   elif $ac_last_try; then
--    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
--echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
--   { (exit 1); exit 1; }; }
-+    as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
-   else
-     ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
-   fi
- done
-+rm -f conf$$subs.sh
- 
--ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
--if test -n "$ac_eof"; then
--  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
--  ac_eof=`expr $ac_eof + 1`
--fi
--
--cat >>$CONFIG_STATUS <<_ACEOF
--cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof
--/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end
--_ACEOF
--sed '
--s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
--s/^/s,@/; s/!/@,|#_!!_#|/
--:n
--t n
--s/'"$ac_delim"'$/,g/; t
--s/$/\\/; p
--N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
--' >>$CONFIG_STATUS <conf$$subs.sed
--rm -f conf$$subs.sed
--cat >>$CONFIG_STATUS <<_ACEOF
--:end
--s/|#_!!_#|//g
--CEOF$ac_eof
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-+cat >>"\$tmp/subs1.awk" <<\\_ACAWK &&
- _ACEOF
-+sed -n '
-+h
-+s/^/S["/; s/!.*/"]=/
-+p
-+g
-+s/^[^!]*!//
-+:repl
-+t repl
-+s/'"$ac_delim"'$//
-+t delim
-+:nl
-+h
-+s/\(.\{148\}\)..*/\1/
-+t more1
-+s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/
-+p
-+n
-+b repl
-+:more1
-+s/["\\]/\\&/g; s/^/"/; s/$/"\\/
-+p
-+g
-+s/.\{148\}//
-+t nl
-+:delim
-+h
-+s/\(.\{148\}\)..*/\1/
-+t more2
-+s/["\\]/\\&/g; s/^/"/; s/$/"/
-+p
-+b
-+:more2
-+s/["\\]/\\&/g; s/^/"/; s/$/"\\/
-+p
-+g
-+s/.\{148\}//
-+t delim
-+' <conf$$subs.awk | sed '
-+/^[^""]/{
-+  N
-+  s/\n//
-+}
-+' >>$CONFIG_STATUS || ac_write_fail=1
-+rm -f conf$$subs.awk
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-+_ACAWK
-+cat >>"\$tmp/subs1.awk" <<_ACAWK &&
-+  for (key in S) S_is_set[key] = 1
-+  FS = ""
-+
-+}
-+{
-+  line = $ 0
-+  nfields = split(line, field, "@")
-+  substed = 0
-+  len = length(field[1])
-+  for (i = 2; i < nfields; i++) {
-+    key = field[i]
-+    keylen = length(key)
-+    if (S_is_set[key]) {
-+      value = S[key]
-+      line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3)
-+      len += length(value) + length(field[++i])
-+      substed = 1
-+    } else
-+      len += 1 + keylen
-+  }
-+
-+  print line
-+}
- 
-+_ACAWK
-+_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
-+if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
-+  sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g"
-+else
-+  cat
-+fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \
-+  || as_fn_error $? "could not setup config files machinery" "$LINENO" 5
-+_ACEOF
- 
--# VPATH may cause trouble with some makes, so we remove $(srcdir),
--# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
-+# VPATH may cause trouble with some makes, so we remove sole $(srcdir),
-+# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and
- # trailing colons and then remove the whole line if VPATH becomes empty
- # (actually we leave an empty line to preserve line numbers).
- if test "x$srcdir" = x.; then
--  ac_vpsub='/^[	 ]*VPATH[	 ]*=/{
--s/:*\$(srcdir):*/:/
--s/:*\${srcdir}:*/:/
--s/:*@srcdir@:*/:/
--s/^\([^=]*=[	 ]*\):*/\1/
-+  ac_vpsub='/^[	 ]*VPATH[	 ]*=[	 ]*/{
-+h
-+s///
-+s/^/:/
-+s/[	 ]*$/:/
-+s/:\$(srcdir):/:/g
-+s/:\${srcdir}:/:/g
-+s/:@srcdir@:/:/g
-+s/^:*//
- s/:*$//
-+x
-+s/\(=[	 ]*\).*/\1/
-+G
-+s/\n//
- s/^[^=]*=[	 ]*$//
- }'
- fi
- 
--cat >>$CONFIG_STATUS <<\_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
- fi # test -n "$CONFIG_FILES"
- 
- 
--for ac_tag in  :F $CONFIG_FILES
-+eval set X "  :F $CONFIG_FILES      "
-+shift
-+for ac_tag
- do
-   case $ac_tag in
-   :[FHLC]) ac_mode=$ac_tag; continue;;
-   esac
-   case $ac_mode$ac_tag in
-   :[FHL]*:*);;
--  :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5
--echo "$as_me: error: Invalid tag $ac_tag." >&2;}
--   { (exit 1); exit 1; }; };;
-+  :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5 ;;
-   :[FH]-) ac_tag=-:-;;
-   :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
-   esac
-@@ -3437,26 +4219,34 @@
- 	   [\\/$]*) false;;
- 	   *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
- 	   esac ||
--	   { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
--echo "$as_me: error: cannot find input file: $ac_f" >&2;}
--   { (exit 1); exit 1; }; };;
-+	   as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5 ;;
-       esac
--      ac_file_inputs="$ac_file_inputs $ac_f"
-+      case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
-+      as_fn_append ac_file_inputs " '$ac_f'"
-     done
- 
-     # Let's still pretend it is `configure' which instantiates (i.e., don't
-     # use $as_me), people would be surprised to read:
-     #    /* config.h.  Generated by config.status.  */
--    configure_input="Generated from "`IFS=:
--	  echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure."
-+    configure_input='Generated from '`
-+	  $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g'
-+	`' by configure.'
-     if test x"$ac_file" != x-; then
-       configure_input="$ac_file.  $configure_input"
--      { echo "$as_me:$LINENO: creating $ac_file" >&5
--echo "$as_me: creating $ac_file" >&6;}
-+      { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5
-+$as_echo "$as_me: creating $ac_file" >&6;}
-     fi
-+    # Neutralize special characters interpreted by sed in replacement strings.
-+    case $configure_input in #(
-+    *\&* | *\|* | *\\* )
-+       ac_sed_conf_input=`$as_echo "$configure_input" |
-+       sed 's/[\\\\&|]/\\\\&/g'`;; #(
-+    *) ac_sed_conf_input=$configure_input;;
-+    esac
- 
-     case $ac_tag in
--    *:-:* | *:-) cat >"$tmp/stdin";;
-+    *:-:* | *:-) cat >"$tmp/stdin" \
-+      || as_fn_error $? "could not create $ac_file" "$LINENO" 5  ;;
-     esac
-     ;;
-   esac
-@@ -3466,42 +4256,7 @@
- 	 X"$ac_file" : 'X\(//\)[^/]' \| \
- 	 X"$ac_file" : 'X\(//\)$' \| \
- 	 X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
--echo X"$ac_file" |
--    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
--	    s//\1/
--	    q
--	  }
--	  /^X\(\/\/\)[^/].*/{
--	    s//\1/
--	    q
--	  }
--	  /^X\(\/\/\)$/{
--	    s//\1/
--	    q
--	  }
--	  /^X\(\/\).*/{
--	    s//\1/
--	    q
--	  }
--	  s/.*/./; q'`
--  { as_dir="$ac_dir"
--  case $as_dir in #(
--  -*) as_dir=./$as_dir;;
--  esac
--  test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
--    as_dirs=
--    while :; do
--      case $as_dir in #(
--      *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
--      *) as_qdir=$as_dir;;
--      esac
--      as_dirs="'$as_qdir' $as_dirs"
--      as_dir=`$as_dirname -- "$as_dir" ||
--$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
--	 X"$as_dir" : 'X\(//\)[^/]' \| \
--	 X"$as_dir" : 'X\(//\)$' \| \
--	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
--echo X"$as_dir" |
-+$as_echo X"$ac_file" |
-     sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
- 	    s//\1/
- 	    q
-@@ -3519,20 +4274,15 @@
- 	    q
- 	  }
- 	  s/.*/./; q'`
--      test -d "$as_dir" && break
--    done
--    test -z "$as_dirs" || eval "mkdir $as_dirs"
--  } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
--echo "$as_me: error: cannot create directory $as_dir" >&2;}
--   { (exit 1); exit 1; }; }; }
-+  as_dir="$ac_dir"; as_fn_mkdir_p
-   ac_builddir=.
- 
- case "$ac_dir" in
- .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
- *)
--  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
-+  ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
-   # A ".." for each directory in $ac_dir_suffix.
--  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
-+  ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
-   case $ac_top_builddir_sub in
-   "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
-   *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
-@@ -3568,12 +4318,12 @@
- 
- _ACEOF
- 
--cat >>$CONFIG_STATUS <<\_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
- # If the template does not know about datarootdir, expand it.
- # FIXME: This hack should be removed a few years after 2.60.
- ac_datarootdir_hack=; ac_datarootdir_seen=
--
--case `sed -n '/datarootdir/ {
-+ac_sed_dataroot='
-+/datarootdir/ {
-   p
-   q
- }
-@@ -3581,36 +4331,37 @@
- /@docdir@/p
- /@infodir@/p
- /@localedir@/p
--/@mandir@/p
--' $ac_file_inputs` in
-+/@mandir@/p'
-+case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in
- *datarootdir*) ac_datarootdir_seen=yes;;
- *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
--  { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
--echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
-+$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
- _ACEOF
--cat >>$CONFIG_STATUS <<_ACEOF
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-   ac_datarootdir_hack='
-   s&@datadir@&$datadir&g
-   s&@docdir@&$docdir&g
-   s&@infodir@&$infodir&g
-   s&@localedir@&$localedir&g
-   s&@mandir@&$mandir&g
--    s&\\\${datarootdir}&$datarootdir&g' ;;
-+  s&\\\${datarootdir}&$datarootdir&g' ;;
- esac
- _ACEOF
- 
- # Neutralize VPATH when `$srcdir' = `.'.
- # Shell code in configure.ac might set extrasub.
- # FIXME: do we really want to maintain this feature?
--cat >>$CONFIG_STATUS <<_ACEOF
--  sed "$ac_vpsub
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-+ac_sed_extra="$ac_vpsub
- $extrasub
- _ACEOF
--cat >>$CONFIG_STATUS <<\_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
- :t
- /@[a-zA-Z_][a-zA-Z_0-9]*@/!b
--s&@configure_input@&$configure_input&;t t
-+s|@configure_input@|$ac_sed_conf_input|;t t
- s&@top_builddir@&$ac_top_builddir_sub&;t t
-+s&@top_build_prefix@&$ac_top_build_prefix&;t t
- s&@srcdir@&$ac_srcdir&;t t
- s&@abs_srcdir@&$ac_abs_srcdir&;t t
- s&@top_srcdir@&$ac_top_srcdir&;t t
-@@ -3619,21 +4370,24 @@
- s&@abs_builddir@&$ac_abs_builddir&;t t
- s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
- $ac_datarootdir_hack
--" $ac_file_inputs | sed -f "$tmp/subs-1.sed" >$tmp/out
-+"
-+eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \
-+  || as_fn_error $? "could not create $ac_file" "$LINENO" 5
- 
- test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
-   { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
-   { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
--  { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
--which seems to be undefined.  Please make sure it is defined." >&5
--echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
--which seems to be undefined.  Please make sure it is defined." >&2;}
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir'
-+which seems to be undefined.  Please make sure it is defined" >&5
-+$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
-+which seems to be undefined.  Please make sure it is defined" >&2;}
- 
-   rm -f "$tmp/stdin"
-   case $ac_file in
--  -) cat "$tmp/out"; rm -f "$tmp/out";;
--  *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;;
--  esac
-+  -) cat "$tmp/out" && rm -f "$tmp/out";;
-+  *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";;
-+  esac \
-+  || as_fn_error $? "could not create $ac_file" "$LINENO" 5
-  ;;
- 
- 
-@@ -3643,11 +4397,13 @@
- done # for ac_tag
- 
- 
--{ (exit 0); exit 0; }
-+as_fn_exit 0
- _ACEOF
--chmod +x $CONFIG_STATUS
- ac_clean_files=$ac_clean_files_save
- 
-+test $ac_write_fail = 0 ||
-+  as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5
-+
- 
- # configure is writing to config.log, and then calls config.status.
- # config.status does its own redirection, appending to config.log.
-@@ -3667,7 +4423,10 @@
-   exec 5>>config.log
-   # Use ||, not &&, to avoid exiting from the if with $? = 1, which
-   # would make configure fail if this is the last instruction.
--  $ac_cs_success || { (exit 1); exit 1; }
-+  $ac_cs_success || as_fn_exit 1
-+fi
-+if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5
-+$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
- fi
--
- 
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in	2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in	2012-12-04 19:38:00.241420966 +0100
-@@ -2,12 +2,21 @@
- AC_REVISION($Revision$)
- AC_DEFUN(modname,[rlm_eap_tnc])
- 
-+eap_tnc_cflags=
-+eap_tnc_ldflags=-lnaaeap
-+
- if test x$with_[]modname != xno; then
- 
--	AC_CHECK_LIB(TNCS, exchangeTNCCSMessages)
--	if test "x$ac_cv_lib_tncs_exchangetnccsmessages" != xyes; then
--		AC_MSG_WARN([the TNCS library isn't found!])
--		fail="$fail -lTNCS"
-+	AC_CHECK_LIB(naaeap,processEAPTNCData,,fail="$fail -lnaaeap",)
-+	if test -x"$ac_cv_lib_NAAEAP_processEAPTNCData" == -x"no"; then
-+		AC_MSG_WARN([the NAAEAP library was not found!])
-+		fail="$fail -lNAAEAP"
-+	fi
-+	
-+	AC_CHECK_HEADERS(naaeap/naaeap.h,,fail="$fail -Inaaeap.h",)
-+	if test -x"$ac_cv_header_naaeap_h" == -x"no"; then
-+		AC_MSG_WARN([the naaeap header was not found!])
-+		fail="$fail -Inaaeap.h"
- 	fi
- 
- 	targetname=modname
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c	2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c	2012-12-04 19:38:00.241420966 +0100
-@@ -1,12 +1,12 @@
- /*
-  *   eap_tnc.c  EAP TNC functionality.
-  *
-- *   This software is Copyright (C) 2006,2007 FH Hannover
-+ *   This software is Copyright (C) 2006-2009 FH Hannover
-  *
-  *   Portions of this code unrelated to FreeRADIUS are available
-  *   separately under a commercial license.  If you require an
-  *   implementation of EAP-TNC that is not under the GPLv2, please
-- *   contact tnc@inform.fh-hannover.de for details.
-+ *   contact trust@f4-i.fh-hannover.de for details.
-  *
-  *   This program is free software; you can redistribute it and/or modify
-  *   it under the terms of the GNU General Public License as published by
-@@ -23,230 +23,41 @@
-  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
-  *
-  */
--#include <freeradius-devel/ident.h>
--RCSID("$Id: 213ede51c46a8c533961be8715395c0ab1f6b5c9 $")
--
--
--/*
-- *
-- *  MD5 Packet Format in EAP Type-Data
-- *  --- ------ ------ -- --- ---------
-- *  0                   1                   2                   3
-- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * |  Value-Size   |  Value ...
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * |  Name ...
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- *
-- * EAP-TNC Packet Format in EAP Type-Data
-- * 
-- *  0                   1                   2                   3
-- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * |  Flags  |Ver  | Data Length ...                                   
-- * |L M S R R|=1   |                                               
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * |...            |  Data ...
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- 
-- *
-- */
--
- #include <stdio.h>
- #include <stdlib.h>
- #include "eap.h"
- 
- #include "eap_tnc.h"
- 
--     /*
--      *	WTF is wrong with htonl ?
--      */
--static uint32_t ByteSwap2 (uint32_t nLongNumber)
--{
--   return (((nLongNumber&0x000000FF)<<24)+((nLongNumber&0x0000FF00)<<8)+
--   ((nLongNumber&0x00FF0000)>>8)+((nLongNumber&0xFF000000)>>24));
--}
--
- /*
-- *      Allocate a new TNC_PACKET
-+ *	Forms an EAP_REQUEST packet from the EAP_TNC specific data.
-  */
--TNC_PACKET *eaptnc_alloc(void)
-+int eaptnc_compose(EAP_HANDLER *handler, TNC_BufferReference request, TNC_UInt32 length, uint8_t code)
- {
--	TNC_PACKET   *rp;
--
--	if ((rp = malloc(sizeof(TNC_PACKET))) == NULL) {
--		radlog(L_ERR, "rlm_eap_tnc: out of memory");
--		return NULL;
-+	// check parameters
-+	if(handler == NULL || (request == NULL && length != 0) || (request != NULL && length < 1) || code > PW_EAP_MAX_CODES){
-+		radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler == %p, request == %p, length == %lu, code == %u", handler, request, length, code);
-+		return 0;
- 	}
--	memset(rp, 0, sizeof(TNC_PACKET));
--	return rp;
--}
--
--/*
-- *      Free TNC_PACKET
-- */
--void eaptnc_free(TNC_PACKET **tnc_packet_ptr)
--{
--	TNC_PACKET *tnc_packet;
--
--	if (!tnc_packet_ptr) return;
--	tnc_packet = *tnc_packet_ptr;
--	if (tnc_packet == NULL) return;
--
--	if (tnc_packet->data) free(tnc_packet->data);
- 
--	free(tnc_packet);
--
--	*tnc_packet_ptr = NULL;
--}
--
--/*
-- *	We expect only RESPONSE for which REQUEST, SUCCESS or FAILURE is sent back
-- */
--TNC_PACKET *eaptnc_extract(EAP_DS *eap_ds)
--{
--	tnc_packet_t	*data;
--	TNC_PACKET	*packet;
--	/*
--	 *	We need a response, of type EAP-TNC
--     */
--	if (!eap_ds 					 ||
--	    !eap_ds->response 				 ||
--	    (eap_ds->response->code != PW_TNC_RESPONSE)	 ||
--	    eap_ds->response->type.type != PW_EAP_TNC	 ||
--	    !eap_ds->response->type.data 		 ||
--	    (eap_ds->response->length <= TNC_HEADER_LEN) ||
--	    (eap_ds->response->type.data[0] <= 0)) {
--		radlog(L_ERR, "rlm_eap_tnc: corrupted data");
--		return NULL;
-+	// further check parameters
-+	if(handler->opaque == NULL || handler->eap_ds == NULL){
-+		radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler->opaque == %p, handler->eap_ds == %p", handler->opaque, handler->eap_ds);
-+		return 0;
- 	}
--	packet = eaptnc_alloc();
--	if (!packet) return NULL;
--
- 
--	packet->code = eap_ds->response->code;
--	packet->id = eap_ds->response->id;
--	packet->length = eap_ds->response->length; 
--
--	data = (tnc_packet_t *)eap_ds->response->type.data;
--	/*
--	 *	Already checked the size above.
--	 */
--    packet->flags_ver = data->flags_ver;
--    unsigned char *ptr = (unsigned char*)data;
--
--
--	DEBUG2("Flags/Ver: %x\n", packet->flags_ver);
--	int thisDataLength;
--    int dataStart;
--    if(TNC_LENGTH_INCLUDED(packet->flags_ver)){
--        DEBUG2("data_length included\n");
--//        memcpy(&packet->flags_ver[1], &data->flags_ver[1], 4);
--        //packet->data_length = data->data_length;
--        memcpy(&packet->data_length, &ptr[1], TNC_DATA_LENGTH_LENGTH);
--        DEBUG2("data_length: %x\n", packet->data_length);
--        DEBUG2("data_length: %d\n", packet->data_length);
--        DEBUG2("data_length: %x\n", ByteSwap2(packet->data_length));
--        DEBUG2("data_length: %d\n", ByteSwap2(packet->data_length));
--        packet->data_length = ByteSwap2(packet->data_length);
--		thisDataLength = packet->length-TNC_PACKET_LENGTH; //1: we need space for flags_ver
--        dataStart = TNC_DATA_LENGTH_LENGTH+TNC_FLAGS_VERSION_LENGTH;
--    }else{
--        DEBUG2("no data_length included\n");
--	 	thisDataLength = packet->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
--        packet->data_length = 0;
--        dataStart = TNC_FLAGS_VERSION_LENGTH;
--        
--    }
--	/*
--	 *	Allocate room for the data, and copy over the data.
--	 */
--	packet->data = malloc(thisDataLength);
--	if (packet->data == NULL) {
--		radlog(L_ERR, "rlm_eap_tnc: out of memory");
--		eaptnc_free(&packet);
--		return NULL;
-+	if(handler->eap_ds->request == NULL){
-+		radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler->eap_ds->request == %p", handler->eap_ds->request);
-+		return 0;
- 	}
--    
--    memcpy(packet->data, &(eap_ds->response->type.data[dataStart]), thisDataLength);
--
--	return packet;
--}
- 
--
--/*
-- *	Compose the portions of the reply packet specific to the
-- *	EAP-TNC protocol, in the EAP reply typedata
-- */
--int eaptnc_compose(EAP_DS *eap_ds, TNC_PACKET *reply)
--{
--	uint8_t *ptr;
--
--
--	if (reply->code < 3) {
--		//fill: EAP-Type (0x888e)
--		eap_ds->request->type.type = PW_EAP_TNC;
--        DEBUG2("TYPE: EAP-TNC set\n");
--		rad_assert(reply->length > 0);
--		
--		//alloc enough space for whole TNC-Packet (from Code on)
--		eap_ds->request->type.data = calloc(reply->length, sizeof(unsigned char*));
--        DEBUG2("Malloc %d bytes for packet\n", reply->length);
--		if (eap_ds->request->type.data == NULL) {
--			radlog(L_ERR, "rlm_eap_tnc: out of memory");
--			return 0;
--		}
--		//put pointer at position where data starts (behind Type)
--		ptr = eap_ds->request->type.data;
--		//*ptr = (uint8_t)(reply->data_length & 0xFF);
--
--		//ptr++;
--		*ptr = reply->flags_ver;
--        DEBUG2("Set Flags/Version: %d\n", *ptr);
--		if(reply->data_length!=0){
--            DEBUG2("Set data-length: %d\n", reply->data_length);
--			ptr++; //move to start-position of "data_length"
--            DEBUG2("Set data-length: %x\n", reply->data_length);
--            DEBUG2("Set data-length (swapped): %x\n", ByteSwap2(reply->data_length));
--            unsigned long swappedDataLength = ByteSwap2(reply->data_length);
--            //DEBUG2("DATA-length: %d", reply->data_
--            memcpy(ptr, &swappedDataLength, 4);
--			//*ptr = swappedDataLength;
--		}
--		uint16_t thisDataLength=0;
--		if(reply->data!=NULL){
--            DEBUG2("Adding TNCCS-Data ");
--			int offset;
--			//if data_length-Field present
--			if(reply->data_length !=0){
--                DEBUG2("with Fragmentation\n");
--				offset = TNC_DATA_LENGTH_LENGTH; //length of data_length-field: 4
--				thisDataLength = reply->length-TNC_PACKET_LENGTH;
--			}else{ //data_length-Field not present
--                DEBUG2("without Fragmentation\n");
--				offset = 1;
--				thisDataLength = reply->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
--			}
--            DEBUG2("TNCCS-Datalength: %d\n", thisDataLength);
--			ptr=ptr+offset; //move to start-position of "data"
--			memcpy(ptr,reply->data, thisDataLength);
--		}else{
--            DEBUG2("No TNCCS-Data present");
--        }
--
--		//the length of the TNC-packet (behind Type)
--        if(reply->data_length!=0){
--    		eap_ds->request->type.length = TNC_DATA_LENGTH_LENGTH+TNC_FLAGS_VERSION_LENGTH+thisDataLength; //4:data_length, 1: flags_ver
--        }else{
--            eap_ds->request->type.length = TNC_FLAGS_VERSION_LENGTH+thisDataLength; //1: flags_ver
--        }
--        DEBUG2("Packet built\n");
--
--	} else {
--		eap_ds->request->type.length = 0;
--	}
--	eap_ds->request->code = reply->code;
-+	// fill EAP data to handler
-+	handler->eap_ds->request->code = code;
-+	handler->eap_ds->request->type.type = PW_EAP_TNC;
-+	// fill EAP TYPE specific data to handler
-+	handler->eap_ds->request->type.length = length;
-+	free(handler->eap_ds->request->type.data);
-+	handler->eap_ds->request->type.data = request;
- 
- 	return 1;
- }
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h	2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h	2012-12-04 19:38:00.241420966 +0100
-@@ -1,10 +1,10 @@
- /*
-- *   This software is Copyright (C) 2006,2007 FH Hannover
-+ *   This software is Copyright (C) 2006-2009 FH Hannover
-  *
-  *   Portions of this code unrelated to FreeRADIUS are available
-  *   separately under a commercial license.  If you require an
-  *   implementation of EAP-TNC that is not under the GPLv2, please
-- *   contact tnc@inform.fh-hannover.de for details.
-+ *   contact trust@f4-i.fh-hannover.de for details.
-  *
-  *   This program is free software; you can redistribute it and/or modify
-  *   it under the terms of the GNU General Public License as published by
-@@ -26,105 +26,20 @@
- #define _EAP_TNC_H
- 
- #include "eap.h"
-+#include <naaeap/naaeap.h>
- 
--#define PW_TNC_REQUEST	1
--#define PW_TNC_RESPONSE		2
--#define PW_TNC_SUCCESS		3
--#define PW_TNC_FAILURE		4
--#define PW_TNC_MAX_CODES	4
--
--#define TNC_HEADER_LEN 		4
--#define TNC_CHALLENGE_LEN 	16
--#define TNC_START_LEN 	8
--
--#define TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH 6
--#define TNC_PACKET_LENGTH 10
--#define TNC_DATA_LENGTH_LENGTH 4
--#define TNC_FLAGS_VERSION_LENGTH 1
--
--typedef unsigned int VlanAccessMode;
--
--#define VLAN_ISOLATE 97
--#define VLAN_ACCESS 2
--/*
-- ****
-- * EAP - MD5 doesnot specify code, id & length but chap specifies them,
-- *	for generalization purpose, complete header should be sent
-- *	and not just value_size, value and name.
-- *	future implementation.
-- *
-- *	Huh? What does that mean?
-- */
-+#define SET_START(x) 		((x) | (0x20))
- 
--/*
-+/**
-+ * Composes the EAP packet.
-  *
-- *  MD5 Packet Format in EAP Type-Data
-- *  --- ------ ------ -- --- ---------
-- *  0                   1                   2                   3
-- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * |  Value-Size   |  Value ...
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * |  Name ...
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- *
-- * EAP-TNC Packet Format in EAP Type-Data
-- * 
-- *  0                   1                   2                   3
-- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * |  Flags  |Ver  | Data Length ...                                   
-- * |L M S R R|=1   |                                               
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * |...            |  Data ...
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- 
-+ * @param handler The EAP_HANDLER from tnc_initiate() or tnc_authenticate
-+ * @param request The EAP_TNC packet received from NAA-TNCS
-+ * @param length The length of the EAP_TNC packet received from NAA-TNCS
-+ * @param code EAP_CODE for the request
-  *
-+ * @return True if operation was successful, otherwise false.
-  */
--
--/* eap packet structure */
--typedef struct tnc_packet_t {
--/*
--	uint8_t	code;
--	uint8_t	id;
--	uint16_t	length;
--*/
--	uint8_t	flags_ver;
--	uint32_t data_length;
--	uint8_t *data;
--} tnc_packet_t;
--
--typedef struct tnc_packet {
--	uint8_t		code;
--	uint8_t		id;
--	uint16_t	length;
--	uint8_t	flags_ver;
--	uint32_t data_length;
--	uint8_t *data;
--} TNC_PACKET;
--
--#define TNC_START(x) 		(((x) & 0x20) != 0)
--#define TNC_MORE_FRAGMENTS(x) 	(((x) & 0x40) != 0)
--#define TNC_LENGTH_INCLUDED(x) 	(((x) & 0x80) != 0)
--#define TNC_RESERVED_EQ_NULL(x) (((x) & 0x10) == 0 && ((x) & 0x8) == 0)
--#define TNC_VERSION_EQ_ONE(x) (((x) & 0x07) == 1)
--
--#define SET_START(x) 		((x) | (0x20))
--#define SET_MORE_FRAGMENTS(x) 	((x) | (0x40))
--#define SET_LENGTH_INCLUDED(x) 	((x) | (0x80))
--
--
--/* function declarations here */
--
--TNC_PACKET 	*eaptnc_alloc(void);
--void 		eaptnc_free(TNC_PACKET **tnc_packet_ptr);
--
--int 		eaptnc_compose(EAP_DS *auth, TNC_PACKET *reply);
--TNC_PACKET 	*eaptnc_extract(EAP_DS *auth);
--int 		eaptnc_verify(TNC_PACKET *pkt, VALUE_PAIR* pwd, uint8_t *ch);
--
--
--
--
-+int eaptnc_compose(EAP_HANDLER *handler, TNC_BufferReference request, TNC_UInt32 length, uint8_t code);
- 
- #endif /*_EAP_TNC_H*/
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in	2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in	2012-12-04 19:38:49.277421870 +0100
-@@ -3,8 +3,8 @@
- #
- 
- TARGET      = @targetname@
--SRCS        = rlm_eap_tnc.c eap_tnc.c tncs_connect.c 
--HEADERS     = eap_tnc.h tncs.h tncs_connect.h ../../eap.h ../../rlm_eap.h
-+SRCS        = rlm_eap_tnc.c eap_tnc.c
-+HEADERS     = eap_tnc.h ../../eap.h ../../rlm_eap.h
- RLM_CFLAGS  = -I../.. -I../../libeap @eap_tnc_cflags@
- RLM_LIBS    = @eap_tnc_ldflags@ ../../libeap/$(LIBPREFIX)freeradius-eap.la
- RLM_INSTALL =
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c	2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c	2012-12-04 19:38:00.241420966 +0100
-@@ -1,12 +1,12 @@
- /*
-  * rlm_eap_tnc.c    Handles that are called from eap
-  *
-- *   This software is Copyright (C) 2006,2007 FH Hannover
-+ *   This software is Copyright (C) 2006-2009 FH Hannover
-  *
-  *   Portions of this code unrelated to FreeRADIUS are available
-  *   separately under a commercial license.  If you require an
-  *   implementation of EAP-TNC that is not under the GPLv2, please
-- *   contact tnc@inform.fh-hannover.de for details.
-+ *   contact trust@f4-i.fh-hannover.de for details.
-  *
-  *   This program is free software; you can redistribute it and/or modify
-  *   it under the terms of the GNU General Public License as published by
-@@ -26,96 +26,262 @@
-  *   Copyright (C) 2007 Alan DeKok <aland@deployingradius.com>
-  */
- 
--#include <freeradius-devel/ident.h>
--RCSID("$Id: 985ac01f384110b9a46ec8e84592351c21b3f09a $")
-+/*
-+ * EAP-TNC Packet with EAP Header, general structure
-+ *
-+ *  0                   1                   2                   3
-+ *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ * |      Code     |   Identifier  |            Length             |
-+ * |               |               |                               |
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ * |      Type     |  Flags  | Ver |          Data Length          |
-+ * |               |L M S R R| =1  |                               |
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ * |          Data Length          |           Data ...
-+ * |                               |
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ */
- 
- #include <freeradius-devel/autoconf.h>
- 
- #include <stdio.h>
- #include <stdlib.h>
- 
--#include "tncs_connect.h"
- #include "eap_tnc.h"
--#include "tncs.h"
-+#include <naaeap/naaeap.h>
- #include <freeradius-devel/rad_assert.h>
-+//#include <freeradius-devel/libradius.h>
- 
--typedef struct rlm_eap_tnc_t {
--	char	*vlan_access;
--	char	*vlan_isolate;
--	char	*tnc_path;
--} rlm_eap_tnc_t;
-+#include <netinet/in.h>
- 
--static int sessionCounter=0;
-+/**
-+ * Calculates an identifying string based upon nas_port, nas_ip and nas_port_type.
-+ * The maximum length of the calculated string is 70 (not including the trailing '\0').
-+ *
-+ * @return the number of bytes written to out (not including the trailing '\0')
-+ */
-+static uint32_t calculateConnectionString(RADIUS_PACKET* radius_packet, char *out, size_t outMaxLength)
-+{
-+	VALUE_PAIR *vp = NULL;
-+	uint32_t nas_port = 0;
-+	uint32_t nas_ip = 0;
-+	uint32_t nas_port_type = 0;
-+
-+	char out_nas_port[11];
-+	char out_nas_ip_byte_0[4];
-+	char out_nas_ip_byte_1[4];
-+	char out_nas_ip_byte_2[4];
-+	char out_nas_ip_byte_3[4];
-+	char out_nas_port_type[11];
-+
-+    // check for NULL
-+	if (radius_packet == NULL) {
-+		radlog(L_ERR,
-+				"rlm_eap_tnc: calculateConnectionString failed. radius_packet == NULL!");
-+		return 0;
-+	}
-+
-+	// read NAS port, ip and port type
-+	for (vp = radius_packet->vps; vp; vp=vp->next) {
-+		switch (vp->attribute) {
-+		case PW_NAS_PORT:
-+			nas_port = vp->vp_integer;
-+			DEBUG("NAS scr port = %u\n", nas_port);
-+			break;
-+		case PW_NAS_IP_ADDRESS:
-+			nas_ip = vp->vp_ipaddr;
-+			DEBUG("NAS scr ip = %X\n", ntohl(nas_ip));
-+			break;
-+		case PW_NAS_PORT_TYPE:
-+			nas_port_type = vp->vp_integer;
-+			DEBUG("NAS scr port type = %u\n", nas_port_type);
-+			break;
-+		}
-+	}
-+
-+	snprintf(out_nas_port, 11, "%u", nas_port);
-+	snprintf(out_nas_ip_byte_0, 4, "%u", nas_ip & 0xFF);
-+	snprintf(out_nas_ip_byte_1, 4, "%u", (nas_ip >> 8) & 0xFF);
-+	snprintf(out_nas_ip_byte_2, 4, "%u", (nas_ip >> 16) & 0xFF);
-+	snprintf(out_nas_ip_byte_3, 4, "%u", (nas_ip >> 24) & 0xFF);
-+	snprintf(out_nas_port_type, 11, "%u", nas_port_type);
-+
-+	return snprintf(out, outMaxLength, "NAS Port: %s NAS IP: %s.%s.%s.%s NAS_PORT_TYPE: %s", out_nas_port, out_nas_ip_byte_3, out_nas_ip_byte_2, out_nas_ip_byte_1, out_nas_ip_byte_0, out_nas_port_type);
-+}
-+
-+/*
-+ * This function is called when the FreeRADIUS attach this module.
-+ */
-+static int tnc_attach(CONF_SECTION *conf, void **type_data)
-+{
-+    // initialize NAA-EAP
-+	DEBUG2("TNC-ATTACH initializing NAA-EAP");
-+	TNC_Result result = initializeDefault();
-+	if (result != TNC_RESULT_SUCCESS) {
-+		radlog(L_ERR,
-+				"rlm_eap_tnc: tnc_attach error while calling NAA-EAP initializeDefault()");
-+		return -1;
-+	}
-+	return 0;
-+}
-+
-+/*
-+ * This function is called when the FreeRADIUS detach this module.
-+ */
-+static int tnc_detach(void *args)
-+{
-+    // terminate NAA-EAP
-+	DEBUG2("TNC-TERMINATE terminating NAA-EAP");
-+	TNC_Result result = terminate();
-+	if (result != TNC_RESULT_SUCCESS) {
-+		radlog(L_ERR,
-+				"rlm_eap_tnc: tnc_attach error while calling NAA-EAP terminate()");
-+		return -1;
-+	}
-+	return 0;
-+}
- 
- /*
-- *	Initiate the EAP-MD5 session by sending a challenge to the peer.
-- *  Initiate the EAP-TNC session by sending a EAP Request witch Start Bit set 
-- *  and with no data
-+ * This function is called when the first EAP_IDENTITY_RESPONSE message
-+ * was received.
-+ *
-+ * Initiates the EPA_TNC session by sending the first EAP_TNC_RESPONSE
-+ * to the peer. The packet has the Start-Bit set and contains no data.
-+ *
-+ *  0                   1                   2                   3
-+ *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ * |      Code     |   Identifier  |            Length             |
-+ * |               |               |                               |
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ * |      Type     |  Flags  | Ver |
-+ * |               |0 0 1 0 0|0 0 1|
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ *
-+ * For this package, only 'Identifier' has to be set dynamically. Any
-+ * other information is static.
-  */
- static int tnc_initiate(void *type_data, EAP_HANDLER *handler)
- {
--	uint8_t flags_ver = 1; //set version to 1
--	rlm_eap_tnc_t *inst = type_data;
--	TNC_PACKET *reply;
-+	size_t buflen = 71;
-+	size_t ret = 0;
-+	char buf[buflen];
-+	REQUEST * request = NULL;
-+	TNC_Result result;
-+	TNC_ConnectionID conID;
-+	TNC_BufferReference username;
- 
-+	// check if we run inside a secure EAP method.
-+	// FIXME check concrete outer EAP method
- 	if (!handler->request || !handler->request->parent) {
--		DEBUG("rlm_eap_tnc: EAP-TNC can only be run inside of a TLS-based method.");
-+		DEBUG2("rlm_eap_tnc: EAP_TNC must only be used as an inner method within a protected tunneled EAP created by an outer EAP method.");
-+		request = handler->request;
- 		return 0;
-+	} else {
-+		request = handler->request->parent;
- 	}
- 
--	/*
--	 *	FIXME: Update this when the TTLS and PEAP methods can
--	 *	run EAP-TLC *after* the user has been authenticated.
--	 *	This likely means moving the phase2 handlers to a
--	 *	common code base.
--	 */
--	if (1) {
--		DEBUG("rlm-eap_tnc: EAP-TNC can only be run after the user has been authenticated.");
-+	if (request->packet == NULL) {
-+		DEBUG2("rlm_eap_tnc: ERROR request->packet is NULL.");
- 		return 0;
- 	}
- 
- 	DEBUG("tnc_initiate: %ld", handler->timestamp);
- 
--	if(connectToTncs(inst->tnc_path)==-1){
--		DEBUG("Could not connect to TNCS");
-+	//calculate connectionString
-+	ret = calculateConnectionString(request->packet, buf, buflen);
-+	if(ret == 0){
-+		radlog(L_ERR, "rlm_eap_tnc:tnc_attach: calculating connection String failed.");
-+		return 0;
- 	}
- 
-+	DEBUG2("TNC-INITIATE getting connection from NAA-EAP");
-+
- 	/*
--	 *	Allocate an EAP-MD5 packet.
-+	 * get connection
-+	 * (uses a function from the NAA-EAP-library)
-+	 * the presence of the library is checked via the configure-script
- 	 */
--	reply = eaptnc_alloc();
--	if (reply == NULL)  {
--		radlog(L_ERR, "rlm_eap_tnc: out of memory");
-+	result = getConnection(buf, &conID);
-+
-+	// check for errors
-+	if (result != TNC_RESULT_SUCCESS) {
-+		radlog(L_ERR,
-+				"rlm_eap_tnc: tnc_initiate error while calling NAA-EAP getConnection");
- 		return 0;
- 	}
- 
- 	/*
--	 *	Fill it with data.
-+	 * tries to get the username from FreeRADIUS;
-+	 * copied from modules/rlm_eap/types/rlm_eap_ttls/ttls.c
- 	 */
--	reply->code = PW_TNC_REQUEST;
--	flags_ver = SET_START(flags_ver); //set start-flag
--	DEBUG("$$$$$$$$$$$$$$$$Flags: %d", flags_ver);
--	reply->flags_ver = flags_ver;
--	reply->length = 1+1; /* one byte of flags_ver */
-+	VALUE_PAIR *usernameValuePair;
-+	usernameValuePair = pairfind(request->packet->vps, PW_USER_NAME);
- 
-+	VALUE_PAIR *eapMessageValuePair;
-+	if (!usernameValuePair) {
-+		eapMessageValuePair = pairfind(request->packet->vps, PW_EAP_MESSAGE);
-+
-+		if (eapMessageValuePair &&
-+			(eapMessageValuePair->length >= EAP_HEADER_LEN + 2) &&
-+			(eapMessageValuePair->vp_strvalue[0] == PW_EAP_RESPONSE) &&
-+			(eapMessageValuePair->vp_strvalue[EAP_HEADER_LEN] == PW_EAP_IDENTITY) &&
-+			(eapMessageValuePair->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) {
-+
-+			/*
-+			 *	Create & remember a User-Name
-+			 */
-+			usernameValuePair = pairmake("User-Name", "", T_OP_EQ);
-+			rad_assert(usernameValuePair != NULL);
-+
-+			memcpy(usernameValuePair->vp_strvalue, eapMessageValuePair->vp_strvalue + 5,
-+					eapMessageValuePair->length - 5);
-+			usernameValuePair->length = eapMessageValuePair->length - 5;
-+			usernameValuePair->vp_strvalue[usernameValuePair->length] = 0;
-+		}
-+	}
-+
-+	username = malloc(usernameValuePair->length + 1);
-+	memcpy(username, usernameValuePair->vp_strvalue, usernameValuePair->length);
-+	username[usernameValuePair->length] = '\0';
-+
-+	RDEBUG("Username for current TNC connection: %s", username);
-+
-+	/*
-+	 * stores the username of this connection
-+	 * (uses a function from the NAA-EAP-library)
-+	 * the presence of the library is checked via the configure-script
-+	 */
-+	result = storeUsername(conID, username, usernameValuePair->length);
-+
-+	// check for errors
-+	if (result != TNC_RESULT_SUCCESS) {
-+		radlog(L_ERR,
-+				"rlm_eap_tnc: tnc_initiate error while calling NAA-EAP storeUsername");
-+		return 0;
-+	}
-+
-+	// set connection ID in FreeRADIUS
-+	handler->opaque = malloc(sizeof(TNC_ConnectionID));
-+	memcpy(handler->opaque, &conID, sizeof(TNC_ConnectionID));
-+
-+	// build first EAP TNC request
-+	TNC_BufferReference eap_tnc_request = malloc(sizeof(unsigned char));
-+	if (eap_tnc_request == NULL) {
-+		radlog(L_ERR, "rlm_eap_tnc:tnc_initiate: malloc failed.");
-+		return 0;
-+	}
-+	*eap_tnc_request = SET_START(1);
-+	TNC_UInt32 eap_tnc_length = 1;
-+	type_data = type_data; /* suppress -Wunused */
- 
- 	/*
- 	 *	Compose the EAP-TNC packet out of the data structure,
- 	 *	and free it.
- 	 */
--	eaptnc_compose(handler->eap_ds, reply);
--	eaptnc_free(&reply);
-+	eaptnc_compose(handler, eap_tnc_request, eap_tnc_length, PW_EAP_REQUEST);
- 
--    //put sessionAttribute to Handler and increase sessionCounter
--    handler->opaque = calloc(sizeof(TNC_ConnectionID), 1);
--    if (handler->opaque == NULL)  {
--	radlog(L_ERR, "rlm_eap_tnc: out of memory");
--	return 0;
--    }
--    handler->free_opaque = free;
--    memcpy(handler->opaque, &sessionCounter, sizeof(int));
--    sessionCounter++;
--    
- 	/*
- 	 *	We don't need to authorize the user at this point.
- 	 *
-@@ -124,246 +290,114 @@
- 	 *	to us...
- 	 */
- 	handler->stage = AUTHENTICATE;
--    
--	return 1;
--}
- 
--static void setVlanAttribute(rlm_eap_tnc_t *inst, EAP_HANDLER *handler,
--			     VlanAccessMode mode){
--	VALUE_PAIR *vp;
--    char *vlanNumber = NULL;
--    switch(mode){
--        case VLAN_ISOLATE:
--            vlanNumber = inst->vlan_isolate;
--	    vp = pairfind(handler->request->config_items,
--			  PW_TNC_VLAN_ISOLATE);
--	    if (vp) vlanNumber = vp->vp_strvalue;
--            break;
--        case VLAN_ACCESS:
--            vlanNumber = inst->vlan_access;
--	    vp = pairfind(handler->request->config_items,
--			  PW_TNC_VLAN_ACCESS);
--	    if (vp) vlanNumber = vp->vp_strvalue;
--            break;
--
--    default:
--	    DEBUG2("  rlm_eap_tnc: Internal error.  Not setting vlan number");
--	    return;
--    }
--    pairadd(&handler->request->reply->vps,
--	    pairmake("Tunnel-Type", "VLAN", T_OP_SET));
--    
--    pairadd(&handler->request->reply->vps,
--	    pairmake("Tunnel-Medium-Type", "IEEE-802", T_OP_SET));
--    
--    pairadd(&handler->request->reply->vps,
--	    pairmake("Tunnel-Private-Group-ID", vlanNumber, T_OP_SET));
--    
-+	return 1;
- }
- 
--/*
-- *	Authenticate a previously sent challenge.
-+/**
-+ * This function is called when a EAP_TNC_RESPONSE was received.
-+ * It basically forwards the EAP_TNC data to NAA-TNCS and forms
-+ * and appropriate EAP_RESPONSE. Furthermore, it sets the VlanID
-+ * based on the TNC_ConnectionState determined by NAA-TNCS.
-+ *
-+ * @param type_arg The configuration data
-+ * @param handler The EAP_HANDLER
-+ * @return True, if successfully, else false.
-  */
--static int tnc_authenticate(void *type_arg, EAP_HANDLER *handler)
--{
--    TNC_PACKET	*packet;
--    TNC_PACKET	*reply;
--    TNC_ConnectionID connId = *((TNC_ConnectionID *) (handler->opaque));
--    TNC_ConnectionState state;
--    rlm_eap_tnc_t *inst = type_arg;
--    int isAcknowledgement = 0;
--    TNC_UInt32 tnccsMsgLength = 0;
--    int isLengthIncluded;
--    int moreFragments;
--    TNC_UInt32 overallLength;
--    TNC_BufferReference outMessage;
--    TNC_UInt32 outMessageLength = 2;
--    int outIsLengthIncluded=0;
--    int outMoreFragments=0;
--    TNC_UInt32 outOverallLength=0;
-+static int tnc_authenticate(void *type_arg, EAP_HANDLER *handler) {
- 
--    DEBUG2("HANDLER_OPAQUE: %d", (int) *((TNC_ConnectionID *) (handler->opaque)));
--    DEBUG2("TNC-AUTHENTICATE is starting now for %d..........", (int) connId);
-+	rad_assert(handler->request != NULL); // check that request has been sent previously
-+	rad_assert(handler->stage == AUTHENTICATE); // check if initiate has been called
- 
--	/*
--	 *	Get the User-Password for this user.
--	 */
--    rad_assert(handler->request != NULL);
--	rad_assert(handler->stage == AUTHENTICATE);
--    
--	/*
--	 *	Extract the EAP-TNC packet.
--	 */
--    if (!(packet = eaptnc_extract(handler->eap_ds)))
-+	if (handler == NULL) {
-+		radlog(L_ERR,
-+				"rlm_eap_tnc: tnc_authenticate invalid parameters: handler == NULL");
- 		return 0;
-+	}
-+	if (handler->eap_ds == NULL) {
-+		radlog(L_ERR,
-+				"rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds == NULL");
-+		return 0;
-+	}
-+	if (handler->eap_ds->response == NULL) {
-+		radlog(
-+				L_ERR,
-+				"rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds->resonse == NULL");
-+		return 0;
-+	}
-+	if (handler->eap_ds->response->type.type != PW_EAP_TNC
-+			|| handler->eap_ds->response->type.length < 1
-+			|| handler->eap_ds->response->type.data == NULL) {
-+		radlog(
-+				L_ERR,
-+				"rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds->response->type.type == %X, ->type.length == %u, ->type.data == %p",
-+				handler->eap_ds->response->type.type,
-+				handler->eap_ds->response->type.length,
-+				handler->eap_ds->response->type.data);
-+		return 0;
-+	}
- 
--	/*
--	 *	Create a reply, and initialize it.
--	 */
--	reply = eaptnc_alloc();
--	if (!reply) {
--		eaptnc_free(&packet);
--		return 0;
--	}
--    
--	reply->id = handler->eap_ds->request->id;
--	reply->length = 0;
--    if(packet->data_length==0){
--        tnccsMsgLength = packet->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
--    }else{
--        tnccsMsgLength = packet->length-TNC_PACKET_LENGTH;
--    }
--    isLengthIncluded = TNC_LENGTH_INCLUDED(packet->flags_ver);
--    moreFragments = TNC_MORE_FRAGMENTS(packet->flags_ver);
--    overallLength = packet->data_length;
--    if(isLengthIncluded == 0 
--        && moreFragments == 0 
--        && overallLength == 0 
--        && tnccsMsgLength == 0
--        && TNC_START(packet->flags_ver)==0){
--        
--        isAcknowledgement = 1;
--    }
--    
--    DEBUG("Data received: (%d)", (int) tnccsMsgLength);
--/*    int i;
--    for(i=0;i<tnccsMsgLength;i++){
--        DEBUG2("%c", (packet->data)[i]);
--    }
--    DEBUG2("\n");
--   */
--    state = exchangeTNCCSMessages(inst->tnc_path,
--                                  connId,
--                                  isAcknowledgement,
--                                  packet->data, 
--                                  tnccsMsgLength, 
--                                  isLengthIncluded, 
--                                  moreFragments, 
--                                  overallLength, 
--                                  &outMessage, 
--                                  &outMessageLength,
--                                  &outIsLengthIncluded,
--                                  &outMoreFragments,
--                                  &outOverallLength);
--    DEBUG("GOT State %08x from TNCS", (unsigned int) state);
--    if(state == TNC_CONNECTION_EAP_ACKNOWLEDGEMENT){ //send back acknoledgement
--        reply->code = PW_TNC_REQUEST;
--        reply->data = NULL;
--        reply->data_length = 0;
--        reply->flags_ver = 1;
--        reply->length =TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH; 
--    }else{ //send back normal message
--        DEBUG("GOT Message from TNCS (length: %d)", (int) outMessageLength);
--        
-- /*       for(i=0;i<outMessageLength;i++){
--            DEBUG2("%c", outMessage[i]);
--        }
--        DEBUG2("\n");
-- */
--        DEBUG("outIsLengthIncluded: %d, outMoreFragments: %d, outOverallLength: %d", 
--                outIsLengthIncluded, outMoreFragments, (int) outOverallLength);
--        DEBUG("NEW STATE: %08x", (unsigned int) state);
--        switch(state){
--            case TNC_CONNECTION_STATE_HANDSHAKE:
--                reply->code = PW_TNC_REQUEST;
--                DEBUG2("Set Reply->Code to EAP-REQUEST\n");
--                break;
--            case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
--                reply->code = PW_TNC_SUCCESS;
--                setVlanAttribute(inst, handler,VLAN_ACCESS);
--                break;
--            case TNC_CONNECTION_STATE_ACCESS_NONE:
--                reply->code = PW_TNC_FAILURE;
--                //setVlanAttribute(inst, handler, VLAN_ISOLATE);
--                break;
--            case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
--                reply->code = PW_TNC_SUCCESS;
--                setVlanAttribute(inst, handler, VLAN_ISOLATE);
--                break;
--            default:
--                reply->code= PW_TNC_FAILURE;
--                
--        }
--        if(outMessage!=NULL && outMessageLength!=0){
--            reply->data = outMessage;
--        }
--        reply->flags_ver = 1;
--        if(outIsLengthIncluded){
--            reply->flags_ver = SET_LENGTH_INCLUDED(reply->flags_ver);
--            reply->data_length = outOverallLength;
--            reply->length = TNC_PACKET_LENGTH + outMessageLength;
--            DEBUG("SET LENGTH: %d", reply->length);
--            DEBUG("SET DATALENGTH: %d", (int) outOverallLength);
--        }else{
--            reply->data_length = 0;
--            reply->length = TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH + outMessageLength;        
--            DEBUG("SET LENGTH: %d", reply->length);
--        }
--        if(outMoreFragments){
--            reply->flags_ver = SET_MORE_FRAGMENTS(reply->flags_ver);
--        }
--    }
--    
--	/*
--	 *	Compose the EAP-MD5 packet out of the data structure,
--	 *	and free it.
--	 */
--	eaptnc_compose(handler->eap_ds, reply);
--    	eaptnc_free(&reply);
--
--    handler->stage = AUTHENTICATE;
--    
--	eaptnc_free(&packet);
--	return 1;
--}
--
--/*
-- *	Detach the EAP-TNC module.
-- */
--static int tnc_detach(void *arg)
--{
--	free(arg);
--	return 0;
--}
--
--
--static CONF_PARSER module_config[] = {
--	{ "vlan_access", PW_TYPE_STRING_PTR,
--	  offsetof(rlm_eap_tnc_t, vlan_access), NULL, NULL },
--	{ "vlan_isolate", PW_TYPE_STRING_PTR,
--	  offsetof(rlm_eap_tnc_t, vlan_isolate), NULL, NULL },
--	{ "tnc_path", PW_TYPE_STRING_PTR,
--	  offsetof(rlm_eap_tnc_t, tnc_path), NULL,
--	"/usr/local/lib/libTNCS.so"},
-+	// get connection ID
-+	TNC_ConnectionID conID = *((TNC_ConnectionID *) (handler->opaque));
- 
-- 	{ NULL, -1, 0, NULL, NULL }           /* end the list */
--};
-+	DEBUG2("TNC-AUTHENTICATE is starting now for connection ID %lX !", conID);
- 
--/*
-- *	Attach the EAP-TNC module.
-- */
--static int tnc_attach(CONF_SECTION *cs, void **instance)
--{
--	rlm_eap_tnc_t *inst;
-+	// pass EAP_TNC data to NAA-EAP and get answer data
-+	TNC_BufferReference output = NULL;
-+	TNC_UInt32 outputLength = 0;
-+	TNC_ConnectionState connectionState = TNC_CONNECTION_STATE_CREATE;
- 
--	inst = malloc(sizeof(*inst));
--	if (!inst) return -1;
--	memset(inst, 0, sizeof(*inst));
-+	/*
-+	 * forwards the eap_tnc data to NAA-EAP and gets the response
-+	 * (uses a function from the NAA-EAP-library)
-+	 * the presence of the library is checked via the configure-script
-+	 */
-+	TNC_Result result = processEAPTNCData(conID, handler->eap_ds->response->type.data,
-+			handler->eap_ds->response->type.length, &output, &outputLength,
-+			&connectionState);
-+
-+	// check for errors
-+	if (result != TNC_RESULT_SUCCESS) {
-+		radlog(L_ERR,
-+				"rlm_eap_tnc: tnc_authenticate error while calling NAA-EAP processEAPTNCData");
-+		return 0;
-+	}
- 
--	if (cf_section_parse(cs, inst, module_config) < 0) {
--		tnc_detach(inst);
--		return -1;
-+	// output contains now the answer from NAA-EAP
-+	uint8_t eapCode = 0;
-+	// determine eapCode for request
-+	switch (connectionState) {
-+	case TNC_CONNECTION_STATE_HANDSHAKE:
-+		eapCode = PW_EAP_REQUEST;
-+		break;
-+	case TNC_CONNECTION_STATE_ACCESS_NONE:
-+		eapCode = PW_EAP_FAILURE;
-+		break;
-+	case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
-+		eapCode = PW_EAP_SUCCESS;
-+		pairadd(&handler->request->config_items, pairmake("TNC-Status", "Access", T_OP_SET));
-+		break;
-+	case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
-+		eapCode = PW_EAP_SUCCESS;
-+		pairadd(&handler->request->config_items, pairmake("TNC-Status", "Isolate", T_OP_SET));
-+		break;
-+	default:
-+		radlog(L_ERR,
-+				"rlm_eap_tnc: tnc_authenticate invalid TNC_CONNECTION_STATE.");
-+		return 0;
- 	}
- 
--	
--	if (!inst->vlan_access || !inst->vlan_isolate) {
--		radlog(L_ERR, "rlm_eap_tnc: Must set both vlan_access and vlan_isolate");
--		tnc_detach(inst);
--		return -1;
-+	// form EAP_REQUEST
-+	if (!eaptnc_compose(handler, output, outputLength, eapCode)) {
-+		radlog(L_ERR,
-+				"rlm_eap_tnc: tnc_authenticate error while forming EAP_REQUEST.");
-+		return 0;
- 	}
- 
--	*instance = inst;
--	return 0;
-+	// FIXME: Why is that needed?
-+	handler->stage = AUTHENTICATE;
-+
-+	return 1;
- }
- 
- /*
-@@ -371,10 +405,10 @@
-  *	That is, everything else should be 'static'.
-  */
- EAP_TYPE rlm_eap_tnc = {
--	"eap_tnc",
--	tnc_attach,			/* attach */
--	tnc_initiate,			/* Start the initial request */
--	NULL,				/* authorization */
--	tnc_authenticate,		/* authentication */
--	tnc_detach		      	/* detach */
-+		"eap_tnc",
-+		tnc_attach, /* attach */
-+		tnc_initiate, /* Start the initial request */
-+		NULL, /* authorization */
-+		tnc_authenticate, /* authentication */
-+		tnc_detach /* detach */
- };
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c	2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c	1970-01-01 01:00:00.000000000 +0100
-@@ -1,146 +0,0 @@
--/*
-- *   This software is Copyright (C) 2006,2007 FH Hannover
-- *
-- *   Portions of this code unrelated to FreeRADIUS are available
-- *   separately under a commercial license.  If you require an
-- *   implementation of EAP-TNC that is not under the GPLv2, please
-- *   contact tnc@inform.fh-hannover.de for details.
-- *
-- *   This program is free software; you can redistribute it and/or modify
-- *   it under the terms of the GNU General Public License as published by
-- *   the Free Software Foundation; either version 2 of the License, or
-- *   (at your option) any later version.
-- *
-- *   This program is distributed in the hope that it will be useful,
-- *   but WITHOUT ANY WARRANTY; without even the implied warranty of
-- *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-- *   GNU General Public License for more details.
-- *
-- *   You should have received a copy of the GNU General Public License
-- *   along with this program; if not, write to the Free Software
-- *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
-- *
-- */
--#include <freeradius-devel/ident.h>
--RCSID("$Id: 6077f6d2bdc2ebdea6575678e80e255f57215900 $")
--
--#include "tncs_connect.h"
--#include <ltdl.h>
--#include <stdlib.h>
--#include <stdio.h>
--#include <eap.h>
--
--     /*
--      *	FIXME: This linking should really be done at compile time.
--      */
--static lt_dlhandle handle = NULL;
--
--static ExchangeTNCCSMessagePointer callTNCS = NULL;
--
--/*
-- * returns the function-pointer to a function of a shared-object
-- * 
-- * soHandle: handle to a shared-object
-- * name: name of the requested function
-- * 
-- * return: the procAddress if found, else NULL
-- */
--static void *getProcAddress(lt_dlhandle soHandle, const char *name){
--	void *proc = lt_dlsym(soHandle, name);
--	DEBUG("Searching for function %s", name);
--	if(proc == NULL){
--		DEBUG("rlm_eap_tnc: Failed to resolve symbol %s: %s",
--		      name, lt_dlerror());
--	}
--	return proc;
--}
--
--
--/*
-- * establishs the connection to the TNCCS without calling functionality.
-- * That means that the TNCS-shared-object is loaded and the function-pointer
-- * to "exchangeTNCCSMessages" is explored.
-- * 
-- * return: -1 if connect failed, 0 if connect was successful
-- */
--int connectToTncs(char *pathToSO){
--	int state = -1;
--	if(handle==NULL){
--		handle = lt_dlopen(pathToSO);
--		DEBUG("OPENED HANDLE!");
--	}
--	
--	if(handle==NULL){
--		DEBUG("HANDLE IS NULL");
--        DEBUG("rlm_eap_tnc: Failed to link to library %s: %s",
--	      pathToSO, lt_dlerror());
--	}else{
--		DEBUG("SO %s found!", pathToSO);
--		if(callTNCS==NULL){
--			callTNCS = (ExchangeTNCCSMessagePointer) getProcAddress(handle, "exchangeTNCCSMessages");
--		}
--		if(callTNCS!=NULL){
--			DEBUG("TNCS is connected");
--			state = 0;
--//			int ret = callTNCS2(2, "Bla", NULL);
--	//		DEBUG("GOT %d from exchangeTNCCSMessages", ret);
--		}else{
--			DEBUG("Could not find exchangeTNCCSMessages");
--		}
--
--	}
--	return state;	
--}
--
--/*
-- * Accesspoint to the TNCS for sending and receiving TNCCS-Messages.
-- * -pathToSO: Path to TNCCS-Shared Object 
-- * -connId: identifies the client which the passed message belongs to.
-- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
-- * -input: input-TNCCS-message received from the client with connId
-- * -inputLength: length of input-TNCCS-message
-- * -isFirst: 1 if first message in fragmentation else 0
-- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
-- * -overallLength: length of all fragments together (only set if fragmentation)
-- * -output: answer-TNCCS-message from the TNCS to the client
-- * -outputLength: length of answer-TNCCS-message
-- * -answerIsFirst: returned answer is first in row
-- * -moreFragmentsFollow: more fragments after this answer
-- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
-- * 
-- * return: state of connection as result of the exchange
-- */
--TNC_ConnectionState exchangeTNCCSMessages(/*in*/ char *pathToSO,
--                                          /*in*/ TNC_ConnectionID connId, 
--                                          /*in*/ int isAcknoledgement,
--					  /*in*/ TNC_BufferReference input, 
--                                          /*in*/ TNC_UInt32 inputLength,
--                                          /*in*/ int isFirst, 
--                                          /*in*/ int moreFragments,
--                                          /*in*/ TNC_UInt32 overallLength,
--					  /*out*/ TNC_BufferReference *output,
--                                          /*out*/ TNC_UInt32 *outputLength,
--                                          /*out*/ int *answerIsFirst,
--                                          /*out*/ int *moreFragmentsFollow,
--                                          /*out*/ TNC_UInt32 *overallLengthOut){
--	TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE;
--	int connectStatus = connectToTncs(pathToSO);
--    if(connectStatus!=-1){
--		state = callTNCS(connId,
--                            isAcknoledgement,
--                            input,
--                            inputLength, 
--                            isFirst, 
--                            moreFragments, 
--                            overallLength, 
--                            output, 
--                            outputLength, 
--                            answerIsFirst, 
--                            moreFragmentsFollow, 
--                            overallLengthOut);
--        DEBUG("GOT TNC_ConnectionState (juhuuu): %u", (unsigned int) state);
--	}else{
--		DEBUG("CAN NOT CONNECT TO TNCS");
--	}
--	return state;
--}
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h	2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h	1970-01-01 01:00:00.000000000 +0100
-@@ -1,70 +0,0 @@
--/*
-- *   This software is Copyright (C) 2006,2007 FH Hannover
-- *
-- *   Portions of this code unrelated to FreeRADIUS are available
-- *   separately under a commercial license.  If you require an
-- *   implementation of EAP-TNC that is not under the GPLv2, please
-- *   contact tnc@inform.fh-hannover.de for details.
-- *
-- *   This program is free software; you can redistribute it and/or modify
-- *   it under the terms of the GNU General Public License as published by
-- *   the Free Software Foundation; either version 2 of the License, or
-- *   (at your option) any later version.
-- *
-- *   This program is distributed in the hope that it will be useful,
-- *   but WITHOUT ANY WARRANTY; without even the implied warranty of
-- *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-- *   GNU General Public License for more details.
-- *
-- *   You should have received a copy of the GNU General Public License
-- *   along with this program; if not, write to the Free Software
-- *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
-- *
-- */
--
--#ifndef _TNCS_CONNECT_H_
--#define _TNCS_CONNECT_H_
--
--#include "tncs.h"
--
--/*
-- * establishs the connection to the TNCCS without calling functionality.
-- * That means that the TNCS-shared-object is loaded and the function-pointer
-- * to "exchangeTNCCSMessages" is explored.
-- * 
-- * return: -1 if connect failed, 0 if connect was successful
-- */
--int connectToTncs(char *pathToSO);
--/*
-- * Accesspoint to the TNCS for sending and receiving TNCCS-Messages.
-- * -pathToSO: Path to TNCCS-Shared Object
-- * -connId: identifies the client which the passed message belongs to.
-- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
-- * -input: input-TNCCS-message received from the client with connId
-- * -inputLength: length of input-TNCCS-message
-- * -isFirst: 1 if first message in fragmentation else 0
-- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
-- * -overallLength: length of all fragments together (only set if fragmentation) 
-- * -output: answer-TNCCS-message from the TNCS to the client
-- * -outputLength: length of answer-TNCCS-message
-- * -answerIsFirst: returned answer is first in row
-- * -moreFragmentsFollow: more fragments after this answer
-- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
-- * 
-- * return: state of connection as result of the exchange
-- */
--TNC_ConnectionState exchangeTNCCSMessages(/*in*/ char *pathToSO,
--                                          /*in*/ TNC_ConnectionID connId, 
--                                          /*in*/ int isAcknoledgement, 
--                                          /*in*/ TNC_BufferReference input, 
--                                          /*in*/ TNC_UInt32 inputLength,
--                                          /*in*/ int isFirst,
--                                          /*in*/ int moreFragments,
--                                          /*in*/ TNC_UInt32 overallLength,
--                                          /*out*/ TNC_BufferReference *output,
--                                          /*out*/ TNC_UInt32 *outputLength,
--                                          /*out*/ int *answerIsFirst,
--                                          /*out*/ int *moreFragmentsFollow,
--                                          /*out*/ TNC_UInt32 *overallLengthOut);
--
--#endif //_TNCS_CONNECT_H_
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h	2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h	1970-01-01 01:00:00.000000000 +0100
-@@ -1,86 +0,0 @@
--/*
-- *   This software is Copyright (C) 2006,2007 FH Hannover
-- *
-- *   Portions of this code unrelated to FreeRADIUS are available
-- *   separately under a commercial license.  If you require an
-- *   implementation of EAP-TNC that is not under the GPLv2, please
-- *   contact tnc@inform.fh-hannover.de for details.
-- *
-- *   This program is free software; you can redistribute it and/or modify
-- *   it under the terms of the GNU General Public License as published by
-- *   the Free Software Foundation; either version 2 of the License, or
-- *   (at your option) any later version.
-- *
-- *   This program is distributed in the hope that it will be useful,
-- *   but WITHOUT ANY WARRANTY; without even the implied warranty of
-- *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-- *   GNU General Public License for more details.
-- *
-- *   You should have received a copy of the GNU General Public License
-- *   along with this program; if not, write to the Free Software
-- *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
-- *
-- */
--
--#ifndef _TNCS_H_
--#define _TNCS_H_
--
--
--
--#ifdef __cplusplus
--extern "C" {
--#endif 
--
--/*
-- * copied from tncimv.h:
-- */
--typedef unsigned long TNC_UInt32;
--typedef TNC_UInt32 TNC_ConnectionState;
--typedef unsigned char *TNC_BufferReference;
--typedef TNC_UInt32 TNC_ConnectionID;
--
--#define TNC_CONNECTION_STATE_CREATE 0
--#define TNC_CONNECTION_STATE_HANDSHAKE 1
--#define TNC_CONNECTION_STATE_ACCESS_ALLOWED 2
--#define TNC_CONNECTION_STATE_ACCESS_ISOLATED 3
--#define TNC_CONNECTION_STATE_ACCESS_NONE 4
--#define TNC_CONNECTION_STATE_DELETE 5
--#define TNC_CONNECTION_EAP_ACKNOWLEDGEMENT 6
--
--/*
-- * Accesspoint (as function-pointer) to the TNCS for sending and receiving 
-- * TNCCS-Messages.
-- * 
-- * -connId: identifies the client which the passed message belongs to.
-- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
-- * -input: input-TNCCS-message received from the client with connId
-- * -inputLength: length of input-TNCCS-message
-- * -isFirst: 1 if first message in fragmentation else 0
-- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
-- * -overallLength: length of all fragments together (only set if fragmentation) 
-- * -output: answer-TNCCS-message from the TNCS to the client
-- * -outputLength: length of answer-TNCCS-message
-- * -answerIsFirst: returned answer is first in row
-- * -moreFragmentsFollow: more fragments after this answer
-- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
-- * 
-- * return: state of connection as result of the exchange
-- */
--typedef TNC_ConnectionState (*ExchangeTNCCSMessagePointer)(/*in*/ TNC_ConnectionID connId, 
--                                          /*in*/ int isAcknoledgement, 
--                                          /*in*/ TNC_BufferReference input, 
--                                          /*in*/ TNC_UInt32 inputLength,
--                                          /*in*/ int isFirst,
--                                          /*in*/ int moreFragments,
--                                          /*in*/ TNC_UInt32 overallLength,
--                                          /*out*/ TNC_BufferReference *output,
--                                          /*out*/ TNC_UInt32 *outputLength,
--                                          /*out*/ int *answerIsFirst,
--                                          /*out*/ int *moreFragmentsFollow,
--                                          /*out*/ TNC_UInt32 *overallLengthOut
--);
--
--#ifdef __cplusplus
--}
--#endif
--#endif //_TNCS_H_
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h	2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h	2012-12-04 19:39:54.749423138 +0100
-@@ -37,6 +37,10 @@
- 	int		copy_request_to_tunnel;
- 	int		use_tunneled_reply;
- 	const char	*virtual_server;
-+	const char	*tnc_virtual_server;	// virtual server for EAP-TNC as the second inner method
-+	VALUE_PAIR	*auth_reply;		// cache storage of the last reply of the first inner method
-+	int		auth_code;		// cache storage of the reply-code of the first inner method
-+	int		doing_tnc;		// status if we're doing EAP-TNC
- } ttls_tunnel_t;
- 
- /*
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c	2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c	2012-12-04 19:39:54.749423138 +0100
-@@ -62,6 +62,11 @@
- 	 *	Virtual server for inner tunnel session.
- 	 */
- 	char	*virtual_server;
-+
-+	/*
-+	 *	Virtual server for the second inner tunnel method, which is EAP-TNC.
-+	 */
-+	char	*tnc_virtual_server;
- } rlm_eap_ttls_t;
- 
- 
-@@ -78,6 +83,9 @@
- 	{ "virtual_server", PW_TYPE_STRING_PTR,
- 	  offsetof(rlm_eap_ttls_t, virtual_server), NULL, NULL },
- 
-+	{ "tnc_virtual_server", PW_TYPE_STRING_PTR,
-+	  offsetof(rlm_eap_ttls_t, tnc_virtual_server), NULL, NULL },
-+
- 	{ "include_length", PW_TYPE_BOOLEAN,
- 	  offsetof(rlm_eap_ttls_t, include_length), NULL, "yes" },
- 
-@@ -171,6 +179,10 @@
- 	t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
- 	t->use_tunneled_reply = inst->use_tunneled_reply;
- 	t->virtual_server = inst->virtual_server;
-+	t->tnc_virtual_server = inst->tnc_virtual_server;	// virtual server for EAP-TNC as the second inner method
-+	t->auth_reply = NULL;								// cache storage of the last reply of the first inner method
-+	t->auth_code = -1;									// cache storage of the reply-code of the first inner method
-+	t->doing_tnc = 0;									// status if we're doing EAP-TNC (on start we're doing NOT)
- 	return t;
- }
- 
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c	2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c	2012-12-04 19:39:54.749423138 +0100
-@@ -585,6 +585,94 @@
- }
- 
- /*
-+ *	Start EAP-TNC as a second inner method.
-+ *	Creates a new fake-request out of the original incoming request (via EAP_HANDLER).
-+ *	If it's the first time, we create a EAP-START-packet and send
-+ *	EAP-START :=	code = PW_EAP_REQUEST
-+ *
-+ */
-+static REQUEST* start_tnc(EAP_HANDLER *handler, ttls_tunnel_t *t) {
-+	REQUEST* request = handler->request;
-+	RDEBUG2("EAP-TNC as second inner authentication method starts now");
-+
-+	/*
-+	 *	Allocate a fake REQUEST struct,
-+	 *	to make a new request, based on the original request.
-+	 */
-+	REQUEST* fake = request_alloc_fake(request);
-+
-+	/*
-+	 * Set the virtual server to that of EAP-TNC.
-+	 */
-+	fake->server = t->tnc_virtual_server;
-+
-+	/*
-+	 * Build a new EAP-Message.
-+	 */
-+	VALUE_PAIR *eap_msg;
-+	eap_msg = paircreate(PW_EAP_MESSAGE, PW_TYPE_OCTETS);
-+
-+	/*
-+	 * Set the EAP-Message to look like EAP-Start
-+	 */
-+	eap_msg->vp_octets[0] = PW_EAP_RESPONSE;
-+	eap_msg->vp_octets[1] = 0x00;
-+
-+	/*
-+	 * Only setting EAP-TNC here,
-+	 * because it is intended to do user-authentication in the first inner method,
-+	 * and then a hardware-authentication (like EAP-TNC) as the second method.
-+	 */
-+	eap_msg->vp_octets[4] = PW_EAP_TNC;
-+
-+	eap_msg->length = 0;
-+
-+	/*
-+	 * Add the EAP-Message to the request.
-+	 */
-+	pairadd(&(fake->packet->vps), eap_msg);
-+
-+	/*
-+	 * Process the new request by the virtual server configured for
-+	 * EAP-TNC.
-+	 */
-+	rad_authenticate(fake);
-+
-+	/*
-+	 * From now on we're doing EAP-TNC as the second inner authentication method.
-+	 */
-+	t->doing_tnc = TRUE;
-+
-+	return fake;
-+}
-+
-+/*
-+ * 	Stop EAP-TNC as a second inner method.
-+ *	Copy the value pairs from the cached Access-Accept of the first inner method
-+ *	to the Access-Accept/Reject package of EAP-TNC.
-+ */
-+static REQUEST* stop_tnc(REQUEST *request, ttls_tunnel_t *t) {
-+	RDEBUG2("EAP-TNC as second inner authentication method stops now");
-+
-+	/*
-+	 * Copy the value-pairs of the origina Access-Accept of the first
-+	 * inner authentication method to the Access-Accept/Reject of the
-+	 * second inner authentication method (EAP-TNC).
-+	 */
-+	if (request->reply->code == PW_AUTHENTICATION_ACK) {
-+		pairadd(&(request->reply->vps), t->auth_reply);
-+	} else if (request->reply->code == PW_AUTHENTICATION_REJECT) {
-+		pairadd(&(request->reply->vps), t->auth_reply);
-+	}
-+
-+	pairdelete(&(request->reply->vps), PW_MESSAGE_AUTHENTICATOR);
-+	pairdelete(&(request->reply->vps), PW_PROXY_STATE);
-+	pairdelete(&(request->reply->vps), PW_USER_NAME);
-+
-+	return request;
-+}
-+
-+/*
-  *	Use a reply packet to determine what to do.
-  */
- static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
-@@ -1135,6 +1223,16 @@
- 
- 	} /* else fake->server == request->server */
- 
-+	/*
-+	 * If we're doing EAP-TNC as a second method,
-+	 * then set the server to that one.
-+	 * Then, rad_authenticate will run EAP-TNC,
-+	 * so that afterwards we have to look for the state of
-+	 * EAP-TNC.
-+	 */
-+	if (t->doing_tnc) {
-+		fake->server = t->tnc_virtual_server;
-+	}
- 
- 	if ((debug_flag > 0) && fr_log_fp) {
- 		RDEBUG("Sending tunneled request");
-@@ -1248,6 +1346,53 @@
- 
- 	default:
- 		/*
-+		 * If the result of the first method was an acknowledgment OR
-+		 * if were already running EAP-TNC,
-+		 * we're doing additional things before processing the reply.
-+		 * Also the configuration for EAP-TTLS has to contain a virtual server
-+		 * for EAP-TNC as the second method.
-+		 */
-+		if (t->tnc_virtual_server) {
-+			/*
-+			 * If the reply code of the first inner method is PW_AUTHENTICATION_ACK
-+			 * which means that the method was successful,
-+			 * and we're not doing EAP-TNC as the second method,
-+			 * then we want to intercept the Access-Accept and start EAP-TNC as the second inner method.
-+			 */
-+			if (fake->reply->code == PW_AUTHENTICATION_ACK
-+				 && t->doing_tnc == FALSE) {
-+				RDEBUG2("Reply-Code of the first inner method was: %d (PW_AUTHENTICATION_ACK)", fake->reply->code);
-+
-+				/*
-+				 * Save reply-value pairs and reply-code of the first method.
-+				 */
-+				t->auth_reply = fake->reply->vps;
-+				fake->reply->vps = NULL;
-+				t->auth_code = fake->reply->code;
-+
-+				/*
-+				 * Create the start package for EAP-TNC.
-+				 */
-+				fake = start_tnc(handler, t);
-+
-+				/*
-+				 * If we're doing EAP-TNC as the second inner method,
-+				 * and the reply->code was PW_AUTHENTICATION_ACK or PW_AUTHENTICATION_REJECT,
-+				 * then we stop EAP-TNC and create an combined Access-Accept or Access-Reject.
-+				 */
-+			} else if (t->doing_tnc == TRUE
-+					&& (fake->reply->code == PW_AUTHENTICATION_ACK || fake->reply->code == PW_AUTHENTICATION_REJECT)) {
-+
-+				/*
-+				 * Create the combined Access-Accept or -Reject.
-+				 */
-+				RDEBUG2("Reply-Code of EAP-TNC as the second inner method was: %d (%s)", fake->reply->code,
-+						fake->reply->code == PW_AUTHENTICATION_ACK ? "PW_AUTHENTICATION_ACK" : "PW_AUTHENTICATION_REJECT");
-+				fake = stop_tnc(fake, t);
-+			}
-+		}
-+
-+		/*
- 		 *	Returns RLM_MODULE_FOO, and we want to return
- 		 *	PW_FOO
- 		 */
diff --git a/testing/scripts/recipes/patches/hostapd-config b/testing/scripts/recipes/patches/hostapd-config
deleted file mode 100644
index b26d2783f..000000000
--- a/testing/scripts/recipes/patches/hostapd-config
+++ /dev/null
@@ -1,38 +0,0 @@
-diff -u -ur hostapd-2.0.orig/hostapd/defconfig hostapd-2.0/hostapd/defconfig
---- hostapd-2.0.orig/hostapd/defconfig	2013-01-12 16:42:53.000000000 +0100
-+++ hostapd-2.0/hostapd/defconfig	2016-06-15 17:32:57.000000000 +0200
-@@ -13,14 +13,14 @@
- CONFIG_DRIVER_HOSTAP=y
- 
- # Driver interface for wired authenticator
--#CONFIG_DRIVER_WIRED=y
-+CONFIG_DRIVER_WIRED=y
- 
- # Driver interface for madwifi driver
- #CONFIG_DRIVER_MADWIFI=y
- #CFLAGS += -I../../madwifi # change to the madwifi source directory
- 
- # Driver interface for drivers using the nl80211 kernel interface
--CONFIG_DRIVER_NL80211=y
-+#CONFIG_DRIVER_NL80211=y
- 
- # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
- #CONFIG_DRIVER_BSD=y
-@@ -30,7 +30,7 @@
- #LIBS_c += -L/usr/local/lib
- 
- # Driver interface for no driver (e.g., RADIUS server only)
--#CONFIG_DRIVER_NONE=y
-+CONFIG_DRIVER_NONE=y
- 
- # IEEE 802.11F/IAPP
- CONFIG_IAPP=y
-@@ -152,7 +152,7 @@
- 
- # Add support for writing debug log to a file: -f /tmp/hostapd.log
- # Disabled by default.
--#CONFIG_DEBUG_FILE=y
-+CONFIG_DEBUG_FILE=y
- 
- # Remove support for RADIUS accounting
- #CONFIG_NO_ACCOUNTING=y
\ No newline at end of file
diff --git a/testing/scripts/recipes/patches/tnc-fhh-tncsim b/testing/scripts/recipes/patches/tnc-fhh-tncsim
deleted file mode 100644
index 42c714480..000000000
--- a/testing/scripts/recipes/patches/tnc-fhh-tncsim
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index fe65134512ea..3c5255f21ea6 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -101,7 +101,6 @@ IF(${COMPONENT} STREQUAL "ALL")
- 	add_subdirectory(tncxacml)
- 	add_subdirectory(imcv)
- 	add_subdirectory(tncs)
--	add_subdirectory(tncsim)
- 			
- 	IF(${NAL} STREQUAL "8021X" OR ${NAL} STREQUAL "ALL")
- 		add_subdirectory(naaeap)
diff --git a/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc b/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc
deleted file mode 100644
index 2e00e5b44..000000000
--- a/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc
+++ /dev/null
@@ -1,47 +0,0 @@
-diff -urN wpa_supplicant-2.0.ori/src/eap_peer/tncc.c wpa_supplicant-2.0/src/eap_peer/tncc.c
---- wpa_supplicant-2.0.ori/src/eap_peer/tncc.c	2013-01-12 16:42:53.000000000 +0100
-+++ wpa_supplicant-2.0/src/eap_peer/tncc.c	2013-03-23 13:10:22.151059154 +0100
-@@ -465,7 +465,7 @@
- 		return -1;
- 	}
- #else /* CONFIG_NATIVE_WINDOWS */
--	imc->dlhandle = dlopen(imc->path, RTLD_LAZY);
-+	imc->dlhandle = dlopen(imc->path, RTLD_LAZY | RTLD_GLOBAL);
- 	if (imc->dlhandle == NULL) {
- 		wpa_printf(MSG_ERROR, "TNC: Failed to open IMC '%s' (%s): %s",
- 			   imc->name, imc->path, dlerror());
-diff -urN wpa_supplicant-2.0.ori/wpa_supplicant/defconfig wpa_supplicant-2.0/wpa_supplicant/defconfig
---- wpa_supplicant-2.0.ori/wpa_supplicant/defconfig	2013-01-12 16:42:53.000000000 +0100
-+++ wpa_supplicant-2.0/wpa_supplicant/defconfig	2013-03-23 13:06:08.759052370 +0100
-@@ -86,7 +86,7 @@
- CONFIG_DRIVER_WEXT=y
- 
- # Driver interface for Linux drivers using the nl80211 kernel interface
--CONFIG_DRIVER_NL80211=y
-+#CONFIG_DRIVER_NL80211=y
- 
- # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
- #CONFIG_DRIVER_BSD=y
-@@ -193,7 +193,7 @@
- #CONFIG_EAP_GPSK_SHA256=y
- 
- # EAP-TNC and related Trusted Network Connect support (experimental)
--#CONFIG_EAP_TNC=y
-+CONFIG_EAP_TNC=y
- 
- # Wi-Fi Protected Setup (WPS)
- #CONFIG_WPS=y
-diff -urN wpa_supplicant-2.0.ori/wpa_supplicant/Makefile wpa_supplicant-2.0/wpa_supplicant/Makefile
---- wpa_supplicant-2.0.ori/wpa_supplicant/Makefile	2013-01-12 16:42:53.000000000 +0100
-+++ wpa_supplicant-2.0/wpa_supplicant/Makefile	2013-03-23 13:06:08.759052370 +0100
-@@ -6,8 +6,8 @@
- CFLAGS = -MMD -O2 -Wall -g
- endif
- 
--export LIBDIR ?= /usr/local/lib/
--export BINDIR ?= /usr/local/sbin/
-+export LIBDIR ?= /usr/lib/
-+export BINDIR ?= /usr/sbin/
- PKG_CONFIG ?= pkg-config
- 
- CFLAGS += -I../src
diff --git a/testing/testing.conf b/testing/testing.conf
index 92b9693c1..7d8480c1f 100644
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -24,18 +24,14 @@ fi
 : ${TESTDIR=/srv/strongswan-testing}
 
 # Kernel configuration
-<<<<<<< Updated upstream
-: ${KERNELVERSION=4.18.9}
-=======
-: ${KERNELVERSION=4.15.9}
->>>>>>> Stashed changes
+: ${KERNELVERSION=4.20}
 : ${KERNEL=linux-$KERNELVERSION}
 : ${KERNELTARBALL=$KERNEL.tar.xz}
-: ${KERNELCONFIG=$DIR/../config/kernel/config-4.15}
-: ${KERNELPATCH=ha-4.15.6-abicompat.patch.bz2}
+: ${KERNELCONFIG=$DIR/../config/kernel/config-4.19}
+: ${KERNELPATCH=ha-4.16-abicompat.patch.bz2}
 
 # strongSwan version used in tests
-: ${SWANVERSION=5.7.0}
+: ${SWANVERSION=5.7.2}
 
 # Build directory where the guest kernel and images will be built
 : ${BUILDDIR=$TESTDIR/build}
@@ -52,8 +48,8 @@ fi
 
 # Base image settings
 # The base image is a pristine OS installation created using debootstrap.
-: ${BASEIMGSIZE=1600}
-: ${BASEIMGSUITE=jessie}
+: ${BASEIMGSIZE=1800}
+: ${BASEIMGSUITE=stretch}
 : ${BASEIMGARCH=amd64}
 : ${BASEIMG=$IMGDIR/debian-$BASEIMGSUITE-$BASEIMGARCH.$IMGEXT}
 : ${BASEIMGMIRROR=http://http.debian.net/debian}
diff --git a/testing/tests/botan/net2net-ed25519/description.txt b/testing/tests/botan/net2net-ed25519/description.txt
new file mode 100755
index 000000000..8c67989f4
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/description.txt
@@ -0,0 +1,10 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> containing <b>Ed25519</b> keys.
+<b>moon</b> uses the botan plugin based on the Botan library for all
+cryptographical functions whereas <b>sun</b> uses the default strongSwan
+cryptographical plugins.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/botan/net2net-ed25519/evaltest.dat b/testing/tests/botan/net2net-ed25519/evaltest.dat
new file mode 100755
index 000000000..ebbb8ae75
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/evaltest.dat
@@ -0,0 +1,7 @@
+moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with ED25519 successful::YES
+sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ED25519 successful::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..508c30a00
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = random pem x509 revocation constraints pubkey botan
+}
+
+charon-systemd {
+  load = random nonce pem x509 botan revocation curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem
new file mode 100644
index 000000000..491d36430
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIKF9TGaPwvVmqoqowy6y8anmPMKpSi9bKc310bbXBMtk
+-----END PRIVATE KEY-----
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bcc2742f7
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2 
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org 
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16 
+            remote_ts = 10.2.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem
new file mode 100644
index 000000000..e67b224b6
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9TCCAaegAwIBAgIBATAFBgMrZXAwTzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoT
+EnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEGA1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5
+IFJvb3QgQ0EwHhcNMTYxMjA0MjI0MDQyWhcNMjExMjA0MjI0MDQyWjBaMQswCQYD
+VQQGEwJDSDEbMBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MRAwDgYDVQQLEwdF
+ZDI1NTE5MRwwGgYDVQQDExNtb29uLnN0cm9uZ3N3YW4ub3JnMCowBQYDK2VwAyEA
+4X/jpRSEXr0/TmIHTOj7FqllkP+3e+ljkAU1FtYnX5ijgZwwgZkwHwYDVR0jBBgw
+FoAUI06SkApIhvYFXf55p3YDOo5w2PgwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz
+d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo
+dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWQyNTUxOS5jcmww
+BQYDK2VwA0EAOjD6PXrI3R8Wj55gstR2FtT0Htu4vV2jCRekts8O0++GNVMn65BX
+8ohW9fH7Ie2JTSOb0wzX+TPuMUAkLutUBA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..9c5a06945
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBljCCAUigAwIBAgIIBrMLy9hl4GQwBQYDK2VwME8xCzAJBgNVBAYTAkNIMRsw
+GQYDVQQKExJzdHJvbmdTd2FuIFByb2plY3QxIzAhBgNVBAMTGnN0cm9uZ1N3YW4g
+RWQyNTUxOSBSb290IENBMB4XDTE2MTIwNDIyMzU1NloXDTI2MTIwNDIyMzU1Nlow
+TzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEG
+A1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5IFJvb3QgQ0EwKjAFBgMrZXADIQAKMO0G
+lvjTLC7k8FoSp78rca3x++nvf9xPACSqnBg5UKNCMEAwDwYDVR0TAQH/BAUwAwEB
+/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFCNOkpAKSIb2BV3+ead2AzqOcNj4
+MAUGAytlcANBAEimNd3OTwM42KM0D+E6nJMHbrGSLA1XAukJDH9w30tzkbQHxTSv
+OPEN02ar1L30xfYVySJhV9i5cE8QkhThcAQ=
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..a35aea01c
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem
new file mode 100644
index 000000000..b83f62c13
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIF8vNpW9TVnEB+DzglbCjuZr+1u84dHRofgHoybGL9j0
+-----END PRIVATE KEY-----
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..12cee0fc6
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16 
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem
new file mode 100644
index 000000000..70af02017
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB8zCCAaWgAwIBAgIBAjAFBgMrZXAwTzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoT
+EnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEGA1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5
+IFJvb3QgQ0EwHhcNMTYxMjA0MjI0MDAyWhcNMjExMjA0MjI0MDAyWjBZMQswCQYD
+VQQGEwJDSDEbMBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MRAwDgYDVQQLEwdF
+ZDI1NTE5MRswGQYDVQQDExJzdW4uc3Ryb25nc3dhbi5vcmcwKjAFBgMrZXADIQBn
+HgUv3QIepihJpxydVVtgTsIqminFnbGSER5ReAaQ+qOBmzCBmDAfBgNVHSMEGDAW
+gBQjTpKQCkiG9gVd/nmndgM6jnDY+DAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dh
+bi5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwEwQQYDVR0fBDowODA2oDSgMoYwaHR0
+cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VkMjU1MTkuY3JsMAUG
+AytlcANBAC27Z6Q7/c21bPb3OfvbdnePhIpgGM3LVBL/0Pj9VOAtUec/Rv2rPNHq
+8C1xtc/jMCsI/NdpXSZCeN0lQgf0mgA=
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..9c5a06945
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBljCCAUigAwIBAgIIBrMLy9hl4GQwBQYDK2VwME8xCzAJBgNVBAYTAkNIMRsw
+GQYDVQQKExJzdHJvbmdTd2FuIFByb2plY3QxIzAhBgNVBAMTGnN0cm9uZ1N3YW4g
+RWQyNTUxOSBSb290IENBMB4XDTE2MTIwNDIyMzU1NloXDTI2MTIwNDIyMzU1Nlow
+TzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEG
+A1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5IFJvb3QgQ0EwKjAFBgMrZXADIQAKMO0G
+lvjTLC7k8FoSp78rca3x++nvf9xPACSqnBg5UKNCMEAwDwYDVR0TAQH/BAUwAwEB
+/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFCNOkpAKSIb2BV3+ead2AzqOcNj4
+MAUGAytlcANBAEimNd3OTwM42KM0D+E6nJMHbrGSLA1XAukJDH9w30tzkbQHxTSv
+OPEN02ar1L30xfYVySJhV9i5cE8QkhThcAQ=
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-ed25519/posttest.dat b/testing/tests/botan/net2net-ed25519/posttest.dat
new file mode 100755
index 000000000..30f6ede76
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/posttest.dat
@@ -0,0 +1,7 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/swanctl/pkcs8/*
+sun::rm /etc/swanctl/pkcs8/*
diff --git a/testing/tests/botan/net2net-ed25519/pretest.dat b/testing/tests/botan/net2net-ed25519/pretest.dat
new file mode 100755
index 000000000..410253e54
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/pretest.dat
@@ -0,0 +1,9 @@
+moon::rm /etc/swanctl/rsa/moonKey.pem
+sun::rm /etc/swanctl/rsa/sunKey.pem
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/botan/net2net-ed25519/test.conf b/testing/tests/botan/net2net-ed25519/test.conf
new file mode 100755
index 000000000..07a3b247a
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/botan/net2net-pkcs12/description.txt b/testing/tests/botan/net2net-pkcs12/description.txt
new file mode 100644
index 000000000..1d40e30f0
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> and an RSA private key stored in
+<b>PKCS12</b> format.
+<p/>
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/botan/net2net-pkcs12/evaltest.dat b/testing/tests/botan/net2net-pkcs12/evaltest.dat
new file mode 100644
index 000000000..bfc7e76f1
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/evaltest.dat
@@ -0,0 +1,5 @@
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1d9a7c08b
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = pem nonce revocation botan x509 curl vici kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12
index 365da741f..365da741f 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12
+++ b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b11cf0f3e
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   pkcs12-moon {
+      file = moonCert.p12
+      secret = "kUqd8O7mzbjXNJKQ"
+   }
+}
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..1d9a7c08b
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = pem nonce revocation botan x509 curl vici kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12
index e2cd2f21d..e2cd2f21d 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12
+++ b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..28c0e87a4
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   pkcs12-sun {
+      file = sunCert.p12
+      secret = "IxjQVCF3JGI+MoPi"
+   }
+}
diff --git a/testing/tests/botan/net2net-pkcs12/posttest.dat b/testing/tests/botan/net2net-pkcs12/posttest.dat
new file mode 100644
index 000000000..9802f442d
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/posttest.dat
@@ -0,0 +1,6 @@
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/swanctl/pkcs12/moonCert.p12
+sun::rm /etc/swanctl/pkcs12/sunCert.p12
diff --git a/testing/tests/botan/net2net-pkcs12/pretest.dat b/testing/tests/botan/net2net-pkcs12/pretest.dat
new file mode 100644
index 000000000..22ffcf949
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/pretest.dat
@@ -0,0 +1,9 @@
+moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem x509ca/strongswanCert.pem
+sun::cd /etc/swanctl; rm rsa/sunKey.pem x509/sunCert.pem x509ca/strongswanCert.pem
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf b/testing/tests/botan/net2net-pkcs12/test.conf
index afa2accbe..87abc763b 100644
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf
+++ b/testing/tests/botan/net2net-pkcs12/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/description.txt b/testing/tests/botan/net2net-sha3-rsa-cert/description.txt
new file mode 100755
index 000000000..2db82a941
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> with signatures consisting of
+<b>RSA-encrypted SHA-3 hashes</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/evaltest.dat b/testing/tests/botan/net2net-sha3-rsa-cert/evaltest.dat
new file mode 100755
index 000000000..4c56d5299
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/evaltest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..51a7747d7
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem x509 revocation constraints pubkey botan random
+}
+
+charon-systemd {
+  load = random nonce pem x509 revocation constraints pubkey botan curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem
new file mode 100644
index 000000000..f24b3ebf3
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4wIBAAKCAYEAnD3x6bsLjwUP9BU0+hDSo28XBn1aM8+UO5n5XnnuQ8CDB+Mq
+pEHgNve71FBD8Gqf2dha5rfRx5HhXbw6BZMCTdUs5oxHsaOl5LGwp8W4G1BSxofV
+T7yzfnmW/+lPER2zJnXbOlVfW8UoEbsAfXpCr/edJvBu10kk1VHjrnMJIDGlNc4N
+Re06DcYSb/7AgRN6umPQr+uRzn5jFXJyROjx00gH89GzZIaNciyiYwaCZFBduByt
+UhaL8RKMA+MxWrB1ICQgE7hITZXvJJg2UuEe+t3lXMSfKoZHyU2sTBtctXan6rf/
+XmC0O3Bf7RTwoFmDvJlApgfpL1QIe8gH1hi/NukTYskm+zWYPkJAzcwCyMmyhZFY
+v0r0pybLWI1hZ8xeTr7MSbtImsvxl8mxwG7wRtWS5BKd0kke/gorCEI8AYZj33NA
+G58iX4+z745z4UNNTDg1bnjB2fTw4c0AD7TOIU76ZskhGKj4J7ZMzeQ5YXLMFRmp
+qn0p9obSqXwg62dXAgMBAAECggGAHb2g3efv5FKHXePniK5JGjkcPe0AjZo20j2V
+/UjidN0hVBAG3ut3PZ9cjqaUuB/ju7j2XLKi6QU4y/n3ZXY9Wwl4GY6cWxEWk/jK
+8rStPe3FQ+s5TItT84A7oQ0NMunfXzPR/kGf/D0ESpO5HSl3pj1RGcdsoehXbY+/
+8kYNd6Zbl2lYl3X3tgV9Hvp0NF2739z+LW5++7qNK9j0LW/WEGzGrr+9ESaXqCMc
+6hKkIWo23MQArf6Ctunb4yWNEIFEDi1r9DzMbZN/lVhDx77Q0KYLH1P31R5rOc1G
+NYXPF4F3CSfUsgd48dB2/1FCTnDJ4PmOU/R1L8jAgnSOroTAYDVzY4DJ7vyKGvIE
+DL7eKlbwOfS5swyANUKgHO6QiHt9WzcNUGpeinTa3wJ4KoAdG+lzDMuiwRFdSRRU
+z7t1ptTf2LuCAtva2daP2SPed+ITg2QB6X4BSQkqR0vPYBQIZAtFjMWH78E2PLrD
+01+LpOj8TBRerd834etDODg4ddiRAoHBAMiYg7hWfChw3SdnmAmkhDAZN80pvsUU
+bzzAiQ5EI59JYMoi/amYyLd6hUK4Z8g4gcdXzBYw9iwJuj8LMpPBZlplAxVnFdId
+23I+GNDmcX2ovOpl6skKy1grNhBigxRUQUGsS9oxrYeuy2VymDzeZPCQmrrhsXk/
+Mac237nncJj2n8I5RtDOoSOFD0+grs7MXs4P+W2HHzWgkN7mBgKeFfUPLI3Kyy3p
+F7tXegtJqIJsXlfZ/fzR40QTy7/VbwAW/wKBwQDHZVDYtYe4YoHKdwtAqs/J08QA
+29fGkM4ZawLNTY4jz9rdtOuBWg0FPAo82x21xlbRQLsaTKzy9O6a3cQ5oaKtKCh/
+XmKCssrnzJsYZYnhkP4f4VXK8nai/9LFo8TWhB8hNy62GGmfXffsqhAIqIqZA02F
+/mOfR6Wrqs7yfzYnJnVsjbR1B2zSiNAYKtk1VtQdGjuagSn/dEyhSCaQRXotXUKX
+SJDzPf/H2mj97Cg+3bCtdE/h//N1/cmV/5QEx6kCgcEAh1ua7oW1bBiUsuVNi5wu
+8sHhjJiRuS0LzsPg9/Z0zyRVorCv2IRXVK/hQl9q8Ilo0VnmRkctphO+UJI+w8Nq
+TK8CwKt55vnsvY83cac+h9uX9tdk8dpN0qX96lp/NvWPv0ADQy3oebkyWLdWESTE
+miwJrPdkqXtCByKZHzoUGbO5o/bAWWBFDdHYvhOgQb1Yb9YJqqXWInrBpxcykQuZ
+p25g0yE3rzgtomXp3boLck6r7r4TjEkZATQWddERAM+DAoHAEW4w6BDOYXbzA6Du
+ceO8sFb7vlt5fFkyOxSYtRu/fi/wYQssvy0BEGEUQAejjD1fX4F6Ga10PPTeWtli
+CuuvTdXB3IiCsgwxIpxHPpW5vOcw39aR6mDRsCQO58oOLfZ0xjGNustdiFntj1m6
+dxdMrl2UjE8VpFneCKiw2I/4SunYv/mPOd/BSpI9Jq+wNzJ07mpZpYL/Cd6/yCWH
+gXshWA/b/1+PlEPqNS1JmlDnn78/b5pIVWhLfxgFZEBoTxapAoHAY/58nLcWpvpY
+3IZC0fBuR7usTACbxr9Z4okHzJUNnoJe+MSE+wQwuE3nP+vc1CrmBSwCjN2wyVLc
+gy3idN77NthU9l0oElrPbGFKdFEaa85IcKtnfnspzmvo9AJn2wveZUAlZAzu2zBN
+vKI8ubXgoS56uHQnNsWOIugTW/P1I8FnlD4jPItaACGJ3yZWolh9g/WOGS29qJvV
+E/6hT4QPPXPZFEnOKO0/3YsMXBwcnEqm2mQ+c4rGMKrTcynk4KaE
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bcc2742f7
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2 
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org 
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16 
+            remote_ts = 10.2.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem
new file mode 100644
index 000000000..bea7e81f8
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEyDCCAzCgAwIBAgIBAjANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzU0N1oXDTI2MDky
+MjEwMzU0N1owWDELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5v
+cmcwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCcPfHpuwuPBQ/0FTT6
+ENKjbxcGfVozz5Q7mfleee5DwIMH4yqkQeA297vUUEPwap/Z2Frmt9HHkeFdvDoF
+kwJN1SzmjEexo6XksbCnxbgbUFLGh9VPvLN+eZb/6U8RHbMmdds6VV9bxSgRuwB9
+ekKv950m8G7XSSTVUeOucwkgMaU1zg1F7ToNxhJv/sCBE3q6Y9Cv65HOfmMVcnJE
+6PHTSAfz0bNkho1yLKJjBoJkUF24HK1SFovxEowD4zFasHUgJCATuEhNle8kmDZS
+4R763eVcxJ8qhkfJTaxMG1y1dqfqt/9eYLQ7cF/tFPCgWYO8mUCmB+kvVAh7yAfW
+GL826RNiySb7NZg+QkDNzALIybKFkVi/SvSnJstYjWFnzF5OvsxJu0iay/GXybHA
+bvBG1ZLkEp3SSR7+CisIQjwBhmPfc0AbnyJfj7PvjnPhQ01MODVueMHZ9PDhzQAP
+tM4hTvpmySEYqPgntkzN5DlhcswVGamqfSn2htKpfCDrZ1cCAwEAAaOBnTCBmjAf
+BgNVHSMEGDAWgBTkyc2M8ohtHacu1155MaVmVTXOAjAeBgNVHREEFzAVghNtb29u
+LnN0cm9uZ3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEIGA1UdHwQ7MDkw
+N6A1oDOGMWh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi1zaGEz
+LXJzYS5jcmwwDQYJYIZIAWUDBAMOBQADggGBAAHZATrdzGmUIq+0+EdA1AbPdcaT
+UDKJvDS30JyOkUnAv5jr63PHyfw+RS92zgE2UyB4+u43BiggBNmTNCjpaEUmViAo
+tdywkzIKm7q3dr0078IZ8LU8Wo+hoeRNkBJOxdgflsSislQYDeTd7syoQ4BW7whs
+jjFK2Lbthd+/33Iw3LMekYuZF7ZUbHY7D3nlBidrmTIQQCvOnsW2lJi/S83FEYzl
+noK+of3eo4Ryg1/428FHts26PxSmnHv+ckj9R4Jf5kH8kd1WhrgDyHQMnihWlUJ2
+pintDBgislbZytqiBOGeYpbpxKl57zHs421wmUs329asu7zgfJFnCynkUgvuRXdc
+gDJ+DAiVaXCJlYnk36P87028SR9/C0JLzHA3O5CcfUdFEUs0BvVe1D3b9kC28rdA
+5V86DFCL+gp6rB+wDtq6YnCddaNk+ZCs/QAPidqOFAytaBBKaagMIFk+wlsFge79
+ZssIfKy33Frluw0HCj0LNs2tjWvG4Ku8xkFO1Q==
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..29ad5b942
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky
+MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD
+QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF
+XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K
+VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC
+R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU
+YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t
+b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx
+Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw
+g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U
+7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n
+LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v
+4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0
+aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt
+YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k
+FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM
+riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2
+Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u
+kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3
+sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..51a7747d7
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem x509 revocation constraints pubkey botan random
+}
+
+charon-systemd {
+  load = random nonce pem x509 revocation constraints pubkey botan curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem
new file mode 100644
index 000000000..a694bbb8f
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4wIBAAKCAYEAuoGEVV6htuzLZd7oeZHYznMbBLffOz2l+t0XqHTUA44eM57K
+ZZMDAcc0gZvZWVFNDmOWpXpxbSQozA8Dgb9b9BYkNWHKW11rwSHq5mzmjBME394p
+DvzdV3tMmSGrhS00EyFWXLnpqrvkNTtiIm6nNHidrqM4ixbXiebOjDi3Z1vIJHOu
+MiUBe8KvZ7p8q4MpRADpEB565NWd+5/Yy4DECepBcmQn+9Pn/6FvdYfodBin9QyO
++7xsgQlnx6XI1HeiMdB6EE8r4AOVbZWseEJkUo/ZhsQk5tIYKZB18vo/8nnAHn6r
+ez+belmo4l/3hctRn8t08Lp7TRxnIUwGL8b8BxtAkR9T09duwE1KRt4h/PsCRx1H
+WKN9g/KsOi8ZPrBiz+hoHhIv+pvQ4ciEuC1Zf6AelEUnI/Rh6RuIkEjuisNk6zL6
+Fi9J2RWDTXY5vJdUTbmQhoQpbmX3yWdJyLn9vLaK/IDhaguYOuiUHKY57jWXZwW/
+bD3a5wi08JLCb0ahAgMBAAECggGALeWxq1Cee2XKqEcy7rf1otiwzXhydyG0twex
+ysL1aeqPhCSPqm+DTey3/y1bT5+yVtgrOo3nW/SKFa2cL1HoTykjv/9QzSswWVb/
+d7VVByOnD3CcqhOQZPby4rxmeV+mcQ7DMg6OcnXKs07p149jloYYR+HjCFeWs1kZ
+e2h5ufXcSxwswipZMxu2DtDV3V9pyFJxCIZ3t9jaCBJOR8ZoeAguEviS3mZHsaEI
+zOOlUOzAaI2uokS8bwThhUBHLAJEe5hglKtu5N1QGUo5x62wIK1+4McKqX5cphvW
+63N5P7yB30hfc1xM9VP/fi5UzmgccNmHl3ErJX6EbHbVNUv0a/wI6cp+s/DQRZMc
+Injr5BJIIFbzmqYST+UxEwtxUL7uV1s/eTXwsFxfQPJnx8rWbeyvGJHU6VykWJ2n
+vHmOItgaw4Lm0iw5XH2g0QC7nYFW6qC5sk7LIS3xUzN73JWjV2Z1E5nLfKxZ9sXz
+aA8WNrMSHUM/KkFaUri1xoH6gdABAoHBAPfA/gcZaoMemP06BIWKwgb/91GRsvc+
+slrmyZy+nq2bQaJw8oYyUmgWfh9X8pD6eVQN7jJBuA3BMg3L4Vn/R65rcwwYKA20
+pHgZF2MbwRlbBDtFQJe8kmwFu+TkHpGcoo94V6MdpbqoRKwQs66WOcjp4vzRLOL0
+ueynDrAPxpOaNIsr66s7xjd01VwEXYlfOfNBpOF/+3vN+O++k45/rnlEWgLeq6ie
+1xkv9vZp4FuNf6gnBXcNhu8aDJvJEMfxnQKBwQDAtqgE9K7Rhq9ht8w8P+QZUGYL
+c8mL4IGsPgmucuuheeWpmvLuAhsTxWBQhrO8/eEK4je+li6R/x0HYqgytsnOxlQH
+xH8ZsvouPtacUF9pv8x7GLnGlvdxdQzmnjYqR5MzFEX/L8+8skiyY95V/kNiWE/T
+X/Q8JgqyQ7VlykHtaToYchEhgY2m2Zxw6YhrI/ghtlP6NwOJDYsFxe7cfVvBQj9K
+qtwAidr8pKSLyJFaot+dAdSqAYZxiO90aSt/i9UCgcEAjzv7YR1Xj+CjsFrXfGFB
+VYysbnMelYSg1p7w1nb6BAJrir9j5yO2ssi2N+a/rQOyG19GY7XM897K0mEZss88
+oOEsDUT1+x6Bq5FODRVhqQgOxTl/Y3o46MzT2TvtVF/LN8jqWbptMyHPOe8aAoiF
+dduKSIGiQsAbsW7PtggY1QLk98T3pfKT4UHhjCZV8XKlbTZ5XYmBWg01q11xr4Ov
+2hojM9+KPJ1AXCZ3z/RcKnH+6LdOmIqwhRF5UqOG2SGdAoHAEA+pFTCnWUMWXtiI
+pwTUJ9/xgUbXJ1dAt3A8MlPVm5GjOG13jaqTQySSEGQJmti15shPyQyPOQ/ABZuN
+VRyy2Q7idftEdIncG/qUvFZefVvE2QWIhiqS2NvehWHuNbvdYsZvxwLfF2TsdiGo
+qBYW251smbtHibPJ9G18Ms2WjQjWFK99CgPYIG3GggqUmglXZsfhW9s16jg8u/Bx
+JeM0wHia+cgfqdPTcnbuV9ARfTJR3K4IYVrbL58wBc22GF05AoHAQvhfvtieWCJ8
+ATqOBjOcUHJ2WLiOslWsYOoqXy7v2YuVt8XFWAWZmLlzcC+8Tv79lCLpOmpiseQw
+kP9Mihi+8T15AmRUUsPREeGb7wCDNbd/KixPimhnelNGPNAV+6DPonSa4WcF9jZk
+nDa51PBPWCEPB5GHdbg/E5yiWMbr63bcTQNZxlRDaljNSRPp8xprs+JT1AIZI2wq
+hEyK6IMjYIj80jB8JZIM7nNgRhzCKCo7RdR3JMb5tduOgzvEheC3
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..12cee0fc6
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16 
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem
new file mode 100644
index 000000000..f1c086ee9
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIExjCCAy6gAwIBAgIBATANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzUzMFoXDTI2MDky
+MjEwMzUzMFowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2FuLm9y
+ZzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALqBhFVeobbsy2Xe6HmR
+2M5zGwS33zs9pfrdF6h01AOOHjOeymWTAwHHNIGb2VlRTQ5jlqV6cW0kKMwPA4G/
+W/QWJDVhyltda8Eh6uZs5owTBN/eKQ783Vd7TJkhq4UtNBMhVly56aq75DU7YiJu
+pzR4na6jOIsW14nmzow4t2dbyCRzrjIlAXvCr2e6fKuDKUQA6RAeeuTVnfuf2MuA
+xAnqQXJkJ/vT5/+hb3WH6HQYp/UMjvu8bIEJZ8elyNR3ojHQehBPK+ADlW2VrHhC
+ZFKP2YbEJObSGCmQdfL6P/J5wB5+q3s/m3pZqOJf94XLUZ/LdPC6e00cZyFMBi/G
+/AcbQJEfU9PXbsBNSkbeIfz7AkcdR1ijfYPyrDovGT6wYs/oaB4SL/qb0OHIhLgt
+WX+gHpRFJyP0YekbiJBI7orDZOsy+hYvSdkVg012ObyXVE25kIaEKW5l98lnSci5
+/by2ivyA4WoLmDrolBymOe41l2cFv2w92ucItPCSwm9GoQIDAQABo4GcMIGZMB8G
+A1UdIwQYMBaAFOTJzYzyiG0dpy7XXnkxpWZVNc4CMB0GA1UdEQQWMBSCEnN1bi5z
+dHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBCBgNVHR8EOzA5MDeg
+NaAzhjFodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4tc2hhMy1y
+c2EuY3JsMA0GCWCGSAFlAwQDDgUAA4IBgQACXiUqwisoOZUH3CPfi+aGaluK3mO7
+nj/gX5X9oE2JC3haWjbnC9fsKai72U8makp12xCpWjHsuiytVlXiiSCRxBGAaFm0
+cy2AI4Ttj+4+GAaI4BkqYBTApdSSXXUH3X4Lwb4LReX+16TsJ4E+d2U/j70gyGRK
+F/KgkKj/Bi4F//4/uXHPbgp2istKmkQ4wlcUb5EdM0tUiAUwYGMhdUhSryq4+7y8
+1QaPGg0Zv3nvGgoj332BOczflmNzoonXcihZk97iMRc/TvBOoizvuH9COCSbw/AB
+hnVG1lyTQjBAcE2U4MP5yUVuIqBgPnKtbyN3gf30Iq3g/ThVekchrYGO3PWMWAzS
+ecfr2yN11BC6nDca039Yub41AuzQqBQR1gY5sHouXNTx4Bs0g4xk+3rGa8MMgI0+
+jXhDVAorQFYuACDuto6skRtkcmXJ/1psvVEv5dcKAHdZCNKkgtXe2XoVvrjNxnPw
+MTVros8o+8Bz2R4qArLjwrZtvYI+czZx6dk=
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..29ad5b942
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky
+MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD
+QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF
+XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K
+VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC
+R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU
+YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t
+b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx
+Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw
+g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U
+7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n
+LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v
+4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0
+aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt
+YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k
+FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM
+riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2
+Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u
+kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3
+sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/posttest.dat b/testing/tests/botan/net2net-sha3-rsa-cert/posttest.dat
new file mode 100755
index 000000000..755f0e5f8
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/pretest.dat b/testing/tests/botan/net2net-sha3-rsa-cert/pretest.dat
new file mode 100755
index 000000000..9440ddab0
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/test.conf b/testing/tests/botan/net2net-sha3-rsa-cert/test.conf
new file mode 100755
index 000000000..07a3b247a
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..b2072d1f4
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
\ No newline at end of file
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..07178dc5e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,56 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  suffix
+  files
+  eap {
+    ok = return
+  }
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..4fb07b912
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
index b4c7637ac..377aedf1b 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
@@ -1,6 +1,6 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 moon::expect-connection rw
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..27a42d00f
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,53 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  suffix
+  files
+  pap
+}
+
+authenticate {
+  Auth-Type PAP {
+    pap
+  }
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+}
+
+}
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..4fb07b912
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
index b4c7637ac..377aedf1b 100644
--- a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
@@ -1,6 +1,6 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 moon::expect-connection rw
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf
deleted file mode 100644
index 0340d5669..000000000
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-subnet 10.1.0.0 netmask 255.255.0.0 {
-  option routers 10.1.0.1;
-  option broadcast-address 10.1.255.255;
-  option domain-name servers PH_IP_WINNETOU PH_IP_VENUS
-  option netbios-name-servers PH_IP_VENUS;
-
-  # dynamic address pool for visitors
-  range 10.1.0.30 10.1.0.50;
-}
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf
deleted file mode 100644
index 0340d5669..000000000
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-subnet 10.1.0.0 netmask 255.255.0.0 {
-  option routers 10.1.0.1;
-  option broadcast-address 10.1.255.255;
-  option domain-name servers PH_IP_WINNETOU PH_IP_VENUS
-  option netbios-name-servers PH_IP_VENUS;
-
-  # dynamic address pool for visitors
-  range 10.1.0.30 10.1.0.50;
-}
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf
deleted file mode 100644
index 0340d5669..000000000
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-subnet 10.1.0.0 netmask 255.255.0.0 {
-  option routers 10.1.0.1;
-  option broadcast-address 10.1.255.255;
-  option domain-name servers PH_IP_WINNETOU PH_IP_VENUS
-  option netbios-name-servers PH_IP_VENUS;
-
-  # dynamic address pool for visitors
-  range 10.1.0.30 10.1.0.50;
-}
diff --git a/testing/tests/ikev2/host2host-cert/description.txt b/testing/tests/ikev2/host2host-cert/description.txt
index 6be21bf8f..876aa7980 100644
--- a/testing/tests/ikev2/host2host-cert/description.txt
+++ b/testing/tests/ikev2/host2host-cert/description.txt
@@ -1,4 +1,6 @@
 A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
-The authentication is based on X.509 certificates. <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
+The authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat
index 7e343efa5..dcf573b59 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat
@@ -6,4 +6,4 @@ carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
 carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
 carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
 carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
index 7e343efa5..dcf573b59 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
@@ -6,4 +6,4 @@ carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
 carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
 carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
 carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2057b5193
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  files
+  eap {
+    ok = return
+  }
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..aa6f98076
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+228060123456001	EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+228060123456002	EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
deleted file mode 100644
index 10c26aa15..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
+++ /dev/null
@@ -1,3 +0,0 @@
-sim_files {
-	simtriplets = "/etc/freeradius/triplets.dat"
-}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
index 91425f812..2968646e5 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
@@ -2,13 +2,23 @@ authorize {
   preprocess
   chap
   mschap
-  sim_files
   suffix
+  files
+  update reply {
+    EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+    EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+    EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+    EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+    EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+    EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+    EAP-Sim-KC1   := "%{control:EAP-Sim-KC1}"
+    EAP-Sim-KC2   := "%{control:EAP-Sim-KC2}"
+    EAP-Sim-KC3   := "%{control:EAP-Sim-KC3}"
+  }
   eap {
     ok = return
   }
   unix
-  files
   expiration
   logintime
   pap
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
deleted file mode 100644
index aaabab89e..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
-228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
-228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
-228060123456002,33000000000000000000000000000000,33112233,335566778899AABB
-228060123456002,34000000000000000000000000000000,34112233,345566778899AABB
-228060123456002,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
index e69de29bb..aa6f98076 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+228060123456001	EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+228060123456002	EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
index 6a4da6631..4069be9ce 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
index 9ffd27f1e..f3fdfe6ff 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
@@ -1,10 +1,6 @@
-alice::cat /etc/freeradius/clients.conf
-alice::cat /etc/freeradius/eap.conf
-alice::cat /etc/freeradius/proxy.conf
-alice::cat /etc/freeradius/triplets.dat
 carol::cat /etc/ipsec.d/triplets.dat
 dave::cat /etc/ipsec.d/triplets.dat
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/nat-rw-psk/description.txt b/testing/tests/ikev2/nat-rw-psk/description.txt
index c74897d9a..9bef3cd18 100644
--- a/testing/tests/ikev2/nat-rw-psk/description.txt
+++ b/testing/tests/ikev2/nat-rw-psk/description.txt
@@ -1,6 +1,7 @@
 The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
 tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
-Both roadwarriors share the same Pre-Shared Key (PSK) with the gateway <b>sun</b>.
+Each roadwarrior shares its own Pre-Shared Key (PSK) with the gateway <b>sun</b>.
+<p/>
 <b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
 the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
 ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-rw/description.txt b/testing/tests/ikev2/nat-rw/description.txt
index dcf4b94bd..58b28bad2 100644
--- a/testing/tests/ikev2/nat-rw/description.txt
+++ b/testing/tests/ikev2/nat-rw/description.txt
@@ -1,5 +1,7 @@
 The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
 tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Authentication is based on X.509 certificates.
+<p/>
 <b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
 the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
 ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-psk/description.txt b/testing/tests/ikev2/net2net-psk/description.txt
index 02cddbb83..07320d731 100644
--- a/testing/tests/ikev2/net2net-psk/description.txt
+++ b/testing/tests/ikev2/net2net-psk/description.txt
@@ -1,6 +1,7 @@
 A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>Preshared Keys</b> (PSK). Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+The authentication is based on <b>Preshared Keys</b> (PSK).
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
 inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
 pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt b/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt
index 6d886024b..893a27230 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt
@@ -1,9 +1,11 @@
-at the outset the gateway authenticates itself to the client by sending an
-IKEv2 <b>RSA signature</b> accompanied by a certificate.
 The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with the <i>Authentication and Key Agreement</i> protocol
-(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
-in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method used in UMTS, but here a secret defined in <b>ipsec.secrets</b>
+is used instead of a USIM/(R)UIM device.
+<p/>
 In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior <b>carol</b>
 uses the EAP identity <b>carol</b>.
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/description.txt b/testing/tests/ikev2/rw-eap-aka-rsa/description.txt
index 1277081b9..da5b72735 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/description.txt
@@ -1,7 +1,8 @@
 The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with the <i>Authentication and Key Agreement</i> protocol
-(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
-in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
-Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
-against <b>carol</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method used in UMTS, but here a secret defined in <b>ipsec.secrets</b>
+is used instead of a USIM/(R)UIM device.
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..1dc69d90d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  eap {
+    ok = return
+  }
+  files
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..ba92f0080
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,4 @@
+carol	Cleartext-Password := "Ar3etTnp"
+		Framed-IP-Address = 10.3.0.1
+dave	Cleartext-Password := "W7R0g3do"
+		Framed-IP-Address = 10.3.0.2
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
index fa2d7eeb9..c98e8ed53 100644
--- a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..1dc69d90d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  eap {
+    ok = return
+  }
+  files
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..62d459115
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,4 @@
+carol	Cleartext-Password := "Ar3etTnp"
+		Class = "Research"
+dave	Cleartext-Password := "W7R0g3do"
+		Class = "Accounting"
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
index 303139615..e63c57e72 100644
--- a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..1dc69d90d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  eap {
+    ok = return
+  }
+  files
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
index b27673c6d..012323f8f 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
@@ -1,6 +1,6 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 moon::expect-connection rw-eap
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  suffix
+  eap {
+    ok = return
+  }
+  files
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
index b27673c6d..012323f8f 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
@@ -1,6 +1,6 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 moon::expect-connection rw-eap
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/description.txt b/testing/tests/ikev2/rw-eap-md5-rsa/description.txt
index d376ee5a8..08fd89b65 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/description.txt
@@ -1,7 +1,7 @@
 The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with an  <i>MD5</i> challenge and response protocol
-(<b>EAP-MD5</b>) to authenticate against the gateway. The user password
-is kept in <b>ipsec.secrets</b> on both gateway and client 
-Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
-against <b>carol</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>MD5</i> (<b>EAP-MD5</b>) method of the
+<i>Extensible Authentication Protocol</i> to authenticate herself.
+
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt
index 4feadff4c..95afc08b5 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt
@@ -1,8 +1,10 @@
 The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with the <i>Microsoft CHAP version 2</i> protocol
-(<b>EAP-MSCHAPV2</b>) to authenticate against the gateway. This protocol is used
-e.g. by the Windows 7 Agile VPN client.
-In addition to her IKEv2 identity <b>PH_IP_CAROL</b>, roadwarrior <b>carol</b>
-uses the EAP identy <b>carol</b>. Gateway <b>moon</b> additionally uses an <b>RSA signature</b>
-to authenticate itself against <b>carol</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Microsoft CHAP version 2</i> (<b>EAP-MSCHAPV2</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method is used e.g. by the Windows 7/8/10 Agile VPN client.
+<p/>
+In addition to her IKEv2 identity which defaults to her IP address,
+roadwarrior <b>carol</b> uses the EAP identity <b>carol</b>.
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..0ae8befe4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,21 @@
+eap {
+  md5 {
+  }
+  default_eap_type = peap
+
+  tls-config tls-common {
+    private_key_file = ${certdir}/aaaKey.pem
+    certificate_file = ${certdir}/aaaCert.pem
+    ca_file = ${cadir}/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = ${certdir}/dh
+    random_file = ${certdir}/random
+  }
+
+  peap {
+    tls = tls-common
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  suffix
+  eap {
+    ok = return
+  }
+  files
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..6ce9d6391
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
@@ -0,0 +1,38 @@
+server inner-tunnel {
+
+authorize {
+  filter_username
+  suffix
+  eap {
+    ok = return
+  }
+  files
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    update outer.session-state {
+      &Module-Failure-Message := &request:Module-Failure-Message
+    }
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
index fa2d7eeb9..c98e8ed53 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt
index 0531a559f..41abb363c 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt
@@ -1,13 +1,13 @@
 The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
 At the outset the gateway authenticates itself to the client by sending
-an IKEv2 <b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
-in association with a <i>GSM Subscriber Identity Module</i>
-(<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
-In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
-are used instead of a physical SIM card on the client <b>carol</b> and
-the gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
 which also uses static triplets. In addition to her IKEv2 identity
 <b>carol@strongswan.org</b>, roadwarrior <b>carol</b> uses the EAP
 identity <b>228060123456001</b>.
-
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2057b5193
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  files
+  eap {
+    ok = return
+  }
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..1c281a974
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+228060123456001	EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files
deleted file mode 100644
index 10c26aa15..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files
+++ /dev/null
@@ -1,3 +0,0 @@
-sim_files {
-	simtriplets = "/etc/freeradius/triplets.dat"
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
index 893529324..1dc666992 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -1,5 +1,16 @@
 authorize {
-  sim_files
+  files
+  update reply {
+    EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+    EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+    EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+    EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+    EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+    EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+    EAP-Sim-KC1   := "%{control:EAP-Sim-KC1}"
+    EAP-Sim-KC2   := "%{control:EAP-Sim-KC2}"
+    EAP-Sim-KC3   := "%{control:EAP-Sim-KC3}"
+  }
   eap {
     ok = return
   }
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
index e69de29bb..1c281a974 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+228060123456001	EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
index 122ee2283..53aa83f0c 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
@@ -1,8 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-alice::cat /etc/freeradius/triplets.dat
 carol::cat /etc/ipsec.d/triplets.dat
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 moon::expect-connection rw-eap
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt
index d50175664..26de3c982 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt
@@ -1,14 +1,15 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The gateway <b>moon</b> does not send an AUTH payload thus signalling
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+At the outset the gateway does not send an AUTH payload thus signalling
 a mutual <b>EAP-only</b> authentication.
-<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
-in association with a <i>GSM Subscriber Identity Module</i>
-(<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
-In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
-are used instead of a physical SIM card on the client <b>carol</b>.
+<p/>
+Next the clients use the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate themselves.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
 The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
-which also uses a static triplets file.
-<p>
+which also uses static triplets.
+<p/>
 The roadwarrior <b>dave</b> sends wrong EAP-SIM triplets. As a consequence
-the radius server <b>alice</b> returns an <b>Access-Reject</b> message
-and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>. 	
+the RADIUS server <b>alice</b> returns an <b>Access-Reject</b> message
+and the gateway <b>moon</b> sends back <b>EAP_FAILURE</b>.
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..71fa4f18c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  suffix
+  files
+  eap {
+    ok = return
+  }
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol@strongswan.org	EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org	EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files
deleted file mode 100644
index 10c26aa15..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files
+++ /dev/null
@@ -1,3 +0,0 @@
-sim_files {
-	simtriplets = "/etc/freeradius/triplets.dat"
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
index fbdf75f4c..8d68b81fc 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -1,6 +1,17 @@
 authorize {
-  sim_files
+  files
   suffix
+  update reply {
+    EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+    EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+    EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+    EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+    EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+    EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+    EAP-Sim-KC1   := "%{control:EAP-Sim-KC1}"
+    EAP-Sim-KC2   := "%{control:EAP-Sim-KC2}"
+    EAP-Sim-KC3   := "%{control:EAP-Sim-KC3}"
+  }
   eap {
     ok = return
   }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
index e69de29bb..a74267d30 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol@strongswan.org	EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org	EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
index 9614686c2..04b824def 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
@@ -7,10 +7,9 @@ dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-alice::cat /etc/freeradius/triplets.dat
 carol::cat /etc/ipsec.d/triplets.dat
 dave::cat /etc/ipsec.d/triplets.dat
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-radius/description.txt
index 6c3c71987..5cb1bacdc 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-sim-radius/description.txt
@@ -1,14 +1,15 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the client by sending
-an IKEv2 <b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
-in association with a <i>GSM Subscriber Identity Module</i>
-(<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
-In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
-are used instead of a physical SIM card on the client <b>carol</b>.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next the clients use the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate themselves.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
 The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
-which also uses a static triplets file.
-<p>
+which also uses static triplets.
+<p/>
 The roadwarrior <b>dave</b> sends wrong EAP-SIM triplets. As a consequence
-the radius server <b>alice</b> returns an <b>Access-Reject</b> message
-and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>. 	
+the RADIUS server <b>alice</b> returns an <b>Access-Reject</b> message
+and the gateway <b>moon</b> sends back <b>EAP_FAILURE</b>.
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..71fa4f18c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  suffix
+  files
+  eap {
+    ok = return
+  }
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol@strongswan.org	EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org	EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files
deleted file mode 100644
index 10c26aa15..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files
+++ /dev/null
@@ -1,3 +0,0 @@
-sim_files {
-	simtriplets = "/etc/freeradius/triplets.dat"
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
index 91425f812..51b64a74b 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -2,8 +2,19 @@ authorize {
   preprocess
   chap
   mschap
-  sim_files
+  files
   suffix
+  update reply {
+    EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+    EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+    EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+    EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+    EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+    EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+    EAP-Sim-KC1   := "%{control:EAP-Sim-KC1}"
+    EAP-Sim-KC2   := "%{control:EAP-Sim-KC2}"
+    EAP-Sim-KC3   := "%{control:EAP-Sim-KC3}"
+  }
   eap {
     ok = return
   }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
index e69de29bb..a74267d30 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol@strongswan.org	EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org	EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
index 52d5962f4..e171997bc 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
@@ -1,13 +1,9 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-alice::cat /etc/freeradius/clients.conf
-alice::cat /etc/freeradius/eap.conf
-alice::cat /etc/freeradius/proxy.conf
-alice::cat /etc/freeradius/triplets.dat
 carol::cat /etc/ipsec.d/triplets.dat
 dave::cat /etc/ipsec.d/triplets.dat
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/description.txt b/testing/tests/ikev2/rw-eap-sim-rsa/description.txt
index 686241809..4401e679f 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/description.txt
@@ -1,7 +1,8 @@
 The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with a GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
-to authenticate against the gateway. In this scenario triplets from the file
-<b>/etc/ipsec.d/triplets.dat</b> are used instead of a physical SIM card.
-Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate
-itself against <b>carol</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..e8670dbb7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,16 @@
+eap {
+  default_eap_type = tls
+
+  tls-config tls-common {
+    private_key_file = ${certdir}/aaaKey.pem
+    certificate_file = ${certdir}/aaaCert.pem
+    ca_file = ${cadir}/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = ${certdir}/dh
+    random_file = ${certdir}/random
+  }
+
+  tls {
+    tls = tls-common
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..060702784
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,55 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  eap {
+    ok = return
+  }
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
index ef5666914..6907b7657 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
@@ -9,7 +9,3 @@ charon {
     }
   }
 }
-
-libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
index b27673c6d..012323f8f 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
@@ -1,6 +1,6 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 moon::expect-connection rw-eap
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 576d2cb99..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
-	rightauth=any
-	rightsubnet=10.1.0.0/16
-	rightsendcert=never
-	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index fa1febe0f..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
-  multiple_authentication=no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index ba52ec31e..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
-	rightauth=any
-	rightsubnet=10.1.0.0/16
-	rightsendcert=never
-	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index d5631a9f5..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "UgaM65Va"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index fa1febe0f..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
-  multiple_authentication=no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 738481257..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftcert=moonCert.pem
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightsendcert=never
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 0ff7725ca..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
-  multiple_authentication=no
-
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-  plugins {
-    eap-ttls {
-      phase2_method = md5
-      phase2_piggyback = yes
-   }
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
deleted file mode 100644
index 1865a1c60..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
deleted file mode 100644
index dccf85419..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7450c71c4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,21 @@
+eap {
+  md5 {
+  }
+  default_eap_type = ttls
+
+  tls-config tls-common {
+    private_key_file = ${certdir}/aaaKey.pem
+    certificate_file = ${certdir}/aaaCert.pem
+    ca_file = ${cadir}/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = ${certdir}/dh
+    random_file = ${certdir}/random
+  }
+
+  ttls {
+    tls = tls-common
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  suffix
+  eap {
+    ok = return
+  }
+  files
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..6ce9d6391
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
@@ -0,0 +1,38 @@
+server inner-tunnel {
+
+authorize {
+  filter_username
+  suffix
+  eap {
+    ok = return
+  }
+  files
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    update outer.session-state {
+      &Module-Failure-Message := &request:Module-Failure-Message
+    }
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
index fa2d7eeb9..c98e8ed53 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..dafe7f052
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,64 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+listen {
+  type = acct
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  eap {
+    ok = return
+  }
+  files
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-radius-accounting/posttest.dat b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
index 98f7a6954..66416eb28 100644
--- a/testing/tests/ikev2/rw-radius-accounting/posttest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
@@ -1,6 +1,6 @@
 carol::ipsec stop
 moon::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*
 carol::iptables-restore < /etc/iptables.flush
 moon::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-radius-accounting/pretest.dat b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
index 7ec7c1226..d3c345200 100644
--- a/testing/tests/ikev2/rw-radius-accounting/pretest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 alice::rm /var/log/freeradius/radacct/PH_IP_MOON1/*
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 moon::expect-connection rw-eap
diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat
index 186ce4e06..c792f3a7e 100644
--- a/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
 sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat
index 186ce4e06..c792f3a7e 100644
--- a/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
 sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat
index 4cf23a31b..d2db56eb8 100644
--- a/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat
index 4cf23a31b..d2db56eb8 100644
--- a/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat
index 803cf5ef5..5fef8bbb1 100644
--- a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun::  ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat
index 803cf5ef5..5fef8bbb1 100644
--- a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun::  ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat
index 0e125b70e..c3bbe341f 100644
--- a/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat
index 0e125b70e..c3bbe341f 100644
--- a/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat
index f6dc9aa3e..5178076a3 100644
--- a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat
index f6dc9aa3e..5178076a3 100644
--- a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat
index 16982a736..52e4bf623 100644
--- a/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat
index 16982a736..52e4bf623 100644
--- a/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat
index 5ae9d2c12..7a6fc302e 100644
--- a/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat
@@ -4,6 +4,6 @@ moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
 sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
 moon::ip xfrm state::mode transport::YES
 sun:: ip xfrm state::mode transport::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat
index 0dfba54ea..6e6de5e96 100644
--- a/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat
@@ -5,6 +5,6 @@ sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
 moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES
 moon::ip xfrm state::mode transport::YES
 sun:: ip xfrm state::mode transport::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/host2host-ikev1/evaltest.dat b/testing/tests/ipv6/host2host-ikev1/evaltest.dat
index ef6ec2b98..b7b92d020 100644
--- a/testing/tests/ipv6/host2host-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/host2host-ikev1/evaltest.dat
@@ -1,4 +1,4 @@
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
 moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES
 sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/host2host-ikev2/evaltest.dat b/testing/tests/ipv6/host2host-ikev2/evaltest.dat
index 23add7ae5..f3068ce8b 100644
--- a/testing/tests/ipv6/host2host-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/host2host-ikev2/evaltest.dat
@@ -1,4 +1,4 @@
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
 moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES
 sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ikev1/evaltest.dat
index 877459c88..bbf6c2ea3 100644
--- a/testing/tests/ipv6/net2net-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ikev1/evaltest.dat
@@ -1,4 +1,4 @@
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
 moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
 sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ikev2/evaltest.dat
index a3e2bad94..97e0de01c 100644
--- a/testing/tests/ipv6/net2net-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ikev2/evaltest.dat
@@ -1,4 +1,4 @@
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
 moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
 sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
index 591e2da59..f85d6127f 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
@@ -1,4 +1,4 @@
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
 moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
 sun::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
index 2ee553a61..b776ea938 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
@@ -1,4 +1,4 @@
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
 moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
 sun::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat
index 72dade743..21569bdaa 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat
@@ -1,6 +1,6 @@
 moon:: cat /var/log/daemon.log::TS fec2:\:/16 is contained in address block constraint fec2:\:/16::YES
 sun::  cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
 moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
 sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/rw-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ikev1/evaltest.dat
index 1202a99d2..a199765a0 100644
--- a/testing/tests/ipv6/rw-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/rw-ikev1/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-port=500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
 dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
 moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
diff --git a/testing/tests/ipv6/rw-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ikev2/evaltest.dat
index d5d5a6b1c..aa450e296 100644
--- a/testing/tests/ipv6/rw-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/rw-ikev2/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
 dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
 moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat
index 026235171..394521b25 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16]::YES
 dave::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16]::YES
 moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128]::YES
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat
index dd120f524..f4c8851c0 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16]::YES
 dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16]::YES
 moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128]::YES
diff --git a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat
index e92aa028d..5009bf41f 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat
@@ -1,6 +1,6 @@
 
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-port=500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
 dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
 moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
diff --git a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat
index ce79801ec..b748003e8 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
 dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
 moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=4500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat
index 082416d60..9016ba473 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat
@@ -2,8 +2,8 @@ moon:: cat /var/log/daemon.log::TS fec0:\:10/128 is contained in address block c
 moon:: cat /var/log/daemon.log::TS fec0:\:20/128 is contained in address block constraint fec0:\:20/128::YES
 carol::cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
 dave:: cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
 dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
 moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
diff --git a/testing/tests/ipv6/transport-ikev1/evaltest.dat b/testing/tests/ipv6/transport-ikev1/evaltest.dat
index 736425d36..659ca42ab 100644
--- a/testing/tests/ipv6/transport-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/transport-ikev1/evaltest.dat
@@ -1,6 +1,6 @@
 moon::ip xfrm state::mode transport::YES
 sun:: ip xfrm state::mode transport::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
 moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES
 sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/transport-ikev2/evaltest.dat b/testing/tests/ipv6/transport-ikev2/evaltest.dat
index 48ddcd069..a754598f9 100644
--- a/testing/tests/ipv6/transport-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/transport-ikev2/evaltest.dat
@@ -1,6 +1,6 @@
 moon::ip xfrm state::mode transport::YES
 sun:: ip xfrm state::mode transport::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
 moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES
 sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat b/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat
index e9a30b9ac..cdb8ead3c 100644
--- a/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat
+++ b/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat
@@ -1,4 +1,4 @@
-alice::ping6 -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef ip6-bob.strongswan.org::8192 bytes from ip6-bob.strongswan.org: icmp_seq=3::YES
+alice::ping6 -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef ip6-bob.strongswan.org::8192 bytes from ip6-bob.strongswan.org.*: icmp_seq=3::YES
 moon ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec1::/16\[ipv6-icmp]] remote-ts=\[fec2::/16\[ipv6-icmp]]::YES
 sun  ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec2::/16\[ipv6-icmp]] remote-ts=\[fec1::/16\[ipv6-icmp]]::YES
 sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
diff --git a/testing/tests/openssl-ikev1/alg-camellia/description.txt b/testing/tests/openssl-ikev1/alg-camellia/description.txt
index b3515c333..4b8eeb87e 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/description.txt
+++ b/testing/tests/openssl-ikev1/alg-camellia/description.txt
@@ -1,4 +1,3 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 /
-HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as
-the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b>
-in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite
+<b>camellia256-sha512-modp3072</b> as well as the ESP cipher suite <b>camellia192-sha384</b>.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
index 937860593..68edc54b7 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
@@ -1,10 +1,6 @@
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
-carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon:: ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 4628311d4..000000000
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=camellia256-sha512-modp3072!
-	esp=camellia192-sha384!
-
-conn home
-	left=PH_IP_CAROL
-	leftfirewall=yes
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add 
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
index 976544b24..a322670f4 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bdde28391
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = camellia192-sha384
+         }
+      }
+      version = 1
+      proposals = camellia256-sha512-modp3072
+   }
+}
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index da1fbf06b..000000000
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=camellia256-sha512-modp3072!
-	esp=camellia192-sha384!
-
-conn rw
-	left=PH_IP_MOON
-	leftfirewall=yes
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
index 976544b24..a322670f4 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..116e06c26
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = camellia192-sha384
+         }
+      }
+      version = 1
+      proposals = camellia256-sha512-modp3072
+   }
+}
diff --git a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
index 046d4cfdc..2b00bea8e 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
index e34f70277..ae2c30429 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection net
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev1/alg-camellia/test.conf b/testing/tests/openssl-ikev1/alg-camellia/test.conf
index 4a5fc470f..307c7e9cc 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
index a1f31495d..773e43a35 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
@@ -1,17 +1,17 @@
 The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
 plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
 certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
 plugin for the Elliptic Curve Diffie-Hellman groups only.
 <p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
 <b>carol</b> proposes the DH groups ECP_256 and ECP_384 whereas <b>dave</b> proposes
 ECP_256 and ECP_521. Since <b>moon</b> does not support ECP_256 the roadwarriors
 fall back to ECP_384 and ECP_521, respectively.
 <p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
 the client <b>alice</b> behind the gateway <b>moon</b>.
 
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
index 553c79451..2cc3382df 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
@@ -1,15 +1,9 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 2ed83f06a..000000000
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes128-sha256-ecp256,aes192-sha384-ecp384!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..3ed559068
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256,aes192gcm16-ecp384
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-ecp256,aes192-sha384-ecp384
+   }
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 105ec3ce4..000000000
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes128-sha256-ecp256,aes256-sha512-ecp521!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
index fde691e96..5b59e8d55 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b5a2be9e8
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256,aes256gcm16-ecp521
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-ecp256,aes256-sha512-ecp521
+   }
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 0a312b394..000000000
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes192-sha384-ecp384,aes256-sha512-ecp521!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7c5b3080d
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes192gcm16-ecp384,aes256gcm16-ecp521
+         }
+      }
+      version = 1
+      proposals = aes192-sha384-ecp384,aes256-sha512-ecp521
+   }
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
@@ -1,11 +1,11 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
index 84b6eb4bf..c365455d0 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
@@ -1,17 +1,17 @@
 The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
 certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes des sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
 plugin for the Elliptic Curve Diffie-Hellman groups only.
 <p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
 <b>carol</b> proposes the DH groups ECP_192 and ECP_224 whereas <b>dave</b> proposes
 ECP_192 and ECP_256. Since <b>moon</b> does not support ECP_192 the roadwarriors
 fall back to ECP_224 and ECP_256, respectively.
 <p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
 the client <b>alice</b> behind the gateway <b>moon</b>.
 
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
index 327d63bf8..183f5e97f 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
@@ -1,17 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 6fe17a9ee..000000000
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes192-sha384-ecp192,3des-sha256-ecp224!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..013e6b1bc
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = 3des-sha1-ecp192,3des-sha256-ecp224
+         }
+      }
+      version = 1
+      proposals = 3des-sha1-ecp192,3des-sha256-ecp224
+   }
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index ade897727..000000000
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes192-sha384-ecp192,aes128-sha256-ecp256!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
index fde691e96..6c9cf718d 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..4f5c016c2
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = 3des-sha1-ecp192,aes128gcm16-ecp256
+         }
+      }
+      version = 1
+      proposals = 3des-sha1-ecp192,aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 3992b52fb..000000000
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-sha256-ecp224,aes128-sha256-ecp256!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..417ad0508
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = 3des-sha256-ecp224,aes128gcm16-ecp256
+         }
+      }
+      version = 1
+      proposals = 3des-sha256-ecp224,aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
@@ -1,11 +1,11 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/description.txt b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt
index 4f855eb1a..3bbcdfa32 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/description.txt
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt
@@ -1,11 +1,12 @@
 The hosts <b>carol</b>, <b>dave</b>, and <b>moon</b> use the <b>openssl</b> plugin
 based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate functions.
 <p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
 to gateway <b>moon</b>. The authentication is based on <b>ECDSA signatures</b>
 using <b>Elliptic Curve certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+</p>
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
 the client <b>alice</b> behind the gateway <b>moon</b>.
 
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
index 9a8516dad..2127b2bf4 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
@@ -1,11 +1,3 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon:: cat /var/log/daemon.log::looking for ECDSA-256 signature peer configs matching.*carol@strongswan.org::YES
 moon:: cat /var/log/daemon.log::looking for ECDSA-384 signature peer configs matching.*dave@strongswan.org::YES
 moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_NULL successful::YES
@@ -14,6 +6,10 @@ carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECD
 dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_NULL successful::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 1527867c7..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes128-sha256-ecp256!
-	esp=aes128gcm16!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem
index c277ba4f6..c277ba4f6 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..abf46a755
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-ecp256
+   }
+}
+
+secrets {
+
+   ecdsa-carol {
+      file = carolKey.pem
+      secret = "nH5ZQEWtku0RJEZ6"
+   }
+}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem
index 646f6e8e3..646f6e8e3 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index ed9410c04..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes128-sha256-ecp256!
-	esp=aes128gcm16!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ebd3a2839..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem
index 40a76935e..40a76935e 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..3981ac2ea
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes256gcm16-ecp384
+         }
+      }
+      version = 1
+      proposals = aes256-sha384-ecp384
+   }
+}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem
index 35b3df49a..35b3df49a 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 359029d02..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes128-sha256-ecp256!
-	esp=aes128gcm16!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
index 24f07b5d7..24f07b5d7 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..1ddf9621e
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes256gcm16-aes128gcm16-ecp384-ecp256
+         }
+      }
+      version = 1
+      proposals = aes256-aes128-sha384-sha256-ecp384-ecp256
+   }
+}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem
index a4962286e..a4962286e 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
index 1865a1c60..3d10c0f1f 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
@@ -1,6 +1,11 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+carol::rm /etc/swanctl/ecdsa/carolKey.pem
+dave::rm /etc/swanctl/ecdsa/daveKey.pem
+moon::rm /etc/swanctl/ecdsa/moonKey.pem
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
index e87a8ee47..c86fdede5 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
@@ -1,11 +1,14 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/carolKey.pem
+dave::rm /etc/swanctl/rsa/daveKey.pem
+moon::rm /etc/swanctl/rsa/moonKey.pem
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt b/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt
deleted file mode 100644
index cfa7a11b9..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
-functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp hmac gcm</b> and <b>x509</b>.
-<p/>
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
-<b>AES_GCM_16_256</b> both for IKE and ESP by defining <b>ike=aes256gcm16-prfsha512-modp2048</b>
-(or alternatively <b>aes256gcm128</b>) and <b>esp=aes256gcm16-modp2048</b> in ipsec.conf,
-respectively.
-<p/>
-Roadwarrior <b>dave</b> proposes to gateway <b>moon</b> the cipher suite
-<b>AES_GCM_16_128</b> both for IKE and ESP by defining <b>ike=aes128gcm16-prfsha256-modp1536</b>
-(or alternatively <b>aes128gcm128</b>) and <b>esp=aes128gcm16-modp1536</b> in ipsec.conf,
-respectively.
-<p/>
-A ping by <b>carol</b> and <b>dave</b> to <b>alice</b> successfully checks the established tunnels.
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat
deleted file mode 100644
index 44bd75895..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat
+++ /dev/null
@@ -1,26 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw\[1].*IKE proposal: AES_GCM_16_256::YES
-moon:: ipsec statusall 2> /dev/null::rw\[2].*IKE proposal: AES_GCM_16_128::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES
-dave:: ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_128::YES
-moon:: ipsec statusall 2> /dev/null::rw[{]1}.*AES_GCM_16_256,::YES
-moon:: ipsec statusall 2> /dev/null::rw[{]2}.*AES_GCM_16_128,::YES
-carol::ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES
-dave:: ipsec statusall 2> /dev/null::AES_GCM_16_128,::YES
-moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES
-carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
-dave:: ip xfrm state::aead rfc4106(gcm(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES
-
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index c0016ff61..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes256gcm128-prfsha512-modp2048!
-	esp=aes256gcm128-modp2048!
-
-conn home
-	left=PH_IP_CAROL
-	leftfirewall=yes
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add 
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 4a7e09c6a..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = pem pkcs1 random nonce revocation openssl curl stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 335eda02c..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128gcm128-prfsha256-modp1536!
-	esp=aes128gcm128-modp1536!
-
-conn home
-	left=PH_IP_DAVE
-	leftfirewall=yes
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add 
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 99069ae82..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac gcm stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 566298bed..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes256gcm16-prfsha512-modp2048,aes128gcm16-prfsha256-modp1536!
-	esp=aes256gcm16-modp2048,aes128gcm16-modp1536!
-
-conn rw
-	left=PH_IP_MOON
-	leftfirewall=yes
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4a7e09c6a..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = pem pkcs1 random nonce revocation openssl curl stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat
deleted file mode 100644
index 1865a1c60..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat
deleted file mode 100644
index e87a8ee47..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/description.txt b/testing/tests/openssl-ikev2/alg-blowfish/description.txt
deleted file mode 100644
index d30d9d2da..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> as well as the gateway <b>moon</b>
-use the <b>openssl</b> plugin based on the <b>OpenSSL</b> library for all
-cryptographical functions, thus making the <b>Blowfish</b> available as an IKEv2 cipher.
-<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
-to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP
-encryption.  Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
-the client <b>alice</b> behind the gateway <b>moon</b>.
-
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
deleted file mode 100644
index a4f1f2998..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
+++ /dev/null
@@ -1,17 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
-dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES
-dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES
-carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
-dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 192::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 192::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES
-
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index adee238e6..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=blowfish256-sha512-modp2048!
-	esp=blowfish192-sha384!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 4a5e52dbd..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index e22322431..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=blowfish128-sha256-modp1536!
-	esp=blowfish128-sha256!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 4a5e52dbd..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 43bbb36a9..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536!
-	esp=blowfish192-sha384,blowfish128-sha256!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4a5e52dbd..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat b/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
deleted file mode 100644
index 1865a1c60..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
deleted file mode 100644
index e87a8ee47..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-camellia/description.txt b/testing/tests/openssl-ikev2/alg-camellia/description.txt
index b3515c333..4b8eeb87e 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/description.txt
+++ b/testing/tests/openssl-ikev2/alg-camellia/description.txt
@@ -1,4 +1,3 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 /
-HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as
-the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b>
-in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite
+<b>camellia256-sha512-modp3072</b> as well as the ESP cipher suite <b>camellia192-sha384</b>.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
index 937860593..8a2e36baa 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
@@ -1,10 +1,6 @@
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
-carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon:: ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index f0bbfc10f..000000000
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=camellia256-sha512-modp3072!
-	esp=camellia192-sha384!
-
-conn home
-	left=PH_IP_CAROL
-	leftfirewall=yes
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add 
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
index 976544b24..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ebdb473fb
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = camellia192-sha384
+         }
+      }
+      version = 2
+      proposals = camellia256-sha512-modp3072
+   }
+}
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 8481f8974..000000000
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=camellia256-sha512-modp3072!
-	esp=camellia192-sha384!
-
-conn rw
-	left=PH_IP_MOON
-	leftfirewall=yes
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
index 976544b24..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..90c566bb6
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = camellia192-sha384
+         }
+      }
+      version = 2
+      proposals = camellia256-sha512-modp3072
+   }
+}
diff --git a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
index 046d4cfdc..2b00bea8e 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
index e34f70277..ae2c30429 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection net
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-camellia/test.conf b/testing/tests/openssl-ikev2/alg-camellia/test.conf
index 4a5fc470f..307c7e9cc 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt
index d0ae5a823..e37d5489c 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt
@@ -1,17 +1,17 @@
 The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
 plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
 certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
 plugin for the Elliptic Curve Diffie-Hellman groups only.
 <p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
 <b>carol</b> proposes the <b>Brainpool</b> DH groups ECP_256_BP and ECP_384_BP whereas
 <b>dave</b> proposes ECP_256_BP and ECP_512_B P. Since <b>moon</b> does not support
 ECP_256_BP the roadwarriors fall back to ECP_384_BP and ECP_512_BP, respectively.
 <p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
 the client <b>alice</b> behind the gateway <b>moon</b>.
 
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat
index ebc7752f2..746d90280 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat
@@ -1,19 +1,12 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::ECP_256_BP.*ECP_384_BP::YES
 dave:: cat /var/log/daemon.log::ECP_256_BP.*ECP_512_BP::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384_BP::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_512_BP::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_512_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384_BP.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_512_BP.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index bfca8965f..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-ecp256bp,aes192-sha384-ecp384bp!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..893130d66
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256bp,aes192gcm16-ecp384bp
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256bp,aes192-sha384-ecp384bp
+   }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 2b16165dc..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-ecp256bp,aes256-sha512-ecp512bp!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf
index fde691e96..5b59e8d55 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e522d15d7
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256bp,aes256gcm16-ecp512bp
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256bp,aes256-sha512-ecp512bp
+   }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 8c02c9fea..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes192-sha384-ecp384bp,aes256-sha512-ecp512bp!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..93fc75e14
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes192gcm16-ecp384bp,aes256gcm16-ecp512bp
+         }
+      }
+      version = 2
+      proposals = aes192-sha384-ecp384bp,aes256-sha512-ecp512bp
+   }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
@@ -1,11 +1,11 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt
index 78eb0ffb3..35323dab6 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt
@@ -1,17 +1,16 @@
 The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
 certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes des sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
 plugin for the Elliptic Curve Diffie-Hellman groups only.
 <p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
 <b>carol</b> proposes the <b>Brainpool</b> DH groups ECP_384_BP and ECP_224_BP whereas
-<b>dave</b> proposes ECP_192_BP and ECP_256_BP. Since <b>moon</b> does not support
+<b>dave</b> proposes ECP_384_BP and ECP_256_BP. Since <b>moon</b> does not support
 ECP_384_BP the roadwarriors fall back to ECP_224_BP and ECP_256_BP, respectively.
 <p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
 the client <b>alice</b> behind the gateway <b>moon</b>.
-
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat
index ff9fb202c..1c64d0f16 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat
@@ -1,19 +1,12 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::ECP_384_BP.*ECP_224_BP::YES
 dave:: cat /var/log/daemon.log::ECP_384_BP.*ECP_256_BP::YES
-carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224_BP::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256_BP::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224_BP.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index be85b6c1e..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes192-sha384-ecp384bp,3des-sha256-ecp224bp!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..deba223ce
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes192gcm16-ecp384bp,3des-sha256-ecp224bp
+         }
+      }
+      version = 2
+      proposals = aes192-sha384-ecp384bp,3des-sha256-ecp224bp
+   }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 1adedc048..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes192-sha384-ecp384bp,aes128-sha256-ecp256bp!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf
index fde691e96..6c9cf718d 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ab8fcf6a3
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes192gcm16-ecp384bp,aes128gcm16-ecp256bp
+         }
+      }
+      version = 2
+      proposals = aes192-sha384-ecp384bp,aes128-sha256-ecp256bp
+   }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index b4cd86c60..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=3des-sha256-ecp224bp,aes128-sha256-ecp256bp!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..c12a7d4c6
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = 3des-sha256-ecp224bp,aes128gcm16-ecp256bp
+         }
+      }
+      version = 2
+      proposals = 3des-sha256-ecp224bp,aes128-sha256-ecp256bp
+   }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
@@ -1,11 +1,11 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
index a1f31495d..773e43a35 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
@@ -1,17 +1,17 @@
 The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
 plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
 certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
 plugin for the Elliptic Curve Diffie-Hellman groups only.
 <p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
 <b>carol</b> proposes the DH groups ECP_256 and ECP_384 whereas <b>dave</b> proposes
 ECP_256 and ECP_521. Since <b>moon</b> does not support ECP_256 the roadwarriors
 fall back to ECP_384 and ECP_521, respectively.
 <p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
 the client <b>alice</b> behind the gateway <b>moon</b>.
 
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
index 4cee48d89..07ad135d8 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
@@ -1,17 +1,11 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::ECP_256.*ECP_384::YES
 dave:: cat /var/log/daemon.log::ECP_256.*ECP_521::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 2fd776e25..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-ecp256,aes192-sha384-ecp384!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..46942c7e2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256,aes192gcm16-ecp384
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256,aes192-sha384-ecp384
+   }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 8d8989ed7..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-ecp256,aes256-sha512-ecp521!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
index fde691e96..5b59e8d55 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..828c4d6c7
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256,aes256gcm16-ecp521
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256,aes256-sha512-ecp521
+   }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index addcc6175..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes192-sha384-ecp384,aes256-sha512-ecp521!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..18a98ad6e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes192gcm16-ecp384,aes256gcm16-ecp521
+         }
+      }
+      version = 2
+      proposals = aes192-sha384-ecp384,aes256-sha512-ecp521
+   }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
@@ -1,11 +1,11 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/description.txt b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt
index 84b6eb4bf..c365455d0 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/description.txt
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt
@@ -1,17 +1,17 @@
 The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
 certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes des sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
 plugin for the Elliptic Curve Diffie-Hellman groups only.
 <p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
 <b>carol</b> proposes the DH groups ECP_192 and ECP_224 whereas <b>dave</b> proposes
 ECP_192 and ECP_256. Since <b>moon</b> does not support ECP_192 the roadwarriors
 fall back to ECP_224 and ECP_256, respectively.
 <p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
 the client <b>alice</b> behind the gateway <b>moon</b>.
 
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
index 818082ca8..88fe3a1e3 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
@@ -1,19 +1,12 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::ECP_192.*ECP_224::YES
 dave:: cat /var/log/daemon.log::ECP_192.*ECP_256::YES
-carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index b754c29ba..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes192-sha384-ecp192,3des-sha256-ecp224!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e21bcd3b5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = 3des-sha1-ecp192,3des-sha256-ecp224
+         }
+      }
+      version = 2
+      proposals = 3des-sha1-ecp192,3des-sha256-ecp224
+   }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index b5e9215c5..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes192-sha384-ecp192,aes128-sha256-ecp256!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
index fde691e96..6c9cf718d 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..f38c4353b
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = 3des-sha1-ecp192,aes128gcm16-ecp256
+         }
+      }
+      version = 2
+      proposals = 3des-sha1-ecp192,aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 2e4a15ec3..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=3des-sha256-ecp224,aes128-sha256-ecp256!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..5caa77eb9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = 3des-sha256-ecp224,aes128gcm16-ecp256
+         }
+      }
+      version = 2
+      proposals = 3des-sha256-ecp224,aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
@@ -1,11 +1,11 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/critical-extension/description.txt b/testing/tests/openssl-ikev2/critical-extension/description.txt
index 8c0d37c88..4f472b83b 100644
--- a/testing/tests/openssl-ikev2/critical-extension/description.txt
+++ b/testing/tests/openssl-ikev2/critical-extension/description.txt
@@ -1,5 +1,5 @@
 A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
 The authentication is based on <b>X.509 certificates</b> which contain a <b>critical</b> but
-unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical 
+unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical
 extensions by setting <b>libstrongswan.x509.enforce_critical = no</b> in strongswan.conf,
 <b>sun</b> discards such certificates and aborts the connection setup.
diff --git a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
index cc904c8bc..e91ba2b82 100644
--- a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
@@ -1,6 +1,4 @@
 moon::cat /var/log/daemon.log::sending end entity cert::YES
 moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 sun:: cat /var/log/daemon.log::found unsupported critical X.509 extension::YES
-sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
-sun:: cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
 sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
index a72c82525..f2104c5f8 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 random nonce openssl revocation curl hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl revocation curl vici kernel-netlink socket-default updown
   multiple_authentication = no
+}
 
+libstrongswan {
   x509 {
     enforce_critical = no
   }
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem
index 4d99866f7..4d99866f7 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0b0aa32a5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.2.0.0/16
+            esp_proposals = aes128gcm128-ecp256
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der
index 7f78d5820..7f78d5820 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
index d67640548..77d858547 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 random nonce openssl curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem
index d8fad9aad..d8fad9aad 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bb068bdbe
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+             esp_proposals = aes128gcm128-ecp256
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der
index c1efb6719..c1efb6719 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der
diff --git a/testing/tests/openssl-ikev2/critical-extension/posttest.dat b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
index 837738fc6..83cd75a5d 100644
--- a/testing/tests/openssl-ikev2/critical-extension/posttest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
@@ -1,5 +1,4 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::rm /etc/swanctl/x509/moonCert.der
+sun::rm /etc/swanctl/x509/sunCert.der
diff --git a/testing/tests/openssl-ikev2/critical-extension/pretest.dat b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
index 08ca6b54c..cc8d9d74f 100644
--- a/testing/tests/openssl-ikev2/critical-extension/pretest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
@@ -1,7 +1,7 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
-moon::ipsec up net-net
+moon::rm /etc/swanctl/x509/moonCert.pem
+sun::rm /etc/swanctl/x509/sunCert.pem
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/critical-extension/test.conf b/testing/tests/openssl-ikev2/critical-extension/test.conf
index b286ef6eb..d3016a886 100644
--- a/testing/tests/openssl-ikev2/critical-extension/test.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
- 
+
 # Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/description.txt b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
index 4f855eb1a..3bbcdfa32 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
@@ -1,11 +1,12 @@
 The hosts <b>carol</b>, <b>dave</b>, and <b>moon</b> use the <b>openssl</b> plugin
 based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate functions.
 <p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
 to gateway <b>moon</b>. The authentication is based on <b>ECDSA signatures</b>
 using <b>Elliptic Curve certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+</p>
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
 the client <b>alice</b> behind the gateway <b>moon</b>.
 
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
index 18fdacfff..a018f735d 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
@@ -1,17 +1,13 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
-moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES
 carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
-dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index c562e359c..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-ecp256!
-	esp=aes128gcm16!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem
index c277ba4f6..c277ba4f6 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..06c23a791
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
+
+secrets {
+
+   ecdsa-carol {
+      file = carolKey.pem
+      secret = "nH5ZQEWtku0RJEZ6"
+   }
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem
index 646f6e8e3..646f6e8e3 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 62a62a463..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-ecp256!
-	esp=aes128gcm16!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ebd3a2839..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
index d94b17950..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
-  signature_authentication = no
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem
index 40a76935e..40a76935e 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..f7eb029b0
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes256gcm16-ecp384
+         }
+      }
+      version = 2
+      proposals = aes256-sha384-ecp384
+   }
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem
index 35b3df49a..35b3df49a 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index c5e5e61b0..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-ecp256!
-	esp=aes128gcm16!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
index 24f07b5d7..24f07b5d7 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0d99a8189
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes256gcm16-aes128gcm16-ecp384-ecp256
+         }
+      }
+      version = 2
+      proposals = aes256-aes128-sha384-sha256-ecp384-ecp256
+   }
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem
index a4962286e..a4962286e 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
index 1865a1c60..3d10c0f1f 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
@@ -1,6 +1,11 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+carol::rm /etc/swanctl/ecdsa/carolKey.pem
+dave::rm /etc/swanctl/ecdsa/daveKey.pem
+moon::rm /etc/swanctl/ecdsa/moonKey.pem
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
index e87a8ee47..c86fdede5 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
@@ -1,11 +1,14 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/carolKey.pem
+dave::rm /etc/swanctl/rsa/daveKey.pem
+moon::rm /etc/swanctl/rsa/moonKey.pem
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
index 46eaccd7a..a018f735d 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
@@ -1,13 +1,13 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
 moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
 moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES
 carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
 dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index c562e359c..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-ecp256!
-	esp=aes128gcm16!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
index a2b5acb79..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 pkcs8 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/pkcs8/carolKey.pem
index d043dfd6d..d043dfd6d 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/pkcs8/carolKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..048f3bbf9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
+
+secrets {
+
+   pkcs8-carol {
+      file = carolKey.pem
+      secret = "nH5ZQEWtku0RJEZ6"
+   }
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509/carolCert.pem
index 646f6e8e3..646f6e8e3 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509/carolCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 62a62a463..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-ecp256!
-	esp=aes128gcm16!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 56f6e6365..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem "OJlNZBx+80dLh4wC6fw5LmBd"
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
index a2b5acb79..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 pkcs8 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/pkcs8/daveKey.pem
index c32137ef9..c32137ef9 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/pkcs8/daveKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..8557928c2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes256gcm16-ecp384
+         }
+      }
+      version = 2
+      proposals = aes256-sha384-ecp384
+   }
+}
+
+
+secrets {
+
+   pkcs8-dave {
+      file = daveKey.pem
+      secret = "OJlNZBx+80dLh4wC6fw5LmBd"
+   }
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509/daveCert.pem
index 35b3df49a..35b3df49a 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509/daveCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index c5e5e61b0..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-ecp256!
-	esp=aes128gcm16!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
index a2b5acb79..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 pkcs8 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
index 24f07b5d7..24f07b5d7 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0d99a8189
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes256gcm16-aes128gcm16-ecp384-ecp256
+         }
+      }
+      version = 2
+      proposals = aes256-aes128-sha384-sha256-ecp384-ecp256
+   }
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509/moonCert.pem
index a4962286e..a4962286e 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509/moonCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
index 1865a1c60..ff2860e45 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
@@ -1,6 +1,11 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+carol::rm /etc/swanctl/pkcs8/carolKey.pem
+dave::rm /etc/swanctl/pkcs8/daveKey.pem
+moon::rm /etc/swanctl/ecdsa/moonKey.pem
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
index e87a8ee47..c86fdede5 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
@@ -1,11 +1,14 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/carolKey.pem
+dave::rm /etc/swanctl/rsa/daveKey.pem
+moon::rm /etc/swanctl/rsa/moonKey.pem
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat
deleted file mode 100644
index 468c5f7ee..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed.*sun <sun.strongswan.org>::YES
-sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun <sun.strongswan.org>.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index fcb9d839f..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-modp3072!
-	esp=aes128gcm16!
-	mobike=no
-
-conn net-net
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftcert=moonCert.asc
-	leftid=@#71270432cd763a18020ac988c0e75aed
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightcert=sunCert.asc
-	auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
deleted file mode 100644
index 135cfaec0..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID    Date       User ID
-pub  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
-vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
-f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
-t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
-=oaBj
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
deleted file mode 100644
index 32f204b10..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID    Date       User ID
-pub  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
-A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
-0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
-lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
-=lLvB
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
deleted file mode 100644
index 6524773e0..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
+++ /dev/null
@@ -1,19 +0,0 @@
-Type Bits/KeyID    Date       User ID
-sec  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP SECRET KEY BLOCK-----
-Version: 2.6.3i
-
-lQHYA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-AAP9Fj7OaaCfTL3Met8yuS8ZGMDL/fq+4f2bM+OdPSgD4N1Fiye0B1QMCVGWI1Xd
-JXS0+9QI0A3iD12YAnYwsP50KmsLHA69AqchN7BuimoMfHDXqpTSRW57E9MCEzQ9
-FFN8mVPRiDxAUro8qCjdHmk1vmtdt/PXn1BuXHE36SzZmmMCANBA4WHaO6MJshM6
-7StRicSCxoMn/lPcj6rfJS4EaS+a0MwECxKQ3HKTpP3/+7kaWfLI/D65Xmi3cVK3
-0CPwUK8CAP2RYWoBZPSA8dBGFYwR7W6bdNYhdmGmsVCaM7v4sVr0FwHwMERadByN
-8v0n5As3ZbrCURRp68wuE+JjfOM5mO8CAM3ZK7AVlBOqkoI3X3Ji3yviLlsr2ET7
-QrVKFQBq7eUhwYFo6mVemEqQb61tGirq+qL4Wfk/7+FffZPsUyLX1amfjLQabW9v
-biA8bW9vbi5zdHJvbmdzd2FuLm9yZz4=
-=YFQm
------END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index afb1ff927..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.asc
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index aea93d234..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = openssl pem pkcs1 pgp random nonce stroke kernel-netlink socket-default updown
-}
-
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 91d6ef5d8..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-modp3072!
-	esp=aes128gcm16!
-	mobike=no
-	
-conn net-net
-	left=PH_IP_SUN
-	leftsubnet=10.2.0.0/16
-	leftcert=sunCert.asc
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightcert=moonCert.asc
-	rightid=@#71270432cd763a18020ac988c0e75aed
-	auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
deleted file mode 100644
index 135cfaec0..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID    Date       User ID
-pub  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
-vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
-f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
-t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
-=oaBj
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
deleted file mode 100644
index 32f204b10..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID    Date       User ID
-pub  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
-A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
-0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
-lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
-=lLvB
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
deleted file mode 100644
index de2393649..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
+++ /dev/null
@@ -1,19 +0,0 @@
-Type Bits/KeyID    Date       User ID
-sec  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP SECRET KEY BLOCK-----
-Version: 2.6.3i
-
-lQHYA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-AAP8DHxBOQ7UeiO6cutdGSLfy6nxGf/eRR8d3dNLFKpRfy9IQxPN/yQHb8pzSQUI
-Pqi3V4PcJUJQJIMNqzzgyTyey/OdTc+IFngywRGKQowyD7vY+urVbcEDHe+sRTL1
-GvrsQGMZoXNDimABHn5NbT6Pc06xQ9rNvpCSyHMyzcylpk0CANqf96aEaryGJozg
-vSN5GlS77rPJ9Y9mU2EJs1+0BlMcb7Sy4HN2RRc/V56ZmlW2m3UbGwPqG8R9XQQ2
-LO03bTcCAPiJbTcRdA/YnZExbZPgEnV5nq8tVXTc7bz1Sw7ZWRef0iZyIQEXbwLn
-2Z2EJik9bQpkcVJSBV17cH7Av/VdIosCAKJPVoBETiVzWejIpGHHqbnmZC8P9rUs
-xAXZbNukbL3YElLeopNMyddTi6kf45/m0sb7fr7rzW/OJ7WP8mDrGPec4rQYc3Vu
-IDxzdW4uc3Ryb25nc3dhbi5vcmc+
-=DwEu
------END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index ee98b1611..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA sunKey.asc
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index aea93d234..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = openssl pem pkcs1 pgp random nonce stroke kernel-netlink socket-default updown
-}
-
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat
deleted file mode 100644
index 9a9513dc3..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/private/*
-sun::rm /etc/ipsec.d/certs/*
-sun::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat
deleted file mode 100644
index 969c42337..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
-moon::ipsec up net-net
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt b/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt
index e66ea1918..1d40e30f0 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt
@@ -2,7 +2,7 @@ A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
 The authentication is based on <b>X.509 certificates</b> and an RSA private key stored in
 <b>PKCS12</b> format.
 <p/>
-Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
 pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat
index fe4aa5ab1..bfc7e76f1 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 195710a7f..000000000
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-modp3072!
-	esp=aes128gcm16!
-	mobike=no
-
-conn net-net 
-	left=PH_IP_MOON
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 802cfc681..000000000
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: P12 moonCert.p12 "kUqd8O7mzbjXNJKQ"
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
index 2448837f3..a8ed13448 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem nonce revocation openssl curl stroke kernel-netlink socket-default updown
+  load = pem nonce revocation openssl curl vici kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12
new file mode 100644
index 000000000..365da741f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b11cf0f3e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   pkcs12-moon {
+      file = moonCert.p12
+      secret = "kUqd8O7mzbjXNJKQ"
+   }
+}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 292fbeeb6..000000000
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-modp3072!
-	esp=aes128gcm16!
-	mobike=no
-
-conn net-net 
-	left=PH_IP_SUN
-	leftid=@sun.strongswan.org
-	leftsubnet=10.2.0.0/16
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index 3dc85528c..000000000
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,8 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: P12 sunCert.p12 "IxjQVCF3JGI+MoPi"
-
-
-
-
-
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
index 2448837f3..a8ed13448 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem nonce revocation openssl curl stroke kernel-netlink socket-default updown
+  load = pem nonce revocation openssl curl vici kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12
new file mode 100644
index 000000000..e2cd2f21d
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..28c0e87a4
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   pkcs12-sun {
+      file = sunCert.p12
+      secret = "IxjQVCF3JGI+MoPi"
+   }
+}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat
index 0fbba487c..9802f442d 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/private/moonCert.p12
-sun::rm /etc/ipsec.d/private/sunCert.p12
+moon::rm /etc/swanctl/pkcs12/moonCert.p12
+sun::rm /etc/swanctl/pkcs12/sunCert.p12
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
index 47e6d8604..22ffcf949 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
@@ -1,11 +1,9 @@
-moon::rm /etc/ipsec.d/private/moonKey.pem
-moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-sun::rm /etc/ipsec.d/private/sunKey.pem
-sun::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem x509ca/strongswanCert.pem
+sun::cd /etc/swanctl; rm rsa/sunKey.pem x509/sunCert.pem x509ca/strongswanCert.pem
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf
index 646b8b3e6..87abc763b 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
- 
+
 # Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/rw-cert/description.txt b/testing/tests/openssl-ikev2/rw-cert/description.txt
index b16faad06..ca738a1d4 100644
--- a/testing/tests/openssl-ikev2/rw-cert/description.txt
+++ b/testing/tests/openssl-ikev2/rw-cert/description.txt
@@ -1,11 +1,12 @@
 The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
 plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
 functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp</b> and <b>x509</b>.
-<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+plugins <b>aes des sha1 sha2 hmac gmp</b> and <b>x509</b>.
+<p/>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script
 automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
 the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
index be78c5125..572a138a6 100644
--- a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
@@ -1,15 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 213cd70fa..000000000
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=3des-sha1-modp1536!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 8197ea8b1..996be95f5 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown
+  load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm vici kernel-netlink socket-default updown
 
   integrity_test = yes
   crypto_test {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e8504addb
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = 3des-sha1-modp2048
+         }
+      }
+      version = 2
+      proposals = 3des-sha1-modp2048
+   }
+}
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 653316fde..000000000
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes256-sha256-modp2048!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 058abcad7..f2b8046e0 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm vici kernel-netlink socket-default updown
 
   integrity_test = yes
   crypto_test {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..27c6f12ba
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 16299b339..000000000
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes256-sha256-modp2048,3des-sha1-modp1536!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 8197ea8b1..996be95f5 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown
+  load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm vici kernel-netlink socket-default updown
 
   integrity_test = yes
   crypto_test {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..aa8d6167a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072,3des-sha1-modp2048
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072,3des-sha1-modp2048
+   }
+}
diff --git a/testing/tests/openssl-ikev2/rw-cert/posttest.dat b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
index 1865a1c60..b909ac76c 100644
--- a/testing/tests/openssl-ikev2/rw-cert/posttest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-cert/pretest.dat b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
index 974c22530..61fc17ba2 100644
--- a/testing/tests/openssl-ikev2/rw-cert/pretest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
@@ -1,12 +1,11 @@
-moon::iptables-restore < /etc/iptables.rules
+mmoon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-# moon runs crypto tests, so make sure it is ready
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/rw-cert/test.conf b/testing/tests/openssl-ikev2/rw-cert/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/rw-cert/test.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
deleted file mode 100644
index 5b525ef06..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
-carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
-carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::YES
-carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index f3d7a807c..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-ecp256!
-	esp=aes128-sha256!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid="C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org"
-	rightauth=any
-	rightsubnet=10.1.0.0/16
-	rightsendcert=never
-	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index 646f6e8e3..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
-zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C
-Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud
-EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+
-aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u
-Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0
-cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n
-c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA
-7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm
-q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE
-gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index c277ba4f6..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,E62D0EE78FCCAD3B03EA4F93FEFD057C
-
-CppPKxfVWWaXK3iuFa27YOe/0lWsvzhYKShyq9XanpjuCkcmxKD97eAH1TKokasH
-7ffgnKzbLloxJN6g0GMTPpfiRndeK36DyTwktkyt+h+LU1xooSmNnsaM41P0GaPB
-71Y87B5E5DCmWQO0icQKbQPj66GNwxBh9S6a8OaxnkU=
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index f5b116b3b..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = pem pkcs1 random nonce openssl curl revocation stroke kernel-netlink socket-default eap-tls updown
-  multiple_authentication=no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-}
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 2236a5f71..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-ecp256!
-	esp=aes128-sha256!
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftcert=moonCert.pem
-	leftauth=eap-tls
-	leftfirewall=yes
-	rightauth=eap-tls
-	rightsendcert=never
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
deleted file mode 100644
index a4962286e..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDMTCCApOgAwIBAgIBDjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMDQ0M1oXDTIzMDYxMTEyMDQ0M1owXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDUyMSBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwgZswEAYHKoZI
-zj0CAQYFK4EEACMDgYYABADF8xmbPu/a05BVtNnZflimozXZgYi+Md7hKREzL7qr
-dvtRwbyvki3XNo7zzc1HF/FcYyLJ7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcx
-JTF74PtzYGKaMWCP+YN52u3tGaOdlvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPu
-M2HRBKOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRl
-8cuEZmUGoBIWQeXSYzWq/7ou4jB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB
-7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB4G
-A1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYr
-aHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAKBggq
-hkjOPQQDAgOBiwAwgYcCQgDtARCWbIy+tdsD9EYw/oTxfrnsWP0fw1/3UKXjSAlT
-tZfJfE743Y7Zl2vqmRIeohQBYY09reTOFnUfYx/jONsTUQJBSB7w+z/CcTCQGIV8
-ISaaeAskxcg/+h87ha+5ZOkHoJDeJTqaatHu3dVx8OepEiQS0TSB9FNxj9g/9bYN
-Vjo6NkA=
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
deleted file mode 100644
index 24f07b5d7..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIAtiNgtSnZ9gKIXkKvb8f1J+ubRkBssvOaHYjv7RMvVOqw5kQGb11B
-qXHVf2Qt25/1DccijDu27YQJQLVTY0k5elSgBwYFK4EEACOhgYkDgYYABADF8xmb
-Pu/a05BVtNnZflimozXZgYi+Md7hKREzL7qrdvtRwbyvki3XNo7zzc1HF/FcYyLJ
-7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcxJTF74PtzYGKaMWCP+YN52u3tGaOd
-lvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPuM2HRBA==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4aa2068f4..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = pem pkcs1 random nonce openssl curl revocation stroke kernel-netlink socket-default eap-tls updown
-  multiple_authentication=no
-  syslog {
-    daemon {
-      tls = 2
-    }
-  }
-}
-
-libtls {
-  suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-}
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
deleted file mode 100644
index 046d4cfdc..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt
deleted file mode 100644
index 26e42c4b7..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
-but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
-she ignores the repeated IKE requests sent by <b>dave</b>.
-<p/>
-After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
-connection to gateway <b>moon</b>. The authentication is based on Suite B with <b>128 bit</b>
-security based on <b>X.509 ECDSA</b> certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b>
-authenticated encryption.
-<p/>
-Upon the successful establishment of the IPsec tunnel, the static IPsec policy rules of
-an iptables-based firewall let pass the tunneled traffic. In order to test both tunnel and firewall,
-<b>carol</b> pings the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
deleted file mode 100644
index b00c4cd40..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
-carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 61e13df41..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128gcm128-prfsha256-ecp256!
-	esp=aes128gcm128-ecp256!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index 646f6e8e3..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
-zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C
-Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud
-EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+
-aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u
-Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0
-cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n
-c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA
-7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm
-q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE
-gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index c8c12c3b7..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAgyh91hjqzCuAICCAAw
-HQYJYIZIAWUDBAECBBBZwepsRENncvW5UJ/blAqmBIGQZdbHnD3PWEbUXZJPkbIK
-VvJZkd2+k12IxdShMWwCeW93R+3nj+7T0NPAQqMbuqz51zgO+SuXDupUIKdLHKMy
-vdasLrbA3fe7YFVlxQjB6fB69V059ifi61OCIO/KfC7Je4ff3TZVwJcUYpduPIkQ
-BZAw46T0JtrXltFgxxGYnnTlzuYW6EDB3l6Fwb2zCyZm
------END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index d117a3001..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
-
-  initiator_only = yes
-  integrity_test = yes
-
-  crypto_test {
-    required = yes
-    on_add = yes
-  }
-
-  plugins {
-    openssl {
-      fips_mode = 2
-    }
-  }
-}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 22fcb3eb5..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128gcm128-prfsha256-ecp256!
-	esp=aes128gcm128-ecp256!
-
-conn peer
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_CAROL
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem
deleted file mode 100644
index 0f6315794..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC7TCCAlCgAwIBAgIBEjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMzUyNFoXDTIzMDYxMTEyMzUyNFowXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDI1NiBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAATRc+i666sxHVohZ/4ld8ffz2xoa+x9+7TzM689nczQ
-oZMs3+AJIjjNzdjvEe6kPHW73p51IdtlVF97Ib62hgQuo4IBEzCCAQ8wCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDA3QkktCD5ZvWeiepNeQPWpcKP8
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYDVR0RBBcwFYETZGF2ZUBzdHJv
-bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
-YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMCA4GKADCBhgJBOrfM
-xT0Cn1uXVvuS977ANQZwzAX4O9y5POFXBkDKLFPL9hgWg7jxhREkDRcvViovMmiM
-EAjoEZLD8SysfYrRZxcCQXtgWTfS2GAIDSQS1of1so/8Z/xZdfoIWxRoZ/xmH7jY
-Yt3wK6yGjziEbX9LGN4MkOwkJKjEkTwbTygv7Wt3arz/
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem
deleted file mode 100644
index a4041c5fa..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEICEAikut4YuFnv6vLE/7Lk+LmQ+ic35apftbhu2+TICQoAoGCCqGSM49
-AwEHoUQDQgAE0XPouuurMR1aIWf+JXfH389saGvsffu08zOvPZ3M0KGTLN/gCSI4
-zc3Y7xHupDx1u96edSHbZVRfeyG+toYELg==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ebd3a2839..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index d117a3001..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
-
-  initiator_only = yes
-  integrity_test = yes
-
-  crypto_test {
-    required = yes
-    on_add = yes
-  }
-
-  plugins {
-    openssl {
-      fips_mode = 2
-    }
-  }
-}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index f7044e51d..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekey=no
-	reauth=no
-	keyexchange=ikev2
-	ike=aes128gcm128-prfsha256-ecp256!
-	esp=aes128gcm128-ecp256!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem
deleted file mode 100644
index 961c8bec8..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC7jCCAlCgAwIBAgIBEzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzE0MzEzMVoXDTIzMDYxMTE0MzEzMVowXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDI1NiBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAATCqc/Wov++N8wvG3IhsEAxa38bxoIBPQZeOqMyi/lV
-breEsOSJD/POV3gkt1lKOaQ502XdJcjdAvCqjtbpzCMWo4IBEzCCAQ8wCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFAtkayAwMYDQqnlKDRvm7HNCIxY8
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYDVR0RBBcwFYITbW9vbi5zdHJv
-bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
-YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMCA4GLADCBhwJBVnfl
-l9eV6R+jNdUCuz+yDdM7c1UpQ+Qy7rtXq50KZY7d1xJsTk152LxXIkO8EJnHmO4l
-s39RHlGXItWcYGffXIICQgCLB+R8QFnMcKlgpjrxsuO/Ljg1RcMav3y3zaHJJJLT
-eJBEL7RhDaPGcJ/hKU4TPwvSEIkswQaDnN+oAZiz/gFDUw==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem
deleted file mode 100644
index c0a8c852b..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIG7fewqQ4RTIWsck4m9ftByXOl4X0va0RtYqdbiF9CAHoAoGCCqGSM49
-AwEHoUQDQgAEwqnP1qL/vjfMLxtyIbBAMWt/G8aCAT0GXjqjMov5VW63hLDkiQ/z
-zld4JLdZSjmkOdNl3SXI3QLwqo7W6cwjFg==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules
deleted file mode 100644
index cc12d1659..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT  -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT  -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
-
-# allow traffic tunnelled via IPsec
--A FORWARD -i eth0 -o eth1 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
--A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index feb5d79a6..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
-
-  integrity_test = yes
-
-  crypto_test {
-    required = yes
-    on_add = yes
-  }
-
-  plugins {
-    openssl {
-      fips_mode = 2
-    }
-  }
-}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat
deleted file mode 100644
index 290f57e69..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
-dave::expect-connection peer
-dave::ipsec up peer
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt
deleted file mode 100644
index b8cb4fb8b..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
-but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
-she ignores the repeated IKE requests sent by <b>dave</b>.
-<p/>
-After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
-connection to gateway <b>moon</b>. The authentication is based on Suite B with <b>192 bit</b>
-security based on <b>X.509 ECDSA</b> certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b>
-authenticated encryption.
-<p/>
-Upon the successful establishment of the IPsec tunnel, the static IPsec policy rules of
-an iptables-based firewall let pass the tunneled traffic. In order to test both tunnel and firewall,
-<b>carol</b> pings the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
deleted file mode 100644
index 3de5c94e0..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
-carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 14146ef01..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes256gcm128-prfsha384-ecp384!
-	esp=aes256gcm128-ecp384!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index f3f4c6671..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDDjCCAm+gAwIBAgIBETAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMzQzMloXDTIzMDYxMTEyMzQzMlowXzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDM4NCBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMHYwEAYHKoZI
-zj0CAQYFK4EEACIDYgAExm8lmoXGUfLL8xzhhQFmadz7SjPdubASbH9m+t7h30OV
-yo+NPmtve7uqrWzttyWfqR7tFSOLtP5joj8U9E580ilT/2MsjVQJpKOFpYaggPUK
-f+fhRwfQMUunyyAoIRSbo4IBFDCCARAwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gw
-HQYDVR0OBBYEFCQeIdu6skXTNWUg5w1Eb9HR1dU2MHgGA1UdIwRxMG+AFLpd+XG2
-E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
-dXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA
-9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwPAYDVR0f
-BDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2Fu
-X2VjLmNybDAKBggqhkjOPQQDAgOBjAAwgYgCQgGptTrYfjcWM+P66K5W+sq1d4X6
-E0+I2lXRKRiku2vPjpTQZJim4k4pAJNC19R2CCJMBgqab1ROUUsHMMHBNcyR/gJC
-AN6S1J68o3UTQwAyN/zXW4ur8cxsPKV9uZYoz7O6Snz+eTliz/g8NPtfLYUseCii
-VoXhdWwKkiRd8Cjck+RJHVWh
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index 713942d7f..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBDjBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQI1OV1cAp5SZcCAggA
-MB0GCWCGSAFlAwQBFgQQ1SGtVnno2vKhkF+iPT6vygSBwFZQrciZs2FN8cDI0x9c
-3OFxbaRawXnagMlpYq/To268rDFtcKGBN7JxwBaFGJw4NFrU/sOu2NkhLuA/Jbaz
-w75aQ/MjTeOtwy2PS62J/+T1zqCdfpfCJYeYCc2CPd3E21FbsW0Mmfw1b8vZ2YeS
-lsd9jvY/bob4tH68J1ZqErOLaCU0EXPgqlZiLhcDIwfZJDqrZ5xFHk3mcjB6Pc4O
-TWwJN+elQoxd29HSASw9plO2p1DRDpSZPTU67UDXDOWfJA==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index d117a3001..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
-
-  initiator_only = yes
-  integrity_test = yes
-
-  crypto_test {
-    required = yes
-    on_add = yes
-  }
-
-  plugins {
-    openssl {
-      fips_mode = 2
-    }
-  }
-}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index b81e9b277..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes256gcm128-prfsha384-ecp384!
-	esp=aes256gcm128-ecp384!
-
-conn peer
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_CAROL
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem
deleted file mode 100644
index 35b3df49a..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDDDCCAm2gAwIBAgIBDzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMTAzMVoXDTIzMDYxMTEyMTAzMVowXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDM4NCBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
-PQIBBgUrgQQAIgNiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0ocoAfYUe/8KzxU5
-7Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3BQu8lofvwQQxQ
-rWnu3qzwqEfwb0iB2WyjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd
-BgNVHQ4EFgQUDCdvv80iOq2pGsjrnNiQFP2RjnsweAYDVR0jBHEwb4AUul35cbYT
-tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
-eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2
-onV+Iu+miTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1
-MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l
-Yy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIBMxGGwujqlwf+JFNXW/sbxZmynwzq
-duPikzCw0wIq+YhFYJVi2YWDz0Ikfn4WUvoiUIC/uSBAJAw/3E3SHO5I4Y8CQgF2
-d6Ct2ocQwMcz5O00i3BsuOjiHvL3VB3GGG8rfIXAqwUAy4jXQo0bMh2yD+5WwKmP
-GnRyvRuhwRkbBIGt6l1mbA==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem
deleted file mode 100644
index 40a76935e..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDBz89+bQmsMHvfaCsI0N1bInZ+oxA9JZHZrAAkHGHaWFUQZFXBMB88n
-2+6S2JvUbcygBwYFK4EEACKhZANiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0oco
-AfYUe/8KzxU57Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3B
-Qu8lofvwQQxQrWnu3qzwqEfwb0iB2Ww=
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ebd3a2839..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index d117a3001..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
-
-  initiator_only = yes
-  integrity_test = yes
-
-  crypto_test {
-    required = yes
-    on_add = yes
-  }
-
-  plugins {
-    openssl {
-      fips_mode = 2
-    }
-  }
-}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index f37dae945..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekey=no
-	reauth=no
-	keyexchange=ikev2
-	ike=aes256gcm128-prfsha384-ecp384!
-	esp=aes256gcm128-ecp384!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem
deleted file mode 100644
index a71ffdca1..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCzCCAm2gAwIBAgIBFDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzE0MzE1MVoXDTIzMDYxMTE0MzE1MVowXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDM4NCBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
-PQIBBgUrgQQAIgNiAAQBXgnLJrtT2zS6BEj4WBRskabmIw8TVo3Q4+MyOBab2jzM
-AVE44VFjo/ihd1YCeTs8KyZY+w8XPnCqm+z+Z9NeU2tN5wLlVYSBwyYzL9+Nhnam
-F6qMSaPBnIE2CK2hgqGjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd
-BgNVHQ4EFgQUT4FEmRbCvjxKsXqruiQgzC50pj0weAYDVR0jBHEwb4AUul35cbYT
-tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
-eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2
-onV+Iu+miTAeBgNVHREEFzAVghNtb29uLnN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1
-MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l
-Yy5jcmwwCgYIKoZIzj0EAwIDgYsAMIGHAkIAhHCvrcHfCJbPcNDdyT4x3F3V2wq7
-96TzcVzlLJ+zSxr3Xo3eqOZaxAlnnoI4aQIukZ0RXzSCebDrOL9+k+5uRakCQU9k
-W5MphqYKOys+lQmpKBEnzZlM1QvFfUUiXwoxN8Ilc9c0nSVXKl9m/uPgP7GZjvaE
-J4juvRKmi2nMoxWIJtMt
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem
deleted file mode 100644
index ba7520f6c..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDDuG7KDU5nek/TFvZQIxg89wevYYa1/EDyQHLFanmbK1DTx07Wv9D/b
-BL5sHWEPNMGgBwYFK4EEACKhZANiAAQBXgnLJrtT2zS6BEj4WBRskabmIw8TVo3Q
-4+MyOBab2jzMAVE44VFjo/ihd1YCeTs8KyZY+w8XPnCqm+z+Z9NeU2tN5wLlVYSB
-wyYzL9+NhnamF6qMSaPBnIE2CK2hgqE=
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules
deleted file mode 100644
index cc12d1659..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT  -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT  -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
-
-# allow traffic tunnelled via IPsec
--A FORWARD -i eth0 -o eth1 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
--A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index feb5d79a6..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
-
-  integrity_test = yes
-
-  crypto_test {
-    required = yes
-    on_add = yes
-  }
-
-  plugins {
-    openssl {
-      fips_mode = 2
-    }
-  }
-}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat
deleted file mode 100644
index 1865a1c60..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat
deleted file mode 100644
index 290f57e69..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
-dave::expect-connection peer
-dave::ipsec up peer
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat
index 6e427b265..a067f6ded 100644
--- a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat
+++ b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat
@@ -2,8 +2,8 @@ carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED
 dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_DAVE local-port=4500 local-id=dave@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16]::YES
 moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*remote-vips=\[fec3:\:1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:1/128]::YES
 moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_DAVE remote-port=4500 remote-id=dave@strongswan.org.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128]::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-psk-ipv6/evaltest.dat b/testing/tests/sql/rw-psk-ipv6/evaltest.dat
index 63c8b6414..c483dec2b 100644
--- a/testing/tests/sql/rw-psk-ipv6/evaltest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
 dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
 moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=4500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
diff --git a/testing/tests/swanctl/config-payload/evaltest.dat b/testing/tests/swanctl/config-payload/evaltest.dat
index de62af271..1cc8d8240 100755
--- a/testing/tests/swanctl/config-payload/evaltest.dat
+++ b/testing/tests/swanctl/config-payload/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
 moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
 moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf
deleted file mode 100644
index 0340d5669..000000000
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-subnet 10.1.0.0 netmask 255.255.0.0 {
-  option routers 10.1.0.1;
-  option broadcast-address 10.1.255.255;
-  option domain-name servers PH_IP_WINNETOU PH_IP_VENUS
-  option netbios-name-servers PH_IP_VENUS;
-
-  # dynamic address pool for visitors
-  range 10.1.0.30 10.1.0.50;
-}
diff --git a/testing/tests/swanctl/frags-ipv6/evaltest.dat b/testing/tests/swanctl/frags-ipv6/evaltest.dat
index f7af441a4..61c94618b 100755
--- a/testing/tests/swanctl/frags-ipv6/evaltest.dat
+++ b/testing/tests/swanctl/frags-ipv6/evaltest.dat
@@ -11,8 +11,8 @@ carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED
 dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
 moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
 moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:20 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES
-alice::ping6 -c 1 ip6-carol.strongswan.org::64 bytes from ip6-carol.strongswan.org: icmp_seq=1::YES
-alice::ping6 -c 1 ip6-dave.strongswan.org::64 bytes from ip6-dave.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 ip6-carol.strongswan.org::64 bytes from ip6-carol.strongswan.org.*: icmp_seq=1::YES
+alice::ping6 -c 1 ip6-dave.strongswan.org::64 bytes from ip6-dave.strongswan.org.*: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/host2host-cert/description.txt b/testing/tests/swanctl/host2host-cert/description.txt
new file mode 100755
index 000000000..8f7e6e9f4
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/description.txt
@@ -0,0 +1,6 @@
+A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
+The authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/swanctl/host2host-cert/evaltest.dat b/testing/tests/swanctl/host2host-cert/evaltest.dat
new file mode 100755
index 000000000..29cd8bfbd
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/evaltest.dat
@@ -0,0 +1,6 @@
+
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..42176e76d
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+   host-host {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         host-host {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..eeaaeab1d
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+   host-host {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         host-host {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/host2host-cert/posttest.dat b/testing/tests/swanctl/host2host-cert/posttest.dat
new file mode 100755
index 000000000..3d7248cc8
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike host-host 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/host2host-cert/pretest.dat b/testing/tests/swanctl/host2host-cert/pretest.dat
new file mode 100755
index 000000000..b42dce654
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection host-host
+sun::expect-connection host-hhost
+moon::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/swanctl/host2host-cert/test.conf b/testing/tests/swanctl/host2host-cert/test.conf
new file mode 100755
index 000000000..52d886dcc
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/host2host-transport/description.txt b/testing/tests/swanctl/host2host-transport/description.txt
new file mode 100755
index 000000000..bc5a1299b
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/description.txt
@@ -0,0 +1,6 @@
+An IPsec <b>transport-mode</b> connection between the hosts <b>moon</b> and <b>sun</b>
+is successfully set up. The authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec connection, the updown script automatically
+inserts iptables-based firewall rules that let pass the protected traffic.
+In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/swanctl/host2host-transport/evaltest.dat b/testing/tests/swanctl/host2host-transport/evaltest.dat
new file mode 100755
index 000000000..8b103d087
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/evaltest.dat
@@ -0,0 +1,6 @@
+
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..c1e33eca3
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,31 @@
+connections {
+
+   host-host {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         host-host {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+            mode = transport
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0e94678e4
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,31 @@
+connections {
+
+   host-host {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         host-host {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+            mode = transport
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/host2host-transport/posttest.dat b/testing/tests/swanctl/host2host-transport/posttest.dat
new file mode 100755
index 000000000..3d7248cc8
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike host-host 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/host2host-transport/pretest.dat b/testing/tests/swanctl/host2host-transport/pretest.dat
new file mode 100755
index 000000000..b42dce654
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection host-host
+sun::expect-connection host-hhost
+moon::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/swanctl/host2host-transport/test.conf b/testing/tests/swanctl/host2host-transport/test.conf
new file mode 100755
index 000000000..52d886dcc
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/ip-pool-db/evaltest.dat b/testing/tests/swanctl/ip-pool-db/evaltest.dat
index 130a0b918..5133e426f 100755
--- a/testing/tests/swanctl/ip-pool-db/evaltest.dat
+++ b/testing/tests/swanctl/ip-pool-db/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
 moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES
diff --git a/testing/tests/swanctl/ip-pool/evaltest.dat b/testing/tests/swanctl/ip-pool/evaltest.dat
index 51ac523b8..36ab6c119 100755
--- a/testing/tests/swanctl/ip-pool/evaltest.dat
+++ b/testing/tests/swanctl/ip-pool/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
 moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES
 moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
 moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
diff --git a/testing/tests/swanctl/ip-two-pools-db/description.txt b/testing/tests/swanctl/ip-two-pools-db/description.txt
new file mode 100755
index 000000000..4bad7b1b7
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/description.txt
@@ -0,0 +1,14 @@
+The hosts <b>alice</b>, <b>venus</b>, <b>carol</b>, and <b>dave</b> set up tunnel connections
+to gateway <b>moon</b> in a <b>hub-and-spoke</b> fashion. Each host requests a <b>virtual IP</b>
+from gateway <b>moon</b> which assigns virtual IP addresses from a pool named <b>extpool</b>
+[10.3.0.1..10.3.1.244] to hosts connecting to the <b>eth0</b> (PH_IP_MOON) interface and virtual
+IP addresses from a pool named <b>intpool</b> [10.4.0.1..10.4.1.244] to hosts connecting to
+the <b>eth1</b> (PH_IP_MOON1) interface.
+Thus <b>carol</b> and <b>dave</b> are assigned <b>PH_IP_CAROL1</b> and <b>PH_IP_DAVE1</b>,
+respectively, whereas <b>alice</b> and <b>venus</b> get <b>10.4.0.1</b> and <b>10.4.0.2</b>,
+respectively.
+<p>
+By defining the composite traffic selector <b>10.3.0.0/16,10.4.0.0/16</b>, each of the four
+spokes can securely reach any other spoke via the central hub <b>moon</b>. This is
+demonstrated by <b>alice</b> and <b>dave</b> pinging the assigned virtual IP addresses
+of <b>carol</b> and <b>venus</b>.
diff --git a/testing/tests/swanctl/ip-two-pools-db/evaltest.dat b/testing/tests/swanctl/ip-two-pools-db/evaltest.dat
new file mode 100755
index 000000000..16dc23669
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/evaltest.dat
@@ -0,0 +1,35 @@
+moon:: ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES
+moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES
+moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org 2> /dev/null::online::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
+venus::cat /var/log/daemon.log::installing new virtual IP 10.4.0.2::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+alice::cat /var/log/daemon.log::installing DNS server PH_IP_ALICE to /etc/resolv.conf::YES
+venus::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS to /etc/resolv.conf::YES
+alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
+alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
+dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+venus:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*ext.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*ext.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: swanctl --list-sas --ike-id 3 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*int.*reqid=3 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.20 remote-port=4500 remote-id=venus.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.2] child-sas.*int.*reqid=4 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.2/32]::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
+dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+dave::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+venus::tcpdump::IP moon1.strongswan.org > venus.strongswan.org: ESP::YES
+venus::tcpdump::IP venus.strongswan.org > moon1.strongswan.org: ESP::YES
+
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf
new file mode 100755
index 000000000..f021e9c96
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7dfef4e38
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 10.1.0.10
+      remote_addrs = 10.1.0.1
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = aliceCert.pem
+         id = alice@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.3.0.0/16,10.4.0.0/16
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..f021e9c96
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..fca6efb2e
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.3.0.0/16,10.4.0.0/16
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..f021e9c96
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..1f0b361ec
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.3.0.0/16,10.4.0.0/16
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..fba531a52
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl sqlite attr-sql kernel-netlink socket-default updown vici
+
+  plugins {
+    attr-sql {
+      database = sqlite:///etc/db.d/ipsec.db
+    }
+  }
+}
+
+pool {
+  load = sqlite
+  database = sqlite:///etc/db.d/ipsec.db
+}
\ No newline at end of file
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..d719d7aad
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,48 @@
+connections {
+
+   ext {
+      local_addrs  = 192.168.0.1
+      pools = extpool
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         ext {
+            local_ts = 10.3.0.0/16,10.4.0.0/16
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+
+   int {
+      local_addrs  = 10.1.0.1
+      pools = intpool
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         int {
+            local_ts = 10.3.0.0/16,10.4.0.0/16
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf
new file mode 100755
index 000000000..f021e9c96
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..906b7bdea
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 10.1.0.20
+      remote_addrs = 10.1.0.1
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = venusCert.pem
+         id = venus.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.3.0.0/16,10.4.0.0/16
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/posttest.dat b/testing/tests/swanctl/ip-two-pools-db/posttest.dat
new file mode 100755
index 000000000..cbb2c2498
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/posttest.dat
@@ -0,0 +1,18 @@
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+venus::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+moon::ip route del 10.3.0.0/16 via PH_IP_MOON
+moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
+moon::ipsec pool --del extpool 2> /dev/null
+moon::ipsec pool --del intpool 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
+
diff --git a/testing/tests/swanctl/ip-two-pools-db/pretest.dat b/testing/tests/swanctl/ip-two-pools-db/pretest.dat
new file mode 100755
index 000000000..7229eee7c
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/pretest.dat
@@ -0,0 +1,30 @@
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+moon::ipsec pool --add extpool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null
+moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout  0 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
+moon::ipsec pool --statusattr 2> /dev/null
+moon::ip route add 10.3.0.0/16 via PH_IP_MOON
+moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+venus::systemctl start strongswan-swanctl
+moon::expect-connection int
+moon::expect-connection ext
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
+alice::expect-connection home
+alice::swanctl --initiate --child home 2> /dev/null
+venus::expect-connection home
+venus::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/test.conf b/testing/tests/swanctl/ip-two-pools-db/test.conf
index 05d40f98d..9394e0289 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius-pts/test.conf
+++ b/testing/tests/swanctl/ip-two-pools-db/test.conf
@@ -5,7 +5,7 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
@@ -13,20 +13,16 @@ DIAGRAM="a-v-m-c-w-d.png"
 
 # Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS="moon"
+TCPDUMPHOSTS="alice venus carol dave"
 
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol dave"
-
-# Guest instances on which FreeRadius is started
-#
-RADIUSHOSTS="alice"
+IPSECHOSTS="alice venus moon carol dave"
 
 # Guest instances on which databases are used
 #
-DBHOSTS="alice"
+DBHOSTS="moon"
 
 # charon controlled by swanctl
 #
diff --git a/testing/tests/swanctl/ip-two-pools/description.txt b/testing/tests/swanctl/ip-two-pools/description.txt
new file mode 100755
index 000000000..df9f54a66
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/description.txt
@@ -0,0 +1,9 @@
+The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
+Both hosts request a <b>virtual IP</b> via the IKEv2 configuration payload.
+Gateway <b>moon</b> assigns virtual IP addresses from <b>pool1</b> with an address range of
+<b>10.3.0.0/28</b> to hosts connecting to the <b>eth0</b> (192.168.0.1) interface and
+virtual IP addresses from  <b>pool2</b> with an address range of <b>10.4.0.0/28</b> to hosts
+connecting to the <b>eth1</b> (10.1.0.1) interface.
+<p>
+Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and
+both ping the gateway <b>moon</b>.
diff --git a/testing/tests/swanctl/ip-two-pools/evaltest.dat b/testing/tests/swanctl/ip-two-pools/evaltest.dat
new file mode 100755
index 000000000..cb3b60f4d
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/evaltest.dat
@@ -0,0 +1,18 @@
+moon:: swanctl --list-pools --raw --name pool1 2> /dev/null::pool1.*base=10.3.0.0 size=14 online=1 offline=0::YES
+moon:: swanctl --list-pools --raw --name pool2 2> /dev/null::pool2.*base=10.4.0.0 size=14 online=1 offline=0::YES
+moon:: swanctl --list-pools --raw --name pool1 --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
+moon:: swanctl --list-pools --raw --name pool2 --leases 2> /dev/null::address=10.4.0.1 identity=alice@strongswan.org status=online::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.4.0.1 to peer.*alice@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[192.168.0.1/32]::YES
+alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.1.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*rw1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw2.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*rw2.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.1/32] remote-ts=\[10.4.0.1/32]::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..509fe678f
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 10.1.0.10
+      remote_addrs = 10.1.0.1
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = aliceCert.pem
+         id = alice@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..60b216e62
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..cf4e54024
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,55 @@
+connections {
+
+   rw1 {
+      local_addrs  = 192.168.0.1
+      pools = pool1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         rw1 {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+
+   rw2 {
+      local_addrs  = 10.1.0.1
+      pools = pool2
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         rw2 {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+pools {
+   pool1 {
+      addrs = 10.3.0.0/28
+   }
+   pool2 {
+      addrs = 10.4.0.0/28
+   }
+}
diff --git a/testing/tests/swanctl/ip-two-pools/posttest.dat b/testing/tests/swanctl/ip-two-pools/posttest.dat
new file mode 100755
index 000000000..0cfeeb120
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+alice::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/ip-two-pools/pretest.dat b/testing/tests/swanctl/ip-two-pools/pretest.dat
new file mode 100755
index 000000000..95a32febc
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+alice::expect-connection home
+alice::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf b/testing/tests/swanctl/ip-two-pools/test.conf
index f29298850..5f67b7ed5 100644..100755
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
+++ b/testing/tests/swanctl/ip-two-pools/test.conf
@@ -9,13 +9,17 @@ VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w-d.png"
+DIAGRAM="a-m-c-w.png"
 
 # Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS="moon"
+TCPDUMPHOSTS="carol alice"
 
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol dave"
+IPSECHOSTS="moon carol alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2057b5193
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  files
+  eap {
+    ok = return
+  }
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..aa6f98076
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+228060123456001	EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+228060123456002	EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
deleted file mode 100644
index 10c26aa15..000000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
+++ /dev/null
@@ -1,3 +0,0 @@
-sim_files {
-	simtriplets = "/etc/freeradius/triplets.dat"
-}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
index 91425f812..51b64a74b 100644
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
@@ -2,8 +2,19 @@ authorize {
   preprocess
   chap
   mschap
-  sim_files
+  files
   suffix
+  update reply {
+    EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+    EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+    EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+    EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+    EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+    EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+    EAP-Sim-KC1   := "%{control:EAP-Sim-KC1}"
+    EAP-Sim-KC2   := "%{control:EAP-Sim-KC2}"
+    EAP-Sim-KC3   := "%{control:EAP-Sim-KC3}"
+  }
   eap {
     ok = return
   }
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
deleted file mode 100644
index aaabab89e..000000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
-228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
-228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
-228060123456002,33000000000000000000000000000000,33112233,335566778899AABB
-228060123456002,34000000000000000000000000000000,34112233,345566778899AABB
-228060123456002,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
index e69de29bb..aa6f98076 100644
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+228060123456001	EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+228060123456002	EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat
index 010a4f9c4..93b379348 100644
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat
@@ -1,4 +1,4 @@
 carol::systemctl stop strongswan-swanctl
 dave::systemctl stop strongswan-swanctl
 moon::systemctl stop strongswan-swanctl
-alice::killall radiusd
+alice::killall freeradius
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat
index 57d39a5e6..10150f03c 100644
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat
@@ -1,10 +1,6 @@
-alice::cat /etc/freeradius/clients.conf
-alice::cat /etc/freeradius/eap.conf
-alice::cat /etc/freeradius/proxy.conf
-alice::cat /etc/freeradius/triplets.dat
 carol::cat /etc/ipsec.d/triplets.dat
 dave::cat /etc/ipsec.d/triplets.dat
-alice::radiusd
+alice::freeradius
 moon::systemctl start strongswan-swanctl
 carol::systemctl start strongswan-swanctl
 dave::systemctl start strongswan-swanctl
diff --git a/testing/tests/swanctl/nat-rw-psk/description.txt b/testing/tests/swanctl/nat-rw-psk/description.txt
new file mode 100644
index 000000000..7754c7f39
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Each roadwarrior shares its own Pre-Shared Key (PSK) with the gateway <b>sun</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/swanctl/nat-rw-psk/evaltest.dat b/testing/tests/swanctl/nat-rw-psk/evaltest.dat
new file mode 100644
index 000000000..cd171e8c9
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/evaltest.dat
@@ -0,0 +1,14 @@
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon:: sleep 6::no output expected::NO
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=10.1.0.10 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=10.1.0.20 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
+sun::  swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.10.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
+sun::  swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.20.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
+alice::cat /var/log/daemon.log::sending keep alive::YES
+venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..fd9bf8c7c
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+  keep_alive = 5
+}
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..2d601c122
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   nat-t {
+      local_addrs  = 10.1.0.10
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = psk
+         id = 10.1.0.10
+      }
+      remote {
+         auth = psk
+         id = 192.168.0.2
+      }
+      children {
+         nat-t {
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+   ike-sun {
+      id = 192.168.0.2
+      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+   }
+}
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..7625e5066
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..f7a542d4d
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+   nat-t {
+      local_addrs = 192.168.0.2
+
+      local {
+         auth = psk
+         id = 192.168.0.2
+      }
+      remote {
+         auth = psk
+      }
+      children {
+         nat-t {
+            local_ts = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+   ike-alice {
+      id = 10.1.0.10
+      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+   }
+   ike-venus {
+      id = 10.1.0.20
+      secret = 0s8PjpI8z+Ym5A9zPvh7+opyyV9NcZp8Br
+   }
+}
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..fd9bf8c7c
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+  keep_alive = 5
+}
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..654489dfc
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+   nat-t {
+      local_addrs  = 10.1.0.20
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = psk
+         id = 10.1.0.20
+      }
+      remote {
+         auth = psk
+         id = 192.168.0.2
+      }
+      children {
+         nat-t {
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+   ike-sun {
+      id = 192.168.0.2
+      secret = 0s8PjpI8z+Ym5A9zPvh7+opyyV9NcZp8Br
+   }
+}
+
diff --git a/testing/tests/swanctl/nat-rw-psk/posttest.dat b/testing/tests/swanctl/nat-rw-psk/posttest.dat
new file mode 100644
index 000000000..a41653640
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/posttest.dat
@@ -0,0 +1,7 @@
+sun::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+venus::systemctl stop strongswan-swanctl
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
diff --git a/testing/tests/swanctl/nat-rw-psk/pretest.dat b/testing/tests/swanctl/nat-rw-psk/pretest.dat
new file mode 100644
index 000000000..906c5b006
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/pretest.dat
@@ -0,0 +1,16 @@
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+alice::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
+venus::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
+sun::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+sun::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+venus::systemctl start strongswan-swanctl
+sun::expect-connection nat-t
+alice::expect-connection nat-t
+alice::swanctl --initiate --child nat-t
+venus::expect-connection nat-t
+venus::swanctl --initiate --child nat-t
diff --git a/testing/tests/swanctl/nat-rw-psk/test.conf b/testing/tests/swanctl/nat-rw-psk/test.conf
new file mode 100644
index 000000000..ecc95b837
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/nat-rw/description.txt b/testing/tests/swanctl/nat-rw/description.txt
new file mode 100644
index 000000000..1ee91b74d
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/swanctl/nat-rw/evaltest.dat b/testing/tests/swanctl/nat-rw/evaltest.dat
new file mode 100644
index 000000000..ae6aaed33
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/evaltest.dat
@@ -0,0 +1,14 @@
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon:: sleep 6::no output expected::NO
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
+sun::  swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
+sun::  swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
+alice::cat /var/log/daemon.log::sending keep alive::YES
+venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..fd9bf8c7c
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+  keep_alive = 5
+}
diff --git a/testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..61f769637
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   nat-t {
+      local_addrs  = 10.1.0.10
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = aliceCert.pem
+         id = alice@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         nat-t {
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..7625e5066
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..637260de8
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   nat-t {
+      local_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         nat-t {
+            local_ts = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..fd9bf8c7c
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+  keep_alive = 5
+}
diff --git a/testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0ea7c4055
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   nat-t {
+      local_addrs  = 10.1.0.20
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = venusCert.pem
+         id = venus.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         nat-t {
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/nat-rw/posttest.dat b/testing/tests/swanctl/nat-rw/posttest.dat
new file mode 100644
index 000000000..a41653640
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/posttest.dat
@@ -0,0 +1,7 @@
+sun::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+venus::systemctl stop strongswan-swanctl
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
diff --git a/testing/tests/swanctl/nat-rw/pretest.dat b/testing/tests/swanctl/nat-rw/pretest.dat
new file mode 100644
index 000000000..63c9d359e
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/pretest.dat
@@ -0,0 +1,13 @@
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+sun::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+venus::systemctl start strongswan-swanctl
+sun::expect-connection nat-t
+alice::expect-connection nat-t
+alice::swanctl --initiate --child nat-t
+venus::expect-connection nat-t
+venus::swanctl --initiate --child nat-t
diff --git a/testing/tests/swanctl/nat-rw/test.conf b/testing/tests/swanctl/nat-rw/test.conf
new file mode 100644
index 000000000..ecc95b837
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt b/testing/tests/swanctl/net2net-psk/description.txt
index bd680b57a..e064a99de 100644..100755
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt
+++ b/testing/tests/swanctl/net2net-psk/description.txt
@@ -1,6 +1,7 @@
 A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>OpenPGP V3 keys</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+The authentication is based on <b>Preshared Keys</b> (PSK).
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
 inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
 pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/swanctl/net2net-psk/evaltest.dat b/testing/tests/swanctl/net2net-psk/evaltest.dat
new file mode 100755
index 000000000..4c56d5299
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/evaltest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..5e2480ee2
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,55 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = psk
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+   ike-1 {
+      id-1 = moon.strongswan.org
+      secret = 0x45a30759df97dc26a15b88ff
+   }
+   ike-2 {
+      id-2 = sun.strongswan.org
+      secret = "This is a strong password"
+   }
+   ike-3 {
+      id-3a = moon.strongswan.org
+      id-3b =sun.strongswan.org
+      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+   }
+   ike-4 {
+      secret = 'My "home" is my "castle"!'
+   }
+   ike-5 {
+     id-5 = 192.168.0.1
+     secret = "Andi's home"
+   }
+}
\ No newline at end of file
diff --git a/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b6fc72b7a
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = psk
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = psk
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+   ike-1 {
+      id-moon = moon.strongswan.org
+      id-sun =sun.strongswan.org
+      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+   }
+}
diff --git a/testing/tests/swanctl/net2net-psk/posttest.dat b/testing/tests/swanctl/net2net-psk/posttest.dat
new file mode 100755
index 000000000..755f0e5f8
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/net2net-psk/pretest.dat b/testing/tests/swanctl/net2net-psk/pretest.dat
new file mode 100755
index 000000000..e82d539fb
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+sun::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/swanctl/net2net-psk/test.conf b/testing/tests/swanctl/net2net-psk/test.conf
new file mode 100755
index 000000000..07a3b247a
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-cert-pss/evaltest.dat b/testing/tests/swanctl/rw-cert-pss/evaltest.dat
index a62fda968..c4106c678 100755
--- a/testing/tests/swanctl/rw-cert-pss/evaltest.dat
+++ b/testing/tests/swanctl/rw-cert-pss/evaltest.dat
@@ -1,7 +1,7 @@
-carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256 successful::YES
-moon ::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256 successful::YES
-moon ::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA_EMSA_PSS_SHA2_512 successful::YES
-moon ::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA_EMSA_PSS_SHA2_384 successful::YES
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256_SALT_32 successful::YES
+dave ::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256_SALT_32 successful::YES
+moon ::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA_EMSA_PSS_SHA2_512_SALT_64 successful::YES
+moon ::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA_EMSA_PSS_SHA2_384_SALT_48 successful::YES
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
 carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
diff --git a/testing/tests/swanctl/rw-cert/description.txt b/testing/tests/swanctl/rw-cert/description.txt
index 6af7a39ae..f190c0752 100755
--- a/testing/tests/swanctl/rw-cert/description.txt
+++ b/testing/tests/swanctl/rw-cert/description.txt
@@ -1,5 +1,6 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+<p/>
 Upon the successful establishment of the IPsec tunnels, the updown script
 automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt b/testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt
new file mode 100644
index 000000000..c39829dd5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt
@@ -0,0 +1,11 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method used in UMTS, but here a secret defined in <b>swanctl.conf</b>
+is used instead of a USIM/(R)UIM device.
+<p/>
+In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior <b>carol</b>
+uses the EAP identity <b>carol</b>.
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat
new file mode 100644
index 000000000..a655543f9
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..1582b2b01
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..4aabbaba1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = eap
+         id = carol@strongswan.org
+         eap_id = carol
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol
+      secret = "Ar3etTnp01qlpOgb"
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1582b2b01
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..d68d1f474
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   rw-eap {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-aka
+         eap_id = %any
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol
+      secret = "Ar3etTnp01qlpOgb"
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat
new file mode 100644
index 000000000..8cc1c4dc5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf
index 4a5fc470f..97b89cb61 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf
@@ -5,11 +5,11 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="a-m-c.png"
 
 # Guest instances on which tcpdump is to be started
 #
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/description.txt b/testing/tests/swanctl/rw-eap-aka-rsa/description.txt
new file mode 100644
index 000000000..0138e35f5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/description.txt
@@ -0,0 +1,8 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method used in UMTS, but here a secret defined in <b>swanctl.conf</b>
+is used instead of a USIM/(R)UIM device.
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat
new file mode 100644
index 000000000..0d4f74197
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..4d4fc3583
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf
index ff58c7c9a..e3d6e50c0 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -2,34 +2,33 @@ connections {
 
    home {
       local_addrs  = 192.168.0.100
-      remote_addrs = 192.168.0.1 
+      remote_addrs = 192.168.0.1
 
       local {
          auth = eap
-         aaa_id = aaa.strongswan.org
          id = carol@strongswan.org
       }
       remote {
-         auth = pubkey 
-         id = moon.strongswan.org 
+         auth = pubkey
+         id = moon.strongswan.org
       }
       children {
          home {
-            remote_ts = 10.1.0.0/16 
+            remote_ts = 10.1.0.0/16
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm16-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
 secrets {
 
-   eap {
+   eap-carol {
       id = carol@strongswan.org
-      secret = "Ar3etTnp"
+      secret = "Ar3etTnp01qlpOgb"
    }
 }
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4d4fc3583
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..609309f05
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+   rw-eap {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-aka
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp01qlpOgb"
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat
new file mode 100644
index 000000000..8cc1c4dc5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf b/testing/tests/swanctl/rw-eap-aka-rsa/test.conf
index c3f38054b..97b89cb61 100644
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/test.conf
@@ -5,11 +5,11 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice moon carol dave winnetou"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w-d.png"
+DIAGRAM="a-m-c.png"
 
 # Guest instances on which tcpdump is to be started
 #
@@ -18,4 +18,8 @@ TCPDUMPHOSTS="moon"
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol dave"
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt b/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt
new file mode 100644
index 000000000..42db2e199
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt
@@ -0,0 +1,10 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>MD5</i> (<b>EAP-MD5</b>) method of the
+<i>Extensible Authentication Protocol</i> to authenticate herself.
+<p/>
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>.
+In addition to her IKEv2 identity<b>carol@strongswan.org</b>, roadwarrior
+<b>carol</b> uses the EAP identity <b>carol</b>.
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat
new file mode 100644
index 000000000..3080ec15a
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  suffix
+  eap {
+    ok = return
+  }
+  files
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
index dd0825858..dd0825858 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..d2cc789b3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..590a2b7cf
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = eap
+         id = carol@strongswan.org
+         eap_id = carol
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol
+      secret = Ar3etTnp
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules
index 1eb755354..1eb755354 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fa363c345
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
+
+  plugins {
+    eap-radius {
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..9a59fc15e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   rw-eap {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-radius
+         id = *@strongswan.org
+         eap_id = %any
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat
new file mode 100644
index 000000000..f32a56960
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat
new file mode 100644
index 000000000..84ba602c4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11-supplicant/test.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/test.conf
index 2069e4aa5..0d9e9f3d4 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/test.conf
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/test.conf
@@ -5,20 +5,20 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="a-m-c.png"
 
 # Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=
+TCPDUMPHOSTS="moon"
 
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="carol dave"
+IPSECHOSTS="moon carol"
 
 # Guest instances on which FreeRadius is started
 #
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/description.txt b/testing/tests/swanctl/rw-eap-md5-radius/description.txt
new file mode 100644
index 000000000..f0f241dc1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>MD5</i> (<b>EAP-MD5</b>) method of the
+<i>Extensible Authentication Protocol</i> to authenticate herself.
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>.
\ No newline at end of file
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat
new file mode 100644
index 000000000..09a78be83
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  suffix
+  eap {
+    ok = return
+  }
+  files
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
index dd0825858..dd0825858 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e57629f2e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf
index ff58c7c9a..158c26b72 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -2,34 +2,33 @@ connections {
 
    home {
       local_addrs  = 192.168.0.100
-      remote_addrs = 192.168.0.1 
+      remote_addrs = 192.168.0.1
 
       local {
          auth = eap
-         aaa_id = aaa.strongswan.org
          id = carol@strongswan.org
       }
       remote {
-         auth = pubkey 
-         id = moon.strongswan.org 
+         auth = pubkey
+         id = moon.strongswan.org
       }
       children {
          home {
-            remote_ts = 10.1.0.0/16 
+            remote_ts = 10.1.0.0/16
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm16-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
 secrets {
 
-   eap {
+   eap-carol {
       id = carol@strongswan.org
-      secret = "Ar3etTnp"
+      secret = Ar3etTnp
    }
 }
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules
index 1eb755354..1eb755354 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+  plugins {
+    eap-radius {
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf
index 28b32b74c..ad6d62896 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -1,27 +1,27 @@
 connections {
 
-   rw {
+   rw-eap {
       local_addrs  = 192.168.0.1
 
       local {
-         auth = pubkey 
-         id = moon.strongswan.org
+         auth = pubkey
          certs = moonCert.pem
+         id = moon.strongswan.org
       }
       remote {
          auth = eap-radius
          id = *@strongswan.org
       }
       children {
-         rw {
-            local_ts = 10.1.0.0/16
+         net {
+            local_ts  = 10.1.0.0/16
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm16-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       send_certreq = no
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat b/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat
new file mode 100644
index 000000000..f32a56960
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat b/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat
new file mode 100644
index 000000000..84ba602c4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/test.conf b/testing/tests/swanctl/rw-eap-md5-radius/test.conf
new file mode 100644
index 000000000..0d9e9f3d4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/test.conf
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/description.txt b/testing/tests/swanctl/rw-eap-md5-rsa/description.txt
new file mode 100644
index 000000000..08fd89b65
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>MD5</i> (<b>EAP-MD5</b>) method of the
+<i>Extensible Authentication Protocol</i> to authenticate herself.
+
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat
new file mode 100644
index 000000000..c0026af4f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e57629f2e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..158c26b72
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = eap
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = Ar3etTnp
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e57629f2e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..13816d778
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,39 @@
+connections {
+
+   rw-eap {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-md5
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = Ar3etTnp
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = W7R0g3do
+   }
+}
+
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat
new file mode 100644
index 000000000..8cc1c4dc5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/test.conf b/testing/tests/swanctl/rw-eap-md5-rsa/test.conf
new file mode 100644
index 000000000..97b89cb61
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt
new file mode 100644
index 000000000..95afc08b5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt
@@ -0,0 +1,10 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Microsoft CHAP version 2</i> (<b>EAP-MSCHAPV2</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method is used e.g. by the Windows 7/8/10 Agile VPN client.
+<p/>
+In addition to her IKEv2 identity which defaults to her IP address,
+roadwarrior <b>carol</b> uses the EAP identity <b>carol</b>.
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat
new file mode 100644
index 000000000..a1c2d4e88
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat
@@ -0,0 +1,11 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*carol
+moon:: cat /var/log/daemon.log::EAP method EAP_MSCHAPV2 succeeded, no MSK established
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100 remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..d9210aeb5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf
index 1516ad726..1b5c5d99f 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -6,8 +6,7 @@ connections {
 
       local {
          auth = eap
-         aaa_id = aaa.strongswan.org
-         id = carol@strongswan.org
+         eap_id = carol
       }
       remote {
          auth = pubkey 
@@ -18,18 +17,18 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm16-ecp256
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-ecp256
+      proposals = aes128-sha256-x25519
    }
 }
 
 secrets {
 
-   eap {
-      id = carol@strongswan.org
-      secret = "Ar3etTnp"
+   eap-carol {
+      id = carol
+      secret = Ar3etTnp
    }
 }
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..d9210aeb5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..d7c1f68ce
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+   rw-eap {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-mschapv2
+         eap_id = %any
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol
+      secret = Ar3etTnp
+   }
+   eap-dave {
+      id = dave
+      secret = W7R0g3do
+   }
+}
+
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat
new file mode 100644
index 000000000..8cc1c4dc5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf
new file mode 100644
index 000000000..97b89cb61
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt b/testing/tests/swanctl/rw-eap-peap-md5/description.txt
index d5f0b267a..7f9ade88a 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt
+++ b/testing/tests/swanctl/rw-eap-peap-md5/description.txt
@@ -1,10 +1,10 @@
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-The strong mutual authentication is based on <b>EAP-TTLS</b> only (without a separate IKEv2
+The strong mutual authentication is based on <b>EAP-PEAP</b> only (without a separate IKEv2
 authentication) with the gateway being authenticated by a server certificate during the
-EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client
-authentication based on <b>EAP-MD5</b> (phase2 of EAP-TTLS).
+EAP-TLS tunnel setup (phase1 of EAP-PEAP). This tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b> (phase2 of EAP-PEAP).
 <p/>
-With the setting <b>charon.plugins.eap-ttls.phase2_piggyback = yes</b> the server <b>moon</b>
-initiates phase2 of the EAP-TTLS protocol by piggybacking a tunneled EAP Identity request
+With the setting <b>charon.plugins.eap-peap.phase2_piggyback = yes</b> the server <b>moon</b>
+initiates phase2 of the EAP-PEAP protocol by piggybacking a tunneled EAP Identity request
 right onto the TLS Finished message. Client <b>carol</b> presents the correct MD5 password
 and succeeds whereas client <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat b/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat
new file mode 100644
index 000000000..20ec1561e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat
@@ -0,0 +1,17 @@
+carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..733ab2afb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+
+  multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf
index 0f266dd93..db82791b8 100644..100755
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
 
    home {
       local_addrs  = 192.168.0.100
-      remote_addrs = 192.168.0.1 
+      remote_addrs = 192.168.0.1
 
       local {
-         auth = eap-ttls
+         auth = eap
          id = carol@strongswan.org
       }
       remote {
-         auth = eap-ttls
-         id = moon.strongswan.org 
+         auth = eap-peap
+         id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
       }
       children {
          home {
-            remote_ts = 10.1.0.0/16 
+            remote_ts = 10.1.0.0/16
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm16-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       send_certreq = no
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
 secrets {
 
-   eap {
+   eap-carol {
       id = carol@strongswan.org
-      secret = "Ar3etTnp"
+      secret = Ar3etTnp
    }
 }
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..733ab2afb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+
+  multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf
index 989ab88c7..7f3b8104b 100644..100755
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
 
    home {
       local_addrs  = 192.168.0.200
-      remote_addrs = 192.168.0.1 
+      remote_addrs = 192.168.0.1
 
       local {
-         auth = eap-ttls
+         auth = eap
          id = dave@strongswan.org
       }
       remote {
-         auth = eap-ttls
-         id = moon.strongswan.org 
+         auth = eap-peap
+         id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
       }
       children {
          home {
-            remote_ts = 10.1.0.0/16 
+            remote_ts = 10.1.0.0/16
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm16-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       send_certreq = no
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
 secrets {
 
-   eap {
+   eap-dave {
       id = dave@strongswan.org
-      secret = "W7R0g3do"
+      secret = UgaM65Va
    }
 }
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4b5445999
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,22 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+
+  multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+  plugins {
+    eap-peap {
+      phase2_method = md5
+      phase2_piggyback = yes
+    }
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0bb3bfd28
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,37 @@
+connections {
+
+   rw-eap {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-peap
+         certs = moonCert.pem
+      }
+      remote {
+         auth = eap-peap
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = Ar3etTnp
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = W7R0g3do
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-fhh/posttest.dat b/testing/tests/swanctl/rw-eap-peap-md5/posttest.dat
index 199873ba1..199873ba1 100644
--- a/testing/tests/tnc/tnccs-11-fhh/posttest.dat
+++ b/testing/tests/swanctl/rw-eap-peap-md5/posttest.dat
diff --git a/testing/tests/tnc/tnccs-20-fhh/pretest.dat b/testing/tests/swanctl/rw-eap-peap-md5/pretest.dat
index 79340af29..9ae476e64 100644
--- a/testing/tests/tnc/tnccs-20-fhh/pretest.dat
+++ b/testing/tests/swanctl/rw-eap-peap-md5/pretest.dat
@@ -1,19 +1,12 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
 moon::systemctl start strongswan-swanctl
 carol::systemctl start strongswan-swanctl
 dave::systemctl start strongswan-swanctl
-moon::expect-connection rw-allow
+moon::expect-connection rw-eap
 carol::expect-connection home
 carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf b/testing/tests/swanctl/rw-eap-peap-md5/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf
+++ b/testing/tests/swanctl/rw-eap-peap-md5/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt b/testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt
new file mode 100644
index 000000000..ef2d24f2f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The strong mutual authentication is based on <b>EAP-PEAP</b> only (without a separate IKEv2
+authentication) with the gateway being authenticated by a server certificate during the
+EAP-TLS tunnel setup (phase1 of EAP-PEAP). This tunnel protects the ensuing weak client
+authentication based on <b>EAP-MSCHAPv2</b> (phase2 of EAP-PEAP).
+<p/>
+Client <b>carol</b> presents the correct MSCHAPv2 password and succeeds whereas client
+<b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat
new file mode 100644
index 000000000..dc56ba850
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat
@@ -0,0 +1,17 @@
+carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..6f227cc3a
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+
+  multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..db82791b8
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = eap
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-peap
+         id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = Ar3etTnp
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..6f227cc3a
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+
+  multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf
index 5af2098b6..7f3b8104b 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
 
    home {
       local_addrs  = 192.168.0.200
-      remote_addrs = 192.168.0.1 
+      remote_addrs = 192.168.0.1
 
       local {
          auth = eap
-         aaa_id = aaa.strongswan.org
          id = dave@strongswan.org
       }
       remote {
-         auth = pubkey 
-         id = moon.strongswan.org 
+         auth = eap-peap
+         id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
       }
       children {
          home {
-            remote_ts = 10.1.0.0/16 
+            remote_ts = 10.1.0.0/16
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm16-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      send_certreq = no
+      proposals = aes128-sha256-x25519
    }
 }
 
 secrets {
 
-   eap {
+   eap-dave {
       id = dave@strongswan.org
-      secret = "W7R0g3do"
+      secret = UgaM65Va
    }
 }
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..3b498d93b
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,21 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+
+  multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+  plugins {
+    eap-peap {
+      phase2_method = mschapv2
+    }
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0bb3bfd28
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,37 @@
+connections {
+
+   rw-eap {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-peap
+         certs = moonCert.pem
+      }
+      remote {
+         auth = eap-peap
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = Ar3etTnp
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = W7R0g3do
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-fhh/posttest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat
index 199873ba1..199873ba1 100644
--- a/testing/tests/tnc/tnccs-20-fhh/posttest.dat
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat
diff --git a/testing/tests/tnc/tnccs-11-fhh/pretest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat
index 79340af29..9ae476e64 100644
--- a/testing/tests/tnc/tnccs-11-fhh/pretest.dat
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat
@@ -1,19 +1,12 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
 moon::systemctl start strongswan-swanctl
 carol::systemctl start strongswan-swanctl
 dave::systemctl start strongswan-swanctl
-moon::expect-connection rw-allow
+moon::expect-connection rw-eap
 carol::expect-connection home
 carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/description.txt b/testing/tests/swanctl/rw-eap-peap-radius/description.txt
new file mode 100644
index 000000000..004068226
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> and <b>dave</b> et up an <b>EAP-PEAP</b> tunnel each via
+gateway <b>moon</b> to the RADIUS server <b>alice</b> authenticated by an X.509
+AAA certificate. The strong EAP-PEAP tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b>. <b>carol</b> presents the correct MD5 password
+and succeeds whereas <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat
new file mode 100644
index 000000000..291e249da
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat
@@ -0,0 +1,17 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..0ae8befe4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,21 @@
+eap {
+  md5 {
+  }
+  default_eap_type = peap
+
+  tls-config tls-common {
+    private_key_file = ${certdir}/aaaKey.pem
+    certificate_file = ${certdir}/aaaCert.pem
+    ca_file = ${cadir}/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = ${certdir}/dh
+    random_file = ${certdir}/random
+  }
+
+  peap {
+    tls = tls-common
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  suffix
+  eap {
+    ok = return
+  }
+  files
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..6ce9d6391
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
@@ -0,0 +1,38 @@
+server inner-tunnel {
+
+authorize {
+  filter_username
+  suffix
+  eap {
+    ok = return
+  }
+  files
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    update outer.session-state {
+      &Module-Failure-Message := &request:Module-Failure-Message
+    }
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
index 31556361e..11d3e2acd 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
@@ -1,7 +1,7 @@
 eap {
   md5 {
   }
-  default_eap_type = ttls
+  default_eap_type = peap
   tls {
     private_key_file = /etc/raddb/certs/aaaKey.pem
     certificate_file = /etc/raddb/certs/aaaCert.pem
@@ -10,16 +10,9 @@ eap {
     dh_file = /etc/raddb/certs/dh
     random_file = /etc/raddb/certs/random
   }
-  ttls {
+  peap {
     default_eap_type = md5
     use_tunneled_reply = yes
     virtual_server = "inner-tunnel"
-    tnc_virtual_server = "inner-tunnel-second"
   }
 }
-
-eap eap_tnc {
-      default_eap_type = tnc
-      tnc {
-      }
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
index dd0825858..dd0825858 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..cb7743f82
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7ffdd1f4c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = eap
+         id = carol@strongswan.org
+         aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+     }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = Ar3etTnp
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..cb7743f82
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf
index 07b35dcb9..97c0b7057 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
 
    home {
       local_addrs  = 192.168.0.200
-      remote_addrs = 192.168.0.1 
+      remote_addrs = 192.168.0.1
 
       local {
          auth = eap
-         aaa_id = aaa.strongswan.org
          id = dave@strongswan.org
+         aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
       }
       remote {
-         auth = pubkey 
-         id = moon.strongswan.org 
+         auth = pubkey
+         id = moon.strongswan.org
       }
       children {
          home {
-            remote_ts = 10.1.0.0/16 
+            remote_ts = 10.1.0.0/16
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm16-ecp256
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-ecp256
+      proposals = aes128-sha256-x25519
    }
 }
 
 secrets {
 
-   eap {
+   eap-dave {
       id = dave@strongswan.org
-      secret = "W7R0g3do"
+      secret = UgaM65Va
    }
 }
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
index 1eb755354..1eb755354 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+  plugins {
+    eap-radius {
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ad6d62896
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   rw-eap {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-radius
+         id = *@strongswan.org
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat b/testing/tests/swanctl/rw-eap-peap-radius/posttest.dat
index 0d96563c1..96b011090 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
+++ b/testing/tests/swanctl/rw-eap-peap-radius/posttest.dat
@@ -1,8 +1,7 @@
 carol::systemctl stop strongswan-swanctl
 dave::systemctl stop strongswan-swanctl
 moon::systemctl stop strongswan-swanctl
-alice::killall radiusd
-alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat b/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat
new file mode 100644
index 000000000..ff5f6e164
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11-radius-block/test.conf b/testing/tests/swanctl/rw-eap-peap-radius/test.conf
index 8d7f51449..0e5512b65 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/test.conf
+++ b/testing/tests/swanctl/rw-eap-peap-radius/test.conf
@@ -5,11 +5,11 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice carol winnetou dave moon"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="a-m-c-w-d.png"
 
 # Guest instances on which tcpdump is to be started
 #
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/description.txt b/testing/tests/swanctl/rw-eap-sim-id-radius/description.txt
new file mode 100644
index 000000000..41abb363c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/description.txt
@@ -0,0 +1,13 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+which also uses static triplets. In addition to her IKEv2 identity
+<b>carol@strongswan.org</b>, roadwarrior <b>carol</b> uses the EAP
+identity <b>228060123456001</b>.
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat
new file mode 100644
index 000000000..038a2c1e1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=228060123456001.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2057b5193
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  files
+  eap {
+    ok = return
+  }
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..1c281a974
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+228060123456001	EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..783587b55
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm LOCAL {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..1dc666992
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,53 @@
+authorize {
+  files
+  update reply {
+    EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+    EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+    EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+    EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+    EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+    EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+    EAP-Sim-KC1   := "%{control:EAP-Sim-KC1}"
+    EAP-Sim-KC2   := "%{control:EAP-Sim-KC2}"
+    EAP-Sim-KC3   := "%{control:EAP-Sim-KC3}"
+  }
+  eap {
+    ok = return
+  }
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..1c281a974
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+228060123456001	EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
index c167ba940..c167ba940 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..11ae80c1e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..2576209ef
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = eap
+         id = carol@strongswan.org
+         eap_id=228060123456001
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
index 3d99c0197..1eb755354 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
@@ -22,11 +22,11 @@
 -A OUTPUT -p tcp --sport 22 -j ACCEPT
 
 # allow crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
 
-# allow traffic tunnelled via IPsec
--A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
--A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
 
 COMMIT
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fa363c345
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
+
+  plugins {
+    eap-radius {
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..682136230
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   rw-eap {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-radius
+         eap_id = %any
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat
new file mode 100644
index 000000000..f32a56960
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat
new file mode 100644
index 000000000..5d875ee77
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat
@@ -0,0 +1,10 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+carol::cat /etc/ipsec.d/triplets.dat
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/test.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/test.conf
new file mode 100644
index 000000000..0d9e9f3d4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/test.conf
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/description.txt b/testing/tests/swanctl/rw-eap-sim-only-radius/description.txt
new file mode 100644
index 000000000..26de3c982
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/description.txt
@@ -0,0 +1,15 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+At the outset the gateway does not send an AUTH payload thus signalling
+a mutual <b>EAP-only</b> authentication.
+<p/>
+Next the clients use the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate themselves.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+which also uses static triplets.
+<p/>
+The roadwarrior <b>dave</b> sends wrong EAP-SIM triplets. As a consequence
+the RADIUS server <b>alice</b> returns an <b>Access-Reject</b> message
+and the gateway <b>moon</b> sends back <b>EAP_FAILURE</b>.
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat
new file mode 100644
index 000000000..3d3359775
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat
@@ -0,0 +1,13 @@
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..71fa4f18c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  suffix
+  files
+  eap {
+    ok = return
+  }
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol@strongswan.org	EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org	EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..51b64a74b
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,72 @@
+authorize {
+  preprocess
+  chap
+  mschap
+  files
+  suffix
+  update reply {
+    EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+    EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+    EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+    EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+    EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+    EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+    EAP-Sim-KC1   := "%{control:EAP-Sim-KC1}"
+    EAP-Sim-KC2   := "%{control:EAP-Sim-KC2}"
+    EAP-Sim-KC3   := "%{control:EAP-Sim-KC3}"
+  }
+  eap {
+    ok = return
+  }
+  unix
+  files
+  expiration
+  logintime
+  pap
+}
+
+authenticate {
+  Auth-Type PAP {
+    pap
+  }
+  Auth-Type CHAP {
+    chap
+  }
+  Auth-Type MS-CHAP {
+    mschap
+  }
+  unix
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol@strongswan.org	EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org	EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat
index 3e9a644eb..83906807f 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat
@@ -1,6 +1,3 @@
 carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
 carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
 carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
-dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
-dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
-dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bcd8ef0e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..a73f3003c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = eap
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..a02a42c0d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+dave@strongswan.org,33000000000000000000000000000000,33112244,335566778899AABB
+dave@strongswan.org,34000000000000000000000000000000,34112244,345566778899AABB
+dave@strongswan.org,35000000000000000000000000000000,35112244,355566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..bcd8ef0e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0b1ffc462
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = eap
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules
index 3d99c0197..1eb755354 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules
@@ -22,11 +22,11 @@
 -A OUTPUT -p tcp --sport 22 -j ACCEPT
 
 # allow crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
 
-# allow traffic tunnelled via IPsec
--A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
--A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
 
 COMMIT
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+  plugins {
+    eap-radius {
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..09a2a5358
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   rw-eap {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-radius
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/posttest.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat
index 0d96563c1..96b011090 100644
--- a/testing/tests/tnc/tnccs-11-radius/posttest.dat
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat
@@ -1,8 +1,7 @@
 carol::systemctl stop strongswan-swanctl
 dave::systemctl stop strongswan-swanctl
 moon::systemctl stop strongswan-swanctl
-alice::killall radiusd
-alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat
new file mode 100644
index 000000000..66c829747
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat
@@ -0,0 +1,16 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+carol::cat /etc/ipsec.d/triplets.dat
+dave::cat /etc/ipsec.d/triplets.dat
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11-radius/test.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/test.conf
index 8d7f51449..93f23f1d6 100644
--- a/testing/tests/tnc/tnccs-11-radius/test.conf
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/test.conf
@@ -5,11 +5,11 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="a-m-c-w-d.png"
 
 # Guest instances on which tcpdump is to be started
 #
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/description.txt b/testing/tests/swanctl/rw-eap-sim-radius/description.txt
new file mode 100644
index 000000000..5cb1bacdc
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/description.txt
@@ -0,0 +1,15 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next the clients use the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate themselves.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+which also uses static triplets.
+<p/>
+The roadwarrior <b>dave</b> sends wrong EAP-SIM triplets. As a consequence
+the RADIUS server <b>alice</b> returns an <b>Access-Reject</b> message
+and the gateway <b>moon</b> sends back <b>EAP_FAILURE</b>.
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat
new file mode 100644
index 000000000..476e4e1fc
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat
@@ -0,0 +1,13 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..71fa4f18c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  suffix
+  files
+  eap {
+    ok = return
+  }
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol@strongswan.org	EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org	EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..51b64a74b
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,72 @@
+authorize {
+  preprocess
+  chap
+  mschap
+  files
+  suffix
+  update reply {
+    EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+    EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+    EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+    EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+    EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+    EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+    EAP-Sim-KC1   := "%{control:EAP-Sim-KC1}"
+    EAP-Sim-KC2   := "%{control:EAP-Sim-KC2}"
+    EAP-Sim-KC3   := "%{control:EAP-Sim-KC3}"
+  }
+  eap {
+    ok = return
+  }
+  unix
+  files
+  expiration
+  logintime
+  pap
+}
+
+authenticate {
+  Auth-Type PAP {
+    pap
+  }
+  Auth-Type CHAP {
+    chap
+  }
+  Auth-Type MS-CHAP {
+    mschap
+  }
+  unix
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol@strongswan.org	EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org	EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat
index 3e9a644eb..83906807f 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat
@@ -1,6 +1,3 @@
 carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
 carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
 carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
-dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
-dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
-dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bcd8ef0e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..1433bb561
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = eap
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..a02a42c0d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+dave@strongswan.org,33000000000000000000000000000000,33112244,335566778899AABB
+dave@strongswan.org,34000000000000000000000000000000,34112244,345566778899AABB
+dave@strongswan.org,35000000000000000000000000000000,35112244,355566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..bcd8ef0e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e573c9933
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = eap
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules
index 3d99c0197..1eb755354 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules
@@ -22,11 +22,11 @@
 -A OUTPUT -p tcp --sport 22 -j ACCEPT
 
 # allow crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
 
-# allow traffic tunnelled via IPsec
--A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
--A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
 
 COMMIT
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+  plugins {
+    eap-radius {
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e11667564
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   rw-eap {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-radius
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat b/testing/tests/swanctl/rw-eap-sim-radius/posttest.dat
index ab96df0ed..96b011090 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
+++ b/testing/tests/swanctl/rw-eap-sim-radius/posttest.dat
@@ -1,9 +1,7 @@
 carol::systemctl stop strongswan-swanctl
 dave::systemctl stop strongswan-swanctl
 moon::systemctl stop strongswan-swanctl
-alice::killall radiusd
-alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
-carol::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/pretest.dat b/testing/tests/swanctl/rw-eap-sim-radius/pretest.dat
new file mode 100644
index 000000000..66c829747
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/pretest.dat
@@ -0,0 +1,16 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+carol::cat /etc/ipsec.d/triplets.dat
+dave::cat /etc/ipsec.d/triplets.dat
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20-fhh/test.conf b/testing/tests/swanctl/rw-eap-sim-radius/test.conf
index f6db73912..93f23f1d6 100644
--- a/testing/tests/tnc/tnccs-20-fhh/test.conf
+++ b/testing/tests/swanctl/rw-eap-sim-radius/test.conf
@@ -5,11 +5,11 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="a-m-c-w-d.png"
 
 # Guest instances on which tcpdump is to be started
 #
@@ -22,7 +22,7 @@ IPSECHOSTS="moon carol dave"
 
 # Guest instances on which FreeRadius is started
 #
-RADIUSHOSTS=
+RADIUSHOSTS="alice"
 
 # charon controlled by swanctl
 #
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/description.txt b/testing/tests/swanctl/rw-eap-sim-rsa/description.txt
new file mode 100644
index 000000000..4401e679f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/description.txt
@@ -0,0 +1,8 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat
new file mode 100644
index 000000000..1e967896e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..83906807f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
+carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
+carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bcd8ef0e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..1433bb561
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = eap
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..83906807f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
+carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
+carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bcd8ef0e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..6028df452
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   rw-eap {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-sim
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat
new file mode 100644
index 000000000..8cc1c4dc5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/test.conf b/testing/tests/swanctl/rw-eap-sim-rsa/test.conf
new file mode 100644
index 000000000..97b89cb61
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt b/testing/tests/swanctl/rw-eap-tls-only/description.txt
index e25da6935..b3e0450a4 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt
+++ b/testing/tests/swanctl/rw-eap-tls-only/description.txt
@@ -1,5 +1,4 @@
 The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
 The strong mutual authentication of both peers is based on <b>EAP-TLS</b> only
 (without a separate IKEv2 authentication), using TLS client and server certificates,
-respectively. Elliptic curve cryptography is used by both the IKE and TLS
-protocols.
+respectively.
diff --git a/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat
new file mode 100644
index 000000000..52dc51a62
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c25dc8398
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
+
+  multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..cc3e77095
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = eap-tls
+         certs = carolCert.pem
+      }
+      remote {
+         auth = eap-tls
+         id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..c69b0d77b
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
+
+  multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
\ No newline at end of file
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..51150c77c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw-eap {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-tls
+         certs = moonCert.pem
+      }
+      remote {
+         auth = eap-tls
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-only/posttest.dat b/testing/tests/swanctl/rw-eap-tls-only/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/swanctl/rw-eap-tls-only/pretest.dat
index 1578796a1..90445d430 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
+++ b/testing/tests/swanctl/rw-eap-tls-only/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
 moon::expect-connection rw-eap
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-tls-only/test.conf b/testing/tests/swanctl/rw-eap-tls-only/test.conf
new file mode 100644
index 000000000..97b89cb61
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/description.txt b/testing/tests/swanctl/rw-eap-tls-radius/description.txt
new file mode 100644
index 000000000..d635ae33e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses a mutual <b>EAP-TLS</b> authentication based
+on X.509 certificates. The gateway forwards all EAP messages to the
+AAA RADIUS server <b>alice</b>.
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat
new file mode 100644
index 000000000..e3b7cf39a
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..e8670dbb7
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,16 @@
+eap {
+  default_eap_type = tls
+
+  tls-config tls-common {
+    private_key_file = ${certdir}/aaaKey.pem
+    certificate_file = ${certdir}/aaaCert.pem
+    ca_file = ${cadir}/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = ${certdir}/dh
+    random_file = ${certdir}/random
+  }
+
+  tls {
+    tls = tls-common
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..060702784
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,55 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  eap {
+    ok = return
+  }
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf
index 31556361e..92f96ad66 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf
@@ -1,8 +1,8 @@
 eap {
-  md5 {
-  }
-  default_eap_type = ttls
+  default_eap_type = tls
   tls {
+    certdir = /etc/raddb/certs
+    cadir = /etc/raddb/certs
     private_key_file = /etc/raddb/certs/aaaKey.pem
     certificate_file = /etc/raddb/certs/aaaCert.pem
     CA_file = /etc/raddb/certs/strongswanCert.pem
@@ -10,16 +10,4 @@ eap {
     dh_file = /etc/raddb/certs/dh
     random_file = /etc/raddb/certs/random
   }
-  ttls {
-    default_eap_type = md5
-    use_tunneled_reply = yes
-    virtual_server = "inner-tunnel"
-    tnc_virtual_server = "inner-tunnel-second"
-  }
-}
-
-eap eap_tnc {
-      default_eap_type = tnc
-      tnc {
-      }
 }
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..18ebf9e9d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,41 @@
+authorize {
+  eap {
+    ok = return
+  }
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..585019e47
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-tls updown
+
+  multiple_authentication = no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..58786ba87
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = eap
+         certs = carolCert.pem
+         aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+      }
+      remote {
+         auth = pubkey
+         id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+       }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules
index 3d99c0197..1eb755354 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules
@@ -22,11 +22,11 @@
 -A OUTPUT -p tcp --sport 22 -j ACCEPT
 
 # allow crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
 
-# allow traffic tunnelled via IPsec
--A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
--A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
 
 COMMIT
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+  plugins {
+    eap-radius {
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ebe5ffab7
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   rw-eap {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+      }
+      remote {
+         auth = eap-radius
+         id = "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat b/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat
new file mode 100644
index 000000000..f32a56960
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat b/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat
new file mode 100644
index 000000000..299fccfeb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/test.conf b/testing/tests/swanctl/rw-eap-tls-radius/test.conf
new file mode 100644
index 000000000..0d9e9f3d4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/test.conf
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/description.txt b/testing/tests/swanctl/rw-eap-ttls-only/description.txt
new file mode 100644
index 000000000..19c00531e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The strong mutual authentication is based on <b>EAP-TTLS</b> only (without a separate IKEv2
+authentication) with the gateway being authenticated by a server certificate during the
+EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b> (phase2 of EAP-TTLS).
+<p/>
+With the default setting <b>charon.plugins.eap-ttls.phase2_piggyback = no</b> the server
+<b>moon</b> passively waits for the clients to initiate phase2 of the EAP-TTLS protocol by
+sending a tunneled orphan EAP Identity response upon the reception of the server's TLS
+Finished message. Client <b>carol</b> presents the correct MD5 password and succeeds
+whereas client <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat b/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat
index 2285608b8..00282ab2b 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
+++ b/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat
@@ -10,10 +10,8 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
 moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f39a874a4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+
+  multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf
index 0f266dd93..184aaa5d3 100644..100755
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
 
    home {
       local_addrs  = 192.168.0.100
-      remote_addrs = 192.168.0.1 
+      remote_addrs = 192.168.0.1
 
       local {
-         auth = eap-ttls
+         auth = eap
          id = carol@strongswan.org
       }
       remote {
          auth = eap-ttls
-         id = moon.strongswan.org 
+         id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
       }
       children {
          home {
-            remote_ts = 10.1.0.0/16 
+            remote_ts = 10.1.0.0/16
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm16-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       send_certreq = no
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
 secrets {
 
-   eap {
+   eap-carol {
       id = carol@strongswan.org
-      secret = "Ar3etTnp"
+      secret = Ar3etTnp
    }
 }
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..f39a874a4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+
+  multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf
index 989ab88c7..a77bd0079 100644..100755
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
 
    home {
       local_addrs  = 192.168.0.200
-      remote_addrs = 192.168.0.1 
+      remote_addrs = 192.168.0.1
 
       local {
-         auth = eap-ttls
+         auth = eap
          id = dave@strongswan.org
       }
       remote {
          auth = eap-ttls
-         id = moon.strongswan.org 
+         id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
       }
       children {
          home {
-            remote_ts = 10.1.0.0/16 
+            remote_ts = 10.1.0.0/16
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm16-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       send_certreq = no
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
 secrets {
 
-   eap {
+   eap-dave {
       id = dave@strongswan.org
-      secret = "W7R0g3do"
+      secret = UgaM65Va
    }
 }
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..860fbf3ac
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,21 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+
+  multiple_authentication=no
+  syslog {
+    daemon {
+      tls = 2
+    }
+  }
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+    }
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..5ee0c57a3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,37 @@
+connections {
+
+   rw-eap {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         certs = moonCert.pem
+      }
+      remote {
+         auth = eap-ttls
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = Ar3etTnp
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = W7R0g3do
+   }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat b/testing/tests/swanctl/rw-eap-ttls-only/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat
+++ b/testing/tests/swanctl/rw-eap-ttls-only/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat b/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat
new file mode 100644
index 000000000..9ae476e64
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/test.conf b/testing/tests/swanctl/rw-eap-ttls-only/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/test.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-only/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/description.txt b/testing/tests/swanctl/rw-eap-ttls-radius/description.txt
new file mode 100644
index 000000000..479350c2f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> and <b>dave</b> et up an <b>EAP-TTLS</b> tunnel each via
+gateway <b>moon</b> to the RADIUS server <b>alice</b> authenticated by an X.509
+AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b>. <b>carol</b> presents the correct MD5 password
+and succeeds whereas <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat
new file mode 100644
index 000000000..df4f0d550
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat
@@ -0,0 +1,17 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7450c71c4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,21 @@
+eap {
+  md5 {
+  }
+  default_eap_type = ttls
+
+  tls-config tls-common {
+    private_key_file = ${certdir}/aaaKey.pem
+    certificate_file = ${certdir}/aaaCert.pem
+    ca_file = ${cadir}/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = ${certdir}/dh
+    random_file = ${certdir}/random
+  }
+
+  ttls {
+    tls = tls-common
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+authorize {
+  preprocess
+  suffix
+  eap {
+    ok = return
+  }
+  files
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  exec
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    eap
+    remove_reply_message_if_eap
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..6ce9d6391
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
@@ -0,0 +1,38 @@
+server inner-tunnel {
+
+authorize {
+  filter_username
+  suffix
+  eap {
+    ok = return
+  }
+  files
+  expiration
+  logintime
+}
+
+authenticate {
+  eap
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+    update outer.session-state {
+      &Module-Failure-Message := &request:Module-Failure-Message
+    }
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol	Cleartext-Password := "Ar3etTnp"
+dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
index 31556361e..c91cd40fb 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
@@ -14,12 +14,5 @@ eap {
     default_eap_type = md5
     use_tunneled_reply = yes
     virtual_server = "inner-tunnel"
-    tnc_virtual_server = "inner-tunnel-second"
   }
 }
-
-eap eap_tnc {
-      default_eap_type = tnc
-      tnc {
-      }
-}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
index dd0825858..dd0825858 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol	Cleartext-Password := "Ar3etTnp"
+dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85d90ccc1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7ffdd1f4c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = eap
+         id = carol@strongswan.org
+         aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+     }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = Ar3etTnp
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..85d90ccc1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf
index 5af2098b6..97c0b7057 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
 
    home {
       local_addrs  = 192.168.0.200
-      remote_addrs = 192.168.0.1 
+      remote_addrs = 192.168.0.1
 
       local {
          auth = eap
-         aaa_id = aaa.strongswan.org
          id = dave@strongswan.org
+         aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
       }
       remote {
-         auth = pubkey 
-         id = moon.strongswan.org 
+         auth = pubkey
+         id = moon.strongswan.org
       }
       children {
          home {
-            remote_ts = 10.1.0.0/16 
+            remote_ts = 10.1.0.0/16
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm16-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
 secrets {
 
-   eap {
+   eap-dave {
       id = dave@strongswan.org
-      secret = "W7R0g3do"
+      secret = UgaM65Va
    }
 }
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+  plugins {
+    eap-radius {
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ad6d62896
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   rw-eap {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-radius
+         id = *@strongswan.org
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat
new file mode 100644
index 000000000..96b011090
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat
@@ -0,0 +1,7 @@
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat
new file mode 100644
index 000000000..ff5f6e164
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11-fhh/test.conf b/testing/tests/swanctl/rw-eap-ttls-radius/test.conf
index 61f2312af..0e5512b65 100644
--- a/testing/tests/tnc/tnccs-11-fhh/test.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/test.conf
@@ -5,11 +5,11 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice carol winnetou dave moon"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="a-m-c-w-d.png"
 
 # Guest instances on which tcpdump is to be started
 #
@@ -22,7 +22,8 @@ IPSECHOSTS="moon carol dave"
 
 # Guest instances on which FreeRadius is started
 #
-RADIUSHOSTS=
+RADIUSHOSTS="alice"
+
 # charon controlled by swanctl
 #
 SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-11-fhh/description.txt b/testing/tests/tnc/tnccs-11-fhh/description.txt
deleted file mode 100644
index 8ce1157e9..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/description.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
-using EAP-TTLS authentication only with the gateway presenting a server certificate and
-the clients doing EAP-MD5 password-based authentication.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-The Dummy IMC and IMV from the
-<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
-<b>TNC@FHH</b></a> project are used which communicate over a proprietary protocol.
-<p>
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
-clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
-respectively.
-
diff --git a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
deleted file mode 100644
index 0b7655bdd..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides:          charon 
-# Required-Start:    $remote_fs $syslog
-# Required-Stop:     $remote_fs $syslog
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: strongSwan charon IKE daemon 
-# Description:       with swanctl the strongSwan charon daemon must be
-#                    running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen <andreas.steffen@strongswa.org>
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
-	# Return
-	#   0 if daemon has been started
-	#   1 if daemon was already running
-	#   2 if daemon could not be started
-	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
-		|| return 1
-	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
-		$DAEMON_ARGS \
-		|| return 2
-	# Add code here, if necessary, that waits for the process to be ready
-	# to handle requests from services started subsequently which depend
-	# on this one.  As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
-	# Return
-	#   0 if daemon has been stopped
-	#   1 if daemon was already stopped
-	#   2 if daemon could not be stopped
-	#   other if a failure occurred
-	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
-	RETVAL="$?"
-	[ "$RETVAL" = 2 ] && return 2
-	# Wait for children to finish too if this is a daemon that forks
-	# and if the daemon is only ever run from this initscript.
-	# If the above conditions are not satisfied then add some other code
-	# that waits for the process to drop all resources that could be
-	# needed by services started subsequently.  A last resort is to
-	# sleep for some time.
-	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
-	[ "$?" = 2 ] && return 2
-	# Many daemons don't delete their pidfiles when they exit.
-	rm -f $PIDFILE
-	return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
-	#
-	# If the daemon can reload its configuration without
-	# restarting (for example, when it is sent a SIGHUP),
-	# then implement that here.
-	#
-	start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
-	return 0
-}
-
-case "$1" in
-  start)
-	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
-	do_start
-	case "$?" in
-		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  stop)
-	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
-	do_stop
-	case "$?" in
-		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  status)
-	status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
-	;;
-  #reload|force-reload)
-	#
-	# If do_reload() is not implemented then leave this commented out
-	# and leave 'force-reload' as an alias for 'restart'.
-	#
-	#log_daemon_msg "Reloading $DESC" "$NAME"
-	#do_reload
-	#log_end_msg $?
-	#;;
-  restart|force-reload)
-	#
-	# If the "reload" option is implemented then remove the
-	# 'force-reload' alias
-	#
-	log_daemon_msg "Restarting $DESC" "$NAME"
-	do_stop
-	case "$?" in
-	  0|1)
-		do_start
-		case "$?" in
-			0) log_end_msg 0 ;;
-			1) log_end_msg 1 ;; # Old process is still running
-			*) log_end_msg 1 ;; # Failed to start
-		esac
-		;;
-	  *)
-		# Failed to stop
-		log_end_msg 1
-		;;
-	esac
-	;;
-  *)
-	#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
-	echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
-	exit 3
-	;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index b094a3aaa..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
-  multiple_authentication=no
-
-  syslog {
-    daemon {
-      tnc = 3
-    }
-  }
-  plugins {
-    eap-tnc {
-      protocol = tnccs-1.1
-    }
-  }
-}
-
-libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties
deleted file mode 100644
index b1c694107..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config
deleted file mode 100644
index d2fabe109..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy"		/usr/local/lib/libdummyimc.so
-#IMC "HostScanner"	/usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides:          charon 
-# Required-Start:    $remote_fs $syslog
-# Required-Stop:     $remote_fs $syslog
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: strongSwan charon IKE daemon 
-# Description:       with swanctl the strongSwan charon daemon must be
-#                    running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen <andreas.steffen@strongswa.org>
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
-	# Return
-	#   0 if daemon has been started
-	#   1 if daemon was already running
-	#   2 if daemon could not be started
-	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
-		|| return 1
-	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
-		$DAEMON_ARGS \
-		|| return 2
-	# Add code here, if necessary, that waits for the process to be ready
-	# to handle requests from services started subsequently which depend
-	# on this one.  As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
-	# Return
-	#   0 if daemon has been stopped
-	#   1 if daemon was already stopped
-	#   2 if daemon could not be stopped
-	#   other if a failure occurred
-	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
-	RETVAL="$?"
-	[ "$RETVAL" = 2 ] && return 2
-	# Wait for children to finish too if this is a daemon that forks
-	# and if the daemon is only ever run from this initscript.
-	# If the above conditions are not satisfied then add some other code
-	# that waits for the process to drop all resources that could be
-	# needed by services started subsequently.  A last resort is to
-	# sleep for some time.
-	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
-	[ "$?" = 2 ] && return 2
-	# Many daemons don't delete their pidfiles when they exit.
-	rm -f $PIDFILE
-	return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
-	#
-	# If the daemon can reload its configuration without
-	# restarting (for example, when it is sent a SIGHUP),
-	# then implement that here.
-	#
-	start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
-	return 0
-}
-
-case "$1" in
-  start)
-	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
-	do_start
-	case "$?" in
-		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  stop)
-	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
-	do_stop
-	case "$?" in
-		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  status)
-	status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
-	;;
-  #reload|force-reload)
-	#
-	# If do_reload() is not implemented then leave this commented out
-	# and leave 'force-reload' as an alias for 'restart'.
-	#
-	#log_daemon_msg "Reloading $DESC" "$NAME"
-	#do_reload
-	#log_end_msg $?
-	#;;
-  restart|force-reload)
-	#
-	# If the "reload" option is implemented then remove the
-	# 'force-reload' alias
-	#
-	log_daemon_msg "Restarting $DESC" "$NAME"
-	do_stop
-	case "$?" in
-	  0|1)
-		do_start
-		case "$?" in
-			0) log_end_msg 0 ;;
-			1) log_end_msg 1 ;; # Old process is still running
-			*) log_end_msg 1 ;; # Failed to start
-		esac
-		;;
-	  *)
-		# Failed to stop
-		log_end_msg 1
-		;;
-	esac
-	;;
-  *)
-	#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
-	echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
-	exit 3
-	;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index b094a3aaa..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
-  multiple_authentication=no
-
-  syslog {
-    daemon {
-      tnc = 3
-    }
-  }
-  plugins {
-    eap-tnc {
-      protocol = tnccs-1.1
-    }
-  }
-}
-
-libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index c20b5e57f..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-isolate
\ No newline at end of file
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties
deleted file mode 100644
index b1c694107..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config
deleted file mode 100644
index d2fabe109..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy"		/usr/local/lib/libdummyimc.so
-#IMC "HostScanner"	/usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides:          charon 
-# Required-Start:    $remote_fs $syslog
-# Required-Stop:     $remote_fs $syslog
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: strongSwan charon IKE daemon 
-# Description:       with swanctl the strongSwan charon daemon must be
-#                    running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen <andreas.steffen@strongswa.org>
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
-	# Return
-	#   0 if daemon has been started
-	#   1 if daemon was already running
-	#   2 if daemon could not be started
-	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
-		|| return 1
-	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
-		$DAEMON_ARGS \
-		|| return 2
-	# Add code here, if necessary, that waits for the process to be ready
-	# to handle requests from services started subsequently which depend
-	# on this one.  As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
-	# Return
-	#   0 if daemon has been stopped
-	#   1 if daemon was already stopped
-	#   2 if daemon could not be stopped
-	#   other if a failure occurred
-	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
-	RETVAL="$?"
-	[ "$RETVAL" = 2 ] && return 2
-	# Wait for children to finish too if this is a daemon that forks
-	# and if the daemon is only ever run from this initscript.
-	# If the above conditions are not satisfied then add some other code
-	# that waits for the process to drop all resources that could be
-	# needed by services started subsequently.  A last resort is to
-	# sleep for some time.
-	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
-	[ "$?" = 2 ] && return 2
-	# Many daemons don't delete their pidfiles when they exit.
-	rm -f $PIDFILE
-	return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
-	#
-	# If the daemon can reload its configuration without
-	# restarting (for example, when it is sent a SIGHUP),
-	# then implement that here.
-	#
-	start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
-	return 0
-}
-
-case "$1" in
-  start)
-	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
-	do_start
-	case "$?" in
-		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  stop)
-	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
-	do_stop
-	case "$?" in
-		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  status)
-	status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
-	;;
-  #reload|force-reload)
-	#
-	# If do_reload() is not implemented then leave this commented out
-	# and leave 'force-reload' as an alias for 'restart'.
-	#
-	#log_daemon_msg "Reloading $DESC" "$NAME"
-	#do_reload
-	#log_end_msg $?
-	#;;
-  restart|force-reload)
-	#
-	# If the "reload" option is implemented then remove the
-	# 'force-reload' alias
-	#
-	log_daemon_msg "Restarting $DESC" "$NAME"
-	do_stop
-	case "$?" in
-	  0|1)
-		do_start
-		case "$?" in
-			0) log_end_msg 0 ;;
-			1) log_end_msg 1 ;; # Old process is still running
-			*) log_end_msg 1 ;; # Failed to start
-		esac
-		;;
-	  *)
-		# Failed to stop
-		log_end_msg 1
-		;;
-	esac
-	;;
-  *)
-	#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
-	echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
-	exit 3
-	;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index aacee2221..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
-
-  multiple_authentication = no
-
-  syslog {
-    daemon {
-      tnc = 3
-    }
-  }
-  plugins {
-    eap-ttls {
-      phase2_method = md5
-      phase2_piggyback = yes
-      phase2_tnc = yes
-      phase2_tnc_method = tnc
-    }
-    eap-tnc {
-      protocol = tnccs-1.1
-    }
-  }
-}
-
-libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf
deleted file mode 100644
index 1238c1a91..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,64 +0,0 @@
-connections {
-
-   rw-allow {
-      local_addrs  = 192.168.0.1
-
-      local {
-         auth = eap-ttls
-         id = moon.strongswan.org
-      }
-      remote {
-         auth = eap-ttls
-         id = *@strongswan.org
-         groups = allow
-      }
-      children {
-         rw-allow {
-            local_ts = 10.1.0.0/28
-
-            updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm16-modp3072
-         }
-      }
-      version = 2
-      send_certreq = no
-      proposals = aes128-sha256-modp3072
-   }
-
-   rw-isolate {
-      local_addrs  = 192.168.0.1
-
-      local {
-         auth = eap-ttls
-         id = moon.strongswan.org
-      }
-      remote {
-         auth = eap-ttls
-         id = *@strongswan.org
-         groups = isolate
-      }
-      children {
-         rw-isolate {
-            local_ts = 10.1.0.16/28
-
-            updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm16-modp3072
-         }
-      }
-      version = 2
-      send_certreq = no
-      proposals = aes128-sha256-modp3072
-   }
-}
-
-secrets {
-
-   eap-carol {
-      id = carol@strongswan.org
-      secret = "Ar3etTnp"
-   }
-   eap-dave {
-      id = dave@strongswan.org
-      secret = "W7R0g3do"
-   }
-}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy
deleted file mode 100644
index d00491fd7..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy
deleted file mode 100644
index d8215dd3c..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy
+++ /dev/null
@@ -1,40 +0,0 @@
-#FTP - File Transfer Protocol
-TCP 20 = whatever
-TCP 21 = close
-
-#SSH - Secure Shell
-TCP 22 = whatever
-
-#Telnet
-TCP 23 = close
-
-#E-Mail
-#
-#SMTP - Simple Mail Transfer Protocol
-TCP  25 = close
-TCP 587 = close
-#POP3 - Post Office Protocol version 3
-TCP 110 = close
-TCP 995 = close
-
-#DNS - Domain Name System
-UDP 53 = close
-TCP 53 = close
-
-#BOOTP/DHCP - Bootstrap Protocol /
-#Dynamic Host Configuration Protocol 
-UDP 67 = close
-#UDP 68 = open
-UDP 68 = whatever
-
-#www - World Wide Web
-#HTTP - Hypertext Transfer Protocol
-TCP  80 = close
-#HTTPS - Hypertext Transfer Protocol Secure
-TCP 443 = close
-
-#examples
-TCP 8080 = close
-TCP 5223 = whatever
-UDP 4444 = close
-UDP  631 = whatever
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties
deleted file mode 100644
index 122d798b3..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMV] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMV] %m%n
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config
deleted file mode 100644
index 140caa98f..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan server 
-
-IMV "Dummy"		/usr/local/lib/libdummyimv.so
-#IMV "HostScanner"	/usr/local/lib/libhostscannerimv.so
diff --git a/testing/tests/tnc/tnccs-11-radius-block/description.txt b/testing/tests/tnc/tnccs-11-radius-block/description.txt
deleted file mode 100644
index 67b1a2a34..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/description.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the clients by sending an IKEv2
-<b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to the
-<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
-<b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-The IMC and IMV communicate are using the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
-<p>
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements <b>carol</b>
-is authenticated successfully and is granted access to the subnet behind <b>moon</b> whereas
-<b>dave</b> fails the layered EAP authentication and is rejected.
diff --git a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
deleted file mode 100644
index b2fc61949..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
-dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
-moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home::NO
-moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
deleted file mode 100644
index c5bde6a9e..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,36 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
-	eap_tnc {
-		ok = return
-	}
-}
-
-authenticate {
-	eap_tnc
-}
-
-session {
-	radutmp
-}
-
-post-auth {
-	if (control:TNC-Status == "Access") {
-		update reply {
-			Tunnel-Type := ESP
-			Filter-Id := "allow"
-		}
-	}
-	elsif (control:TNC-Status == "Isolate") {
-		update reply {
-			Tunnel-Type := ESP
-			Filter-Id := "isolate"
-		}
-	}
-
-	Post-Auth-Type REJECT {
-		attr_filter.access_reject
-	}
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 7622801ab..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
-  load = random nonce sha1 sha2 md5 gmp pubkey x509
-  debug_level = 3 
-  assessment_result = no
-  plugins {
-    imv-test {
-      rounds = 1 
-    }
-  }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties
deleted file mode 100644
index 2bdc6e4de..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config
deleted file mode 100644
index da732f68b..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan client 
-
-IMV "Test"	/usr/local/lib/ipsec/imcvs/imv-test.so
-IMV "Scanner"	/usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 305a9d1e6..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
-  multiple_authentication=no
-
-  syslog {
-    daemon {
-      tnc = 3
-      imc = 3
-    }
-  }
-  plugins {
-    eap-tnc {
-      protocol = tnccs-1.1
-    }
-  }
-}
-
-libimcv {
-  plugins {
-    imc-test {
-      command = allow
-    }
-  }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config
deleted file mode 100644
index 6166552f5..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 5d17eb638..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
-  multiple_authentication=no
-
-  syslog {
-    daemon {
-      tnc = 3
-      imc = 3
-    }
-  }
-  plugins {
-    eap-tnc {
-      protocol = tnccs-1.1
-    }
-  }
-}
-
-libimcv {
-  plugins {
-    imc-test {
-      command = none
-    }
-    imc-scanner {
-      push_info = no
-    }
-  }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config
deleted file mode 100644
index 6166552f5..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4c9dd6e1f..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
-
-  multiple_authentication=no
-
-  plugins {
-    eap-radius {
-      secret = gv6URkSs
-      server = 10.1.0.10
-      filter_id = yes
-    }
-  }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
deleted file mode 100644
index efddc609e..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
+++ /dev/null
@@ -1,21 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
-moon::systemctl start strongswan-swanctl
-carol::systemctl start strongswan-swanctl
-dave::systemctl start strongswan-swanctl
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home
-dave::expect-connection home
-dave::swanctl --initiate --child home
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/description.txt b/testing/tests/tnc/tnccs-11-radius-pts/description.txt
deleted file mode 100644
index d5729dd7b..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/description.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the clients by sending an IKEv2
-<b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to the
-<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
-<b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-The communication between the OS and Attestation IMC and the Attestation IMV is based on the
- <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
-<p>
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
-are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
deleted file mode 100644
index 588ddf469..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
deleted file mode 100644
index c5bde6a9e..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,36 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
-	eap_tnc {
-		ok = return
-	}
-}
-
-authenticate {
-	eap_tnc
-}
-
-session {
-	radutmp
-}
-
-post-auth {
-	if (control:TNC-Status == "Access") {
-		update reply {
-			Tunnel-Type := ESP
-			Filter-Id := "allow"
-		}
-	}
-	elsif (control:TNC-Status == "Isolate") {
-		update reply {
-			Tunnel-Type := ESP
-			Filter-Id := "isolate"
-		}
-	}
-
-	Post-Auth-Type REJECT {
-		attr_filter.access_reject
-	}
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql
deleted file mode 100644
index d87b5e7f9..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql
+++ /dev/null
@@ -1,29 +0,0 @@
-/* Devices */
-
-INSERT INTO devices (                  /*  1 */
-  value, product, created
-)
-SELECT 'aabbccddeeff11223344556677889900', id, 1372330615
-FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64';
-
-/* Groups Members */
-
-INSERT INTO groups_members (
-  group_id, device_id
-) VALUES (
-  10, 1
-);
-
-INSERT INTO enforcements (
-  policy, group_id, max_age, rec_fail, rec_noresult
-) VALUES (
-  3, 10, 0, 2, 2
-);
-
-INSERT INTO enforcements (
-  policy, group_id, max_age
-) VALUES (
-  16, 2, 0
-);
-
-DELETE FROM enforcements WHERE id = 1;
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index a3f4ca12c..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
-  load = random nonce openssl pubkey sqlite
-  debug_level = 3 
-  database = sqlite:///etc/db.d/config.db
-  policy_script = /usr/local/libexec/ipsec/imv_policy_manager
-  assessment_result = no
-}
-
-attest {
-  database = sqlite:///etc/db.d/config.db
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties
deleted file mode 100644
index 2bdc6e4de..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config
deleted file mode 100644
index b5ac8c178..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan client 
-
-IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
-IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index a534ac66e..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
-  multiple_authentication=no
-
-  syslog {
-    daemon {
-      tnc = 3
-      imc = 3
-    }
-  }
-  plugins {
-    eap-tnc {
-      protocol = tnccs-1.1
-    }
-  }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config
deleted file mode 100644
index 15dc93a0a..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
-IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 469e81156..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
-  multiple_authentication=no
-  retransmit_tries = 5
-
-  syslog {
-    daemon {
-      tnc = 3
-      imc = 3
-    }
-  }
-  plugins {
-    eap-tnc {
-      protocol = tnccs-1.1
-    }
-  }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config
deleted file mode 100644
index 15dc93a0a..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
-IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index cbaf67c89..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce openssl pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-radius updown
-
-  multiple_authentication=no
-
-  plugins {
-    eap-radius {
-      secret = gv6URkSs
-      server = 10.1.0.10
-      filter_id = yes
-    }
-  }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf
deleted file mode 100644
index 096eb7b5a..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,53 +0,0 @@
-connections {
-
-   rw-allow {
-      local_addrs  = 192.168.0.1
-
-      local {
-         auth = pubkey 
-         id = moon.strongswan.org
-         certs = moonCert.pem
-      }
-      remote {
-         auth = eap-radius
-         id = *@strongswan.org
-         groups = allow
-      }
-      children {
-         rw-allow {
-            local_ts = 10.1.0.0/28
-
-            updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm16-ecp256
-         }
-      }
-      version = 2
-      send_certreq = no
-      proposals = aes128-sha256-ecp256
-   }
-
-   rw-isolate {
-      local_addrs  = 192.168.0.1
-
-      local {
-         auth = pubkey 
-         id = moon.strongswan.org
-      }
-      remote {
-         auth = eap-radius
-         id = *@strongswan.org
-         groups = isolate
-      }
-      children {
-         rw-isolate {
-            local_ts = 10.1.0.16/28
-
-            updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm16-ecp256
-         }
-      }
-      version = 2
-      send_certreq = no
-      proposals = aes128-sha256-ecp256
-   }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
deleted file mode 100644
index 7d0dfa385..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
+++ /dev/null
@@ -1,28 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-carol::echo 0 > /proc/sys/net/ipv4/ip_forward
-dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
-alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql
-alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db
-alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
-moon::systemctl start strongswan-swanctl
-carol::systemctl start strongswan-swanctl
-dave::systemctl start strongswan-swanctl
-moon::expect-connection rw-allow
-moon::expect-connection rw-isolate
-carol::expect-connection home
-carol::swanctl --initiate --child home
-dave::expect-connection home
-dave::swanctl --initiate --child home
-alice::ipsec attest --sessions
-alice::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-11-radius/description.txt b/testing/tests/tnc/tnccs-11-radius/description.txt
deleted file mode 100644
index 4017c6eda..000000000
--- a/testing/tests/tnc/tnccs-11-radius/description.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the clients by sending an IKEv2
-<b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to the
-<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
-<b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-The communication between IMCs and IMVs is based on the  <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
-<p>
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
-are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
deleted file mode 100644
index cbafc1303..000000000
--- a/testing/tests/tnc/tnccs-11-radius/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf
deleted file mode 100644
index 31556361e..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-eap {
-  md5 {
-  }
-  default_eap_type = ttls
-  tls {
-    private_key_file = /etc/raddb/certs/aaaKey.pem
-    certificate_file = /etc/raddb/certs/aaaCert.pem
-    CA_file = /etc/raddb/certs/strongswanCert.pem
-    cipher_list = "DEFAULT"
-    dh_file = /etc/raddb/certs/dh
-    random_file = /etc/raddb/certs/random
-  }
-  ttls {
-    default_eap_type = md5
-    use_tunneled_reply = yes
-    virtual_server = "inner-tunnel"
-    tnc_virtual_server = "inner-tunnel-second"
-  }
-}
-
-eap eap_tnc {
-      default_eap_type = tnc
-      tnc {
-      }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
deleted file mode 100644
index e088fae14..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
+++ /dev/null
@@ -1,32 +0,0 @@
-server inner-tunnel {
-
-authorize {
-	suffix
-	eap {
-		ok = return
-	}
-	files
-}
-
-authenticate {
-	eap
-}
-
-session {
-	radutmp
-}
-
-post-auth {
-	Post-Auth-Type REJECT {
-		attr_filter.access_reject
-	}
-}
-
-pre-proxy {
-}
-
-post-proxy {
-	eap
-}
-
-} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
deleted file mode 100644
index c5bde6a9e..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,36 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
-	eap_tnc {
-		ok = return
-	}
-}
-
-authenticate {
-	eap_tnc
-}
-
-session {
-	radutmp
-}
-
-post-auth {
-	if (control:TNC-Status == "Access") {
-		update reply {
-			Tunnel-Type := ESP
-			Filter-Id := "allow"
-		}
-	}
-	elsif (control:TNC-Status == "Isolate") {
-		update reply {
-			Tunnel-Type := ESP
-			Filter-Id := "isolate"
-		}
-	}
-
-	Post-Auth-Type REJECT {
-		attr_filter.access_reject
-	}
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 7622801ab..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
-  load = random nonce sha1 sha2 md5 gmp pubkey x509
-  debug_level = 3 
-  assessment_result = no
-  plugins {
-    imv-test {
-      rounds = 1 
-    }
-  }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties
deleted file mode 100644
index 2bdc6e4de..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config
deleted file mode 100644
index da732f68b..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan client 
-
-IMV "Test"	/usr/local/lib/ipsec/imcvs/imv-test.so
-IMV "Scanner"	/usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 1ca6c3d10..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
-  multiple_authentication=no
-
-  syslog {
-    daemon {
-      tnc = 3
-      imc = 3
-    }
-  }
-  plugins {
-    eap-tnc {
-      protocol = tnccs-1.1
-    }
-  }
-}
-
-libimcv {
-  plugins {
-    imc-test {
-      command = allow
-    }
-  }
-}
-libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config
deleted file mode 100644
index 6166552f5..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 9df983c80..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
-  multiple_authentication=no
-
- syslog {
-    daemon {
-      tnc = 3
-      imc = 3
-    }
-  }
-  plugins {
-    eap-tnc {
-      protocol = tnccs-1.1
-    }
-  }
-}
-
-libimcv {
-  plugins {
-    imc-test {
-      command = isolate
-    }
-    imc-scanner {
-      push_info = no
-    }
-  }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config
deleted file mode 100644
index 6166552f5..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4c9dd6e1f..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
-
-  multiple_authentication=no
-
-  plugins {
-    eap-radius {
-      secret = gv6URkSs
-      server = 10.1.0.10
-      filter_id = yes
-    }
-  }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf
deleted file mode 100644
index 3caad0c66..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,53 +0,0 @@
-connections {
-
-   rw-allow {
-      local_addrs  = 192.168.0.1
-
-      local {
-         auth = pubkey 
-         id = moon.strongswan.org
-         certs = moonCert.pem
-      }
-      remote {
-         auth = eap-radius
-         id = *@strongswan.org
-         groups = allow
-      }
-      children {
-         rw-allow {
-            local_ts = 10.1.0.0/28
-
-            updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm16-modp3072
-         }
-      }
-      version = 2
-      send_certreq = no
-      proposals = aes128-sha256-modp3072
-   }
-
-   rw-isolate {
-      local_addrs  = 192.168.0.1
-
-      local {
-         auth = pubkey 
-         id = moon.strongswan.org
-      }
-      remote {
-         auth = eap-radius
-         id = *@strongswan.org
-         groups = isolate
-      }
-      children {
-         rw-isolate {
-            local_ts = 10.1.0.16/28
-
-            updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm16-modp3072
-         }
-      }
-      version = 2
-      send_certreq = no
-      proposals = aes128-sha256-modp3072
-   }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat
deleted file mode 100644
index bb2ce93b3..000000000
--- a/testing/tests/tnc/tnccs-11-radius/pretest.dat
+++ /dev/null
@@ -1,22 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
-moon::systemctl start strongswan-swanctl
-carol::systemctl start strongswan-swanctl
-dave::systemctl start strongswan-swanctl
-moon::expect-connection rw-allow
-moon::expect-connection rw-isolate
-carol::expect-connection home
-carol::swanctl --initiate --child home
-dave::expect-connection home
-dave::swanctl --initiate --child home
diff --git a/testing/tests/tnc/tnccs-11-supplicant/description.txt b/testing/tests/tnc/tnccs-11-supplicant/description.txt
deleted file mode 100644
index 5d0155382..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/description.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-The layer 2 supplicants <b>carol</b> and <b>dave</b> want to connect to a network
-via switch <b>moon</b> which delegates the IEEE 802.1X authentication to the RADIUS
-server <b>alice</b>. <b>carol</b> and <b>dave</b> set up an <b>EAP-TTLS</b> tunnel
-each via <b>moon</b> to the <a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup"> <b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated
-by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-The communication between IMCs and IMVs is based on the  <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
-<p>
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
-are connected by switch <b>moon</b> to the "allow" and "isolate" VLANs, respectively.
diff --git a/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat b/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat
deleted file mode 100644
index 2d43b3c7b..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-carol::cat /var/log/daemon.log::IMC.*changed state.*Allowed::YES
-dave:: cat /var/log/daemon.log::IMC.*changed state.*Isolate::YES
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel
deleted file mode 100644
index e088fae14..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel
+++ /dev/null
@@ -1,32 +0,0 @@
-server inner-tunnel {
-
-authorize {
-	suffix
-	eap {
-		ok = return
-	}
-	files
-}
-
-authenticate {
-	eap
-}
-
-session {
-	radutmp
-}
-
-post-auth {
-	Post-Auth-Type REJECT {
-		attr_filter.access_reject
-	}
-}
-
-pre-proxy {
-}
-
-post-proxy {
-	eap
-}
-
-} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
deleted file mode 100644
index c5bde6a9e..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,36 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
-	eap_tnc {
-		ok = return
-	}
-}
-
-authenticate {
-	eap_tnc
-}
-
-session {
-	radutmp
-}
-
-post-auth {
-	if (control:TNC-Status == "Access") {
-		update reply {
-			Tunnel-Type := ESP
-			Filter-Id := "allow"
-		}
-	}
-	elsif (control:TNC-Status == "Isolate") {
-		update reply {
-			Tunnel-Type := ESP
-			Filter-Id := "isolate"
-		}
-	}
-
-	Post-Auth-Type REJECT {
-		attr_filter.access_reject
-	}
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 7622801ab..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
-  load = random nonce sha1 sha2 md5 gmp pubkey x509
-  debug_level = 3 
-  assessment_result = no
-  plugins {
-    imv-test {
-      rounds = 1 
-    }
-  }
-}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties
deleted file mode 100644
index 2bdc6e4de..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config
deleted file mode 100644
index da732f68b..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan client 
-
-IMV "Test"	/usr/local/lib/ipsec/imcvs/imv-test.so
-IMV "Scanner"	/usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 965752b5e..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
-  load = random nonce sha1 sha2 md5 gmp pubkey x509
-  debug_level = 3
-  plugins {
-    imc-test {
-      command = allow
-    }
-  }
-}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf
deleted file mode 100644
index 00ef0f516..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1 +0,0 @@
-# The strongSwan IMCs are loaded by the WPA supplicant
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config
deleted file mode 100644
index b4288fd53..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf
deleted file mode 100644
index 92d84f570..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf
+++ /dev/null
@@ -1,10 +0,0 @@
- network={
-     ssid="eap_ttls" 
-     scan_ssid=0
-     key_mgmt=IEEE8021X
-     eap=TTLS
-     identity="carol"
-     password="Ar3etTnp"
-     ca_cert="/etc/ipsec.d/cacerts/strongswanCert.pem" 
-     id_str="" 
- }
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index ca1f7d9a5..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
-  load = random nonce sha1 sha2 md5 gmp pubkey x509
-  debug_level = 3
-  plugins {
-    imc-test {
-      command = isolate
-    }
-  }
-}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf
deleted file mode 100644
index 00ef0f516..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1 +0,0 @@
-# The strongSwan IMCs are loaded by the WPA supplicant
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config
deleted file mode 100644
index b4288fd53..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf
deleted file mode 100644
index 37a343df6..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf
+++ /dev/null
@@ -1,10 +0,0 @@
- network={
-     ssid="eap_ttls" 
-     scan_ssid=0
-     key_mgmt=IEEE8021X
-     eap=TTLS
-     identity="dave"
-     password="W7R0g3do"
-     ca_cert="/etc/ipsec.d/cacerts/strongswanCert.pem" 
-     id_str="" 
- }
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf
deleted file mode 100644
index c84fcbd91..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf
+++ /dev/null
@@ -1,1127 +0,0 @@
-##### hostapd configuration file ##############################################
-# Empty lines and lines starting with # are ignored
-
-# AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for
-# management frames); ath0 for madwifi
-interface=eth0
-
-# In case of madwifi, atheros, and nl80211 driver interfaces, an additional
-# configuration parameter, bridge, may be used to notify hostapd if the
-# interface is included in a bridge. This parameter is not used with Host AP
-# driver. If the bridge parameter is not set, the drivers will automatically
-# figure out the bridge interface (assuming sysfs is enabled and mounted to
-# /sys) and this parameter may not be needed.
-#
-# For nl80211, this parameter can be used to request the AP interface to be
-# added to the bridge automatically (brctl may refuse to do this before hostapd
-# has been started to change the interface mode). If needed, the bridge
-# interface is also created.
-#bridge=br0
-
-# Driver interface type (hostap/wired/madwifi/test/none/nl80211/bsd);
-# default: hostap). nl80211 is used with all Linux mac80211 drivers.
-# Use driver=none if building hostapd as a standalone RADIUS server that does
-# not control any wireless/wired driver.
-driver=wired
-
-# hostapd event logger configuration
-#
-# Two output method: syslog and stdout (only usable if not forking to
-# background).
-#
-# Module bitfield (ORed bitfield of modules that will be logged; -1 = all
-# modules):
-# bit 0 (1) = IEEE 802.11
-# bit 1 (2) = IEEE 802.1X
-# bit 2 (4) = RADIUS
-# bit 3 (8) = WPA
-# bit 4 (16) = driver interface
-# bit 5 (32) = IAPP
-# bit 6 (64) = MLME
-#
-# Levels (minimum value for logged events):
-#  0 = verbose debugging
-#  1 = debugging
-#  2 = informational messages
-#  3 = notification
-#  4 = warning
-#
-logger_syslog=-1
-logger_syslog_level=2
-logger_stdout=-1
-logger_stdout_level=0
-
-# Dump file for state information (on SIGUSR1)
-dump_file=/tmp/hostapd.dump
-
-# Interface for separate control program. If this is specified, hostapd
-# will create this directory and a UNIX domain socket for listening to requests
-# from external programs (CLI/GUI, etc.) for status information and
-# configuration. The socket file will be named based on the interface name, so
-# multiple hostapd processes/interfaces can be run at the same time if more
-# than one interface is used.
-# /var/run/hostapd is the recommended directory for sockets and by default,
-# hostapd_cli will use it when trying to connect with hostapd.
-ctrl_interface=/var/run/hostapd
-
-# Access control for the control interface can be configured by setting the
-# directory to allow only members of a group to use sockets. This way, it is
-# possible to run hostapd as root (since it needs to change network
-# configuration and open raw sockets) and still allow GUI/CLI components to be
-# run as non-root users. However, since the control interface can be used to
-# change the network configuration, this access needs to be protected in many
-# cases. By default, hostapd is configured to use gid 0 (root). If you
-# want to allow non-root users to use the contron interface, add a new group
-# and change this value to match with that group. Add users that should have
-# control interface access to this group.
-#
-# This variable can be a group name or gid.
-#ctrl_interface_group=wheel
-ctrl_interface_group=0
-
-
-##### IEEE 802.11 related configuration #######################################
-
-# SSID to be used in IEEE 802.11 management frames
-#ssid=test
-
-# Country code (ISO/IEC 3166-1). Used to set regulatory domain.
-# Set as needed to indicate country in which device is operating.
-# This can limit available channels and transmit power.
-#country_code=US
-
-# Enable IEEE 802.11d. This advertises the country_code and the set of allowed
-# channels and transmit power levels based on the regulatory limits. The
-# country_code setting must be configured with the correct country for
-# IEEE 802.11d functions.
-# (default: 0 = disabled)
-#ieee80211d=1
-
-# Operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g,
-# Default: IEEE 802.11b
-hw_mode=g
-
-# Channel number (IEEE 802.11)
-# (default: 0, i.e., not set)
-# Please note that some drivers do not use this value from hostapd and the
-# channel will need to be configured separately with iwconfig.
-channel=1
-
-# Beacon interval in kus (1.024 ms) (default: 100; range 15..65535)
-beacon_int=100
-
-# DTIM (delivery traffic information message) period (range 1..255):
-# number of beacons between DTIMs (1 = every beacon includes DTIM element)
-# (default: 2)
-dtim_period=2
-
-# Maximum number of stations allowed in station table. New stations will be
-# rejected after the station table is full. IEEE 802.11 has a limit of 2007
-# different association IDs, so this number should not be larger than that.
-# (default: 2007)
-max_num_sta=255
-
-# RTS/CTS threshold; 2347 = disabled (default); range 0..2347
-# If this field is not included in hostapd.conf, hostapd will not control
-# RTS threshold and 'iwconfig wlan# rts <val>' can be used to set it.
-rts_threshold=2347
-
-# Fragmentation threshold; 2346 = disabled (default); range 256..2346
-# If this field is not included in hostapd.conf, hostapd will not control
-# fragmentation threshold and 'iwconfig wlan# frag <val>' can be used to set
-# it.
-fragm_threshold=2346
-
-# Rate configuration
-# Default is to enable all rates supported by the hardware. This configuration
-# item allows this list be filtered so that only the listed rates will be left
-# in the list. If the list is empty, all rates are used. This list can have
-# entries that are not in the list of rates the hardware supports (such entries
-# are ignored). The entries in this list are in 100 kbps, i.e., 11 Mbps = 110.
-# If this item is present, at least one rate have to be matching with the rates
-# hardware supports.
-# default: use the most common supported rate setting for the selected
-# hw_mode (i.e., this line can be removed from configuration file in most
-# cases)
-#supported_rates=10 20 55 110 60 90 120 180 240 360 480 540
-
-# Basic rate set configuration
-# List of rates (in 100 kbps) that are included in the basic rate set.
-# If this item is not included, usually reasonable default set is used.
-#basic_rates=10 20
-#basic_rates=10 20 55 110
-#basic_rates=60 120 240
-
-# Short Preamble
-# This parameter can be used to enable optional use of short preamble for
-# frames sent at 2 Mbps, 5.5 Mbps, and 11 Mbps to improve network performance.
-# This applies only to IEEE 802.11b-compatible networks and this should only be
-# enabled if the local hardware supports use of short preamble. If any of the
-# associated STAs do not support short preamble, use of short preamble will be
-# disabled (and enabled when such STAs disassociate) dynamically.
-# 0 = do not allow use of short preamble (default)
-# 1 = allow use of short preamble
-#preamble=1
-
-# Station MAC address -based authentication
-# Please note that this kind of access control requires a driver that uses
-# hostapd to take care of management frame processing and as such, this can be
-# used with driver=hostap or driver=nl80211, but not with driver=madwifi.
-# 0 = accept unless in deny list
-# 1 = deny unless in accept list
-# 2 = use external RADIUS server (accept/deny lists are searched first)
-macaddr_acl=0
-
-# Accept/deny lists are read from separate files (containing list of
-# MAC addresses, one per line). Use absolute path name to make sure that the
-# files can be read on SIGHUP configuration reloads.
-#accept_mac_file=/etc/hostapd.accept
-#deny_mac_file=/etc/hostapd.deny
-
-# IEEE 802.11 specifies two authentication algorithms. hostapd can be
-# configured to allow both of these or only one. Open system authentication
-# should be used with IEEE 802.1X.
-# Bit fields of allowed authentication algorithms:
-# bit 0 = Open System Authentication
-# bit 1 = Shared Key Authentication (requires WEP)
-auth_algs=3
-
-# Send empty SSID in beacons and ignore probe request frames that do not
-# specify full SSID, i.e., require stations to know SSID.
-# default: disabled (0)
-# 1 = send empty (length=0) SSID in beacon and ignore probe request for
-#     broadcast SSID
-# 2 = clear SSID (ASCII 0), but keep the original length (this may be required
-#     with some clients that do not support empty SSID) and ignore probe
-#     requests for broadcast SSID
-ignore_broadcast_ssid=0
-
-# TX queue parameters (EDCF / bursting)
-# tx_queue_<queue name>_<param>
-# queues: data0, data1, data2, data3, after_beacon, beacon
-#		(data0 is the highest priority queue)
-# parameters:
-#   aifs: AIFS (default 2)
-#   cwmin: cwMin (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023)
-#   cwmax: cwMax (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023); cwMax >= cwMin
-#   burst: maximum length (in milliseconds with precision of up to 0.1 ms) for
-#          bursting
-#
-# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e):
-# These parameters are used by the access point when transmitting frames
-# to the clients.
-#
-# Low priority / AC_BK = background
-#tx_queue_data3_aifs=7
-#tx_queue_data3_cwmin=15
-#tx_queue_data3_cwmax=1023
-#tx_queue_data3_burst=0
-# Note: for IEEE 802.11b mode: cWmin=31 cWmax=1023 burst=0
-#
-# Normal priority / AC_BE = best effort
-#tx_queue_data2_aifs=3
-#tx_queue_data2_cwmin=15
-#tx_queue_data2_cwmax=63
-#tx_queue_data2_burst=0
-# Note: for IEEE 802.11b mode: cWmin=31 cWmax=127 burst=0
-#
-# High priority / AC_VI = video
-#tx_queue_data1_aifs=1
-#tx_queue_data1_cwmin=7
-#tx_queue_data1_cwmax=15
-#tx_queue_data1_burst=3.0
-# Note: for IEEE 802.11b mode: cWmin=15 cWmax=31 burst=6.0
-#
-# Highest priority / AC_VO = voice
-#tx_queue_data0_aifs=1
-#tx_queue_data0_cwmin=3
-#tx_queue_data0_cwmax=7
-#tx_queue_data0_burst=1.5
-# Note: for IEEE 802.11b mode: cWmin=7 cWmax=15 burst=3.3
-
-# 802.1D Tag (= UP) to AC mappings
-# WMM specifies following mapping of data frames to different ACs. This mapping
-# can be configured using Linux QoS/tc and sch_pktpri.o module.
-# 802.1D Tag	802.1D Designation	Access Category	WMM Designation
-# 1		BK			AC_BK		Background
-# 2		-			AC_BK		Background
-# 0		BE			AC_BE		Best Effort
-# 3		EE			AC_BE		Best Effort
-# 4		CL			AC_VI		Video
-# 5		VI			AC_VI		Video
-# 6		VO			AC_VO		Voice
-# 7		NC			AC_VO		Voice
-# Data frames with no priority information: AC_BE
-# Management frames: AC_VO
-# PS-Poll frames: AC_BE
-
-# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e):
-# for 802.11a or 802.11g networks
-# These parameters are sent to WMM clients when they associate.
-# The parameters will be used by WMM clients for frames transmitted to the
-# access point.
-#
-# note - txop_limit is in units of 32microseconds
-# note - acm is admission control mandatory flag. 0 = admission control not
-# required, 1 = mandatory
-# note - here cwMin and cmMax are in exponent form. the actual cw value used
-# will be (2^n)-1 where n is the value given here
-#
-wmm_enabled=1
-#
-# WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD]
-# Enable this flag if U-APSD supported outside hostapd (eg., Firmware/driver)
-#uapsd_advertisement_enabled=1
-#
-# Low priority / AC_BK = background
-wmm_ac_bk_cwmin=4
-wmm_ac_bk_cwmax=10
-wmm_ac_bk_aifs=7
-wmm_ac_bk_txop_limit=0
-wmm_ac_bk_acm=0
-# Note: for IEEE 802.11b mode: cWmin=5 cWmax=10
-#
-# Normal priority / AC_BE = best effort
-wmm_ac_be_aifs=3
-wmm_ac_be_cwmin=4
-wmm_ac_be_cwmax=10
-wmm_ac_be_txop_limit=0
-wmm_ac_be_acm=0
-# Note: for IEEE 802.11b mode: cWmin=5 cWmax=7
-#
-# High priority / AC_VI = video
-wmm_ac_vi_aifs=2
-wmm_ac_vi_cwmin=3
-wmm_ac_vi_cwmax=4
-wmm_ac_vi_txop_limit=94
-wmm_ac_vi_acm=0
-# Note: for IEEE 802.11b mode: cWmin=4 cWmax=5 txop_limit=188
-#
-# Highest priority / AC_VO = voice
-wmm_ac_vo_aifs=2
-wmm_ac_vo_cwmin=2
-wmm_ac_vo_cwmax=3
-wmm_ac_vo_txop_limit=47
-wmm_ac_vo_acm=0
-# Note: for IEEE 802.11b mode: cWmin=3 cWmax=4 burst=102
-
-# Static WEP key configuration
-#
-# The key number to use when transmitting.
-# It must be between 0 and 3, and the corresponding key must be set.
-# default: not set
-#wep_default_key=0
-# The WEP keys to use.
-# A key may be a quoted string or unquoted hexadecimal digits.
-# The key length should be 5, 13, or 16 characters, or 10, 26, or 32
-# digits, depending on whether 40-bit (64-bit), 104-bit (128-bit), or
-# 128-bit (152-bit) WEP is used.
-# Only the default key must be supplied; the others are optional.
-# default: not set
-#wep_key0=123456789a
-#wep_key1="vwxyz"
-#wep_key2=0102030405060708090a0b0c0d
-#wep_key3=".2.4.6.8.0.23"
-
-# Station inactivity limit
-#
-# If a station does not send anything in ap_max_inactivity seconds, an
-# empty data frame is sent to it in order to verify whether it is
-# still in range. If this frame is not ACKed, the station will be
-# disassociated and then deauthenticated. This feature is used to
-# clear station table of old entries when the STAs move out of the
-# range.
-#
-# The station can associate again with the AP if it is still in range;
-# this inactivity poll is just used as a nicer way of verifying
-# inactivity; i.e., client will not report broken connection because
-# disassociation frame is not sent immediately without first polling
-# the STA with a data frame.
-# default: 300 (i.e., 5 minutes)
-ap_max_inactivity=30
-
-# Disassociate stations based on excessive transmission failures or other
-# indications of connection loss. This depends on the driver capabilities and
-# may not be available with all drivers.
-#disassoc_low_ack=1
-
-# Maximum allowed Listen Interval (how many Beacon periods STAs are allowed to
-# remain asleep). Default: 65535 (no limit apart from field size)
-#max_listen_interval=100
-
-# WDS (4-address frame) mode with per-station virtual interfaces
-# (only supported with driver=nl80211)
-# This mode allows associated stations to use 4-address frames to allow layer 2
-# bridging to be used.
-#wds_sta=1
-
-# If bridge parameter is set, the WDS STA interface will be added to the same
-# bridge by default. This can be overridden with the wds_bridge parameter to
-# use a separate bridge.
-#wds_bridge=wds-br0
-
-# Client isolation can be used to prevent low-level bridging of frames between
-# associated stations in the BSS. By default, this bridging is allowed.
-#ap_isolate=1
-
-##### IEEE 802.11n related configuration ######################################
-
-# ieee80211n: Whether IEEE 802.11n (HT) is enabled
-# 0 = disabled (default)
-# 1 = enabled
-# Note: You will also need to enable WMM for full HT functionality.
-#ieee80211n=1
-
-# ht_capab: HT capabilities (list of flags)
-# LDPC coding capability: [LDPC] = supported
-# Supported channel width set: [HT40-] = both 20 MHz and 40 MHz with secondary
-#	channel below the primary channel; [HT40+] = both 20 MHz and 40 MHz
-#	with secondary channel below the primary channel
-#	(20 MHz only if neither is set)
-#	Note: There are limits on which channels can be used with HT40- and
-#	HT40+. Following table shows the channels that may be available for
-#	HT40- and HT40+ use per IEEE 802.11n Annex J:
-#	freq		HT40-		HT40+
-#	2.4 GHz		5-13		1-7 (1-9 in Europe/Japan)
-#	5 GHz		40,48,56,64	36,44,52,60
-#	(depending on the location, not all of these channels may be available
-#	for use)
-#	Please note that 40 MHz channels may switch their primary and secondary
-#	channels if needed or creation of 40 MHz channel maybe rejected based
-#	on overlapping BSSes. These changes are done automatically when hostapd
-#	is setting up the 40 MHz channel.
-# Spatial Multiplexing (SM) Power Save: [SMPS-STATIC] or [SMPS-DYNAMIC]
-#	(SMPS disabled if neither is set)
-# HT-greenfield: [GF] (disabled if not set)
-# Short GI for 20 MHz: [SHORT-GI-20] (disabled if not set)
-# Short GI for 40 MHz: [SHORT-GI-40] (disabled if not set)
-# Tx STBC: [TX-STBC] (disabled if not set)
-# Rx STBC: [RX-STBC1] (one spatial stream), [RX-STBC12] (one or two spatial
-#	streams), or [RX-STBC123] (one, two, or three spatial streams); Rx STBC
-#	disabled if none of these set
-# HT-delayed Block Ack: [DELAYED-BA] (disabled if not set)
-# Maximum A-MSDU length: [MAX-AMSDU-7935] for 7935 octets (3839 octets if not
-#	set)
-# DSSS/CCK Mode in 40 MHz: [DSSS_CCK-40] = allowed (not allowed if not set)
-# PSMP support: [PSMP] (disabled if not set)
-# L-SIG TXOP protection support: [LSIG-TXOP-PROT] (disabled if not set)
-#ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40]
-
-# Require stations to support HT PHY (reject association if they do not)
-#require_ht=1
-
-##### IEEE 802.1X-2004 related configuration ##################################
-
-# Require IEEE 802.1X authorization
-ieee8021x=1
-
-# IEEE 802.1X/EAPOL version
-# hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL
-# version 2. However, there are many client implementations that do not handle
-# the new version number correctly (they seem to drop the frames completely).
-# In order to make hostapd interoperate with these clients, the version number
-# can be set to the older version (1) with this configuration value.
-#eapol_version=2
-
-# Optional displayable message sent with EAP Request-Identity. The first \0
-# in this string will be converted to ASCII-0 (nul). This can be used to
-# separate network info (comma separated list of attribute=value pairs); see,
-# e.g., RFC 4284.
-#eap_message=hello
-#eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com
-
-# WEP rekeying (disabled if key lengths are not set or are set to 0)
-# Key lengths for default/broadcast and individual/unicast keys:
-# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)
-# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)
-#wep_key_len_broadcast=5
-#wep_key_len_unicast=5
-# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once)
-#wep_rekey_period=300
-
-# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if
-# only broadcast keys are used)
-eapol_key_index_workaround=0
-
-# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable
-# reauthentication).
-#eap_reauth_period=3600
-
-# Use PAE group address (01:80:c2:00:00:03) instead of individual target
-# address when sending EAPOL frames with driver=wired. This is the most common
-# mechanism used in wired authentication, but it also requires that the port
-# is only used by one station.
-#use_pae_group_addr=1
-
-##### Integrated EAP server ###################################################
-
-# Optionally, hostapd can be configured to use an integrated EAP server
-# to process EAP authentication locally without need for an external RADIUS
-# server. This functionality can be used both as a local authentication server
-# for IEEE 802.1X/EAPOL and as a RADIUS server for other devices.
-
-# Use integrated EAP server instead of external RADIUS authentication
-# server. This is also needed if hostapd is configured to act as a RADIUS
-# authentication server.
-eap_server=0
-
-# Path for EAP server user database
-#eap_user_file=/etc/hostapd.eap_user
-
-# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
-#ca_cert=/etc/hostapd.ca.pem
-
-# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
-#server_cert=/etc/hostapd.server.pem
-
-# Private key matching with the server certificate for EAP-TLS/PEAP/TTLS
-# This may point to the same file as server_cert if both certificate and key
-# are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be
-# used by commenting out server_cert and specifying the PFX file as the
-# private_key.
-#private_key=/etc/hostapd.server.prv
-
-# Passphrase for private key
-#private_key_passwd=secret passphrase
-
-# Enable CRL verification.
-# Note: hostapd does not yet support CRL downloading based on CDP. Thus, a
-# valid CRL signed by the CA is required to be included in the ca_cert file.
-# This can be done by using PEM format for CA certificate and CRL and
-# concatenating these into one file. Whenever CRL changes, hostapd needs to be
-# restarted to take the new CRL into use.
-# 0 = do not verify CRLs (default)
-# 1 = check the CRL of the user certificate
-# 2 = check all CRLs in the certificate path
-#check_crl=1
-
-# dh_file: File path to DH/DSA parameters file (in PEM format)
-# This is an optional configuration file for setting parameters for an
-# ephemeral DH key exchange. In most cases, the default RSA authentication does
-# not use this configuration. However, it is possible setup RSA to use
-# ephemeral DH key exchange. In addition, ciphers with DSA keys always use
-# ephemeral DH keys. This can be used to achieve forward secrecy. If the file
-# is in DSA parameters format, it will be automatically converted into DH
-# params. This parameter is required if anonymous EAP-FAST is used.
-# You can generate DH parameters file with OpenSSL, e.g.,
-# "openssl dhparam -out /etc/hostapd.dh.pem 1024"
-#dh_file=/etc/hostapd.dh.pem
-
-# Fragment size for EAP methods
-#fragment_size=1400
-
-# Configuration data for EAP-SIM database/authentication gateway interface.
-# This is a text string in implementation specific format. The example
-# implementation in eap_sim_db.c uses this as the UNIX domain socket name for
-# the HLR/AuC gateway (e.g., hlr_auc_gw). In this case, the path uses "unix:"
-# prefix.
-#eap_sim_db=unix:/tmp/hlr_auc_gw.sock
-
-# Encryption key for EAP-FAST PAC-Opaque values. This key must be a secret,
-# random value. It is configured as a 16-octet value in hex format. It can be
-# generated, e.g., with the following command:
-# od -tx1 -v -N16 /dev/random | colrm 1 8 | tr -d ' '
-#pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
-
-# EAP-FAST authority identity (A-ID)
-# A-ID indicates the identity of the authority that issues PACs. The A-ID
-# should be unique across all issuing servers. In theory, this is a variable
-# length field, but due to some existing implementations requiring A-ID to be
-# 16 octets in length, it is strongly recommended to use that length for the
-# field to provid interoperability with deployed peer implementations. This
-# field is configured in hex format.
-#eap_fast_a_id=101112131415161718191a1b1c1d1e1f
-
-# EAP-FAST authority identifier information (A-ID-Info)
-# This is a user-friendly name for the A-ID. For example, the enterprise name
-# and server name in a human-readable format. This field is encoded as UTF-8.
-#eap_fast_a_id_info=test server
-
-# Enable/disable different EAP-FAST provisioning modes:
-#0 = provisioning disabled
-#1 = only anonymous provisioning allowed
-#2 = only authenticated provisioning allowed
-#3 = both provisioning modes allowed (default)
-#eap_fast_prov=3
-
-# EAP-FAST PAC-Key lifetime in seconds (hard limit)
-#pac_key_lifetime=604800
-
-# EAP-FAST PAC-Key refresh time in seconds (soft limit on remaining hard
-# limit). The server will generate a new PAC-Key when this number of seconds
-# (or fewer) of the lifetime remains.
-#pac_key_refresh_time=86400
-
-# EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND
-# (default: 0 = disabled).
-#eap_sim_aka_result_ind=1
-
-# Trusted Network Connect (TNC)
-# If enabled, TNC validation will be required before the peer is allowed to
-# connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other
-# EAP method is enabled, the peer will be allowed to connect without TNC.
-#tnc=1
-
-
-##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################
-
-# Interface to be used for IAPP broadcast packets
-#iapp_interface=eth0
-
-
-##### RADIUS client configuration #############################################
-# for IEEE 802.1X with external Authentication Server, IEEE 802.11
-# authentication with external ACL for MAC addresses, and accounting
-
-# The own IP address of the access point (used as NAS-IP-Address)
-own_ip_addr=10.1.0.1
-
-# Optional NAS-Identifier string for RADIUS messages. When used, this should be
-# a unique to the NAS within the scope of the RADIUS server. For example, a
-# fully qualified domain name can be used here.
-# When using IEEE 802.11r, nas_identifier must be set and must be between 1 and
-# 48 octets long.
-#nas_identifier=ap.example.com
-
-# RADIUS authentication server
-auth_server_addr=10.1.0.10
-#auth_server_port=1812
-auth_server_shared_secret=gv6URkSs
-
-# RADIUS accounting server
-#acct_server_addr=127.0.0.1
-#acct_server_port=1813
-#acct_server_shared_secret=secret
-
-# Secondary RADIUS servers; to be used if primary one does not reply to
-# RADIUS packets. These are optional and there can be more than one secondary
-# server listed.
-#auth_server_addr=127.0.0.2
-#auth_server_port=1812
-#auth_server_shared_secret=secret2
-#
-#acct_server_addr=127.0.0.2
-#acct_server_port=1813
-#acct_server_shared_secret=secret2
-
-# Retry interval for trying to return to the primary RADIUS server (in
-# seconds). RADIUS client code will automatically try to use the next server
-# when the current server is not replying to requests. If this interval is set,
-# primary server will be retried after configured amount of time even if the
-# currently used secondary server is still working.
-#radius_retry_primary_interval=600
-
-
-# Interim accounting update interval
-# If this is set (larger than 0) and acct_server is configured, hostapd will
-# send interim accounting updates every N seconds. Note: if set, this overrides
-# possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this
-# value should not be configured in hostapd.conf, if RADIUS server is used to
-# control the interim interval.
-# This value should not be less 600 (10 minutes) and must not be less than
-# 60 (1 minute).
-#radius_acct_interim_interval=600
-
-# Dynamic VLAN mode; allow RADIUS authentication server to decide which VLAN
-# is used for the stations. This information is parsed from following RADIUS
-# attributes based on RFC 3580 and RFC 2868: Tunnel-Type (value 13 = VLAN),
-# Tunnel-Medium-Type (value 6 = IEEE 802), Tunnel-Private-Group-ID (value
-# VLANID as a string). vlan_file option below must be configured if dynamic
-# VLANs are used. Optionally, the local MAC ACL list (accept_mac_file) can be
-# used to set static client MAC address to VLAN ID mapping.
-# 0 = disabled (default)
-# 1 = option; use default interface if RADIUS server does not include VLAN ID
-# 2 = required; reject authentication if RADIUS server does not include VLAN ID
-#dynamic_vlan=0
-
-# VLAN interface list for dynamic VLAN mode is read from a separate text file.
-# This list is used to map VLAN ID from the RADIUS server to a network
-# interface. Each station is bound to one interface in the same way as with
-# multiple BSSIDs or SSIDs. Each line in this text file is defining a new
-# interface and the line must include VLAN ID and interface name separated by
-# white space (space or tab).
-#vlan_file=/etc/hostapd.vlan
-
-# Interface where 802.1q tagged packets should appear when a RADIUS server is
-# used to determine which VLAN a station is on.  hostapd creates a bridge for
-# each VLAN.  Then hostapd adds a VLAN interface (associated with the interface
-# indicated by 'vlan_tagged_interface') and the appropriate wireless interface
-# to the bridge.
-#vlan_tagged_interface=eth0
-
-
-##### RADIUS authentication server configuration ##############################
-
-# hostapd can be used as a RADIUS authentication server for other hosts. This
-# requires that the integrated EAP server is also enabled and both
-# authentication services are sharing the same configuration.
-
-# File name of the RADIUS clients configuration for the RADIUS server. If this
-# commented out, RADIUS server is disabled.
-#radius_server_clients=/etc/hostapd.radius_clients
-
-# The UDP port number for the RADIUS authentication server
-#radius_server_auth_port=1812
-
-# Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API)
-#radius_server_ipv6=1
-
-
-##### WPA/IEEE 802.11i configuration ##########################################
-
-# Enable WPA. Setting this variable configures the AP to require WPA (either
-# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
-# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
-# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
-# RADIUS authentication server must be configured, and WPA-EAP must be included
-# in wpa_key_mgmt.
-# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
-# and/or WPA2 (full IEEE 802.11i/RSN):
-# bit0 = WPA
-# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
-#wpa=1
-
-# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
-# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
-# (8..63 characters) that will be converted to PSK. This conversion uses SSID
-# so the PSK changes when ASCII passphrase is used and the SSID is changed.
-# wpa_psk (dot11RSNAConfigPSKValue)
-# wpa_passphrase (dot11RSNAConfigPSKPassPhrase)
-#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
-#wpa_passphrase=secret passphrase
-
-# Optionally, WPA PSKs can be read from a separate text file (containing list
-# of (PSK,MAC address) pairs. This allows more than one PSK to be configured.
-# Use absolute path name to make sure that the files can be read on SIGHUP
-# configuration reloads.
-#wpa_psk_file=/etc/hostapd.wpa_psk
-
-# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
-# entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be
-# added to enable SHA256-based stronger algorithms.
-# (dot11RSNAConfigAuthenticationSuitesTable)
-#wpa_key_mgmt=WPA-PSK WPA-EAP
-
-# Set of accepted cipher suites (encryption algorithms) for pairwise keys
-# (unicast packets). This is a space separated list of algorithms:
-# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
-# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
-# Group cipher suite (encryption algorithm for broadcast and multicast frames)
-# is automatically selected based on this configuration. If only CCMP is
-# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
-# TKIP will be used as the group cipher.
-# (dot11RSNAConfigPairwiseCiphersTable)
-# Pairwise cipher for WPA (v1) (default: TKIP)
-#wpa_pairwise=TKIP CCMP
-# Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value)
-#rsn_pairwise=CCMP
-
-# Time interval for rekeying GTK (broadcast/multicast encryption keys) in
-# seconds. (dot11RSNAConfigGroupRekeyTime)
-#wpa_group_rekey=600
-
-# Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
-# (dot11RSNAConfigGroupRekeyStrict)
-#wpa_strict_rekey=1
-
-# Time interval for rekeying GMK (master key used internally to generate GTKs
-# (in seconds).
-#wpa_gmk_rekey=86400
-
-# Maximum lifetime for PTK in seconds. This can be used to enforce rekeying of
-# PTK to mitigate some attacks against TKIP deficiencies.
-#wpa_ptk_rekey=600
-
-# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
-# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
-# authentication and key handshake before actually associating with a new AP.
-# (dot11RSNAPreauthenticationEnabled)
-#rsn_preauth=1
-#
-# Space separated list of interfaces from which pre-authentication frames are
-# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all
-# interface that are used for connections to other APs. This could include
-# wired interfaces and WDS links. The normal wireless data interface towards
-# associated stations (e.g., wlan0) should not be added, since
-# pre-authentication is only used with APs other than the currently associated
-# one.
-#rsn_preauth_interfaces=eth0
-
-# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e) is
-# allowed. This is only used with RSN/WPA2.
-# 0 = disabled (default)
-# 1 = enabled
-#peerkey=1
-
-# ieee80211w: Whether management frame protection (MFP) is enabled
-# 0 = disabled (default)
-# 1 = optional
-# 2 = required
-#ieee80211w=0
-
-# Association SA Query maximum timeout (in TU = 1.024 ms; for MFP)
-# (maximum time to wait for a SA Query response)
-# dot11AssociationSAQueryMaximumTimeout, 1...4294967295
-#assoc_sa_query_max_timeout=1000
-
-# Association SA Query retry timeout (in TU = 1.024 ms; for MFP)
-# (time between two subsequent SA Query requests)
-# dot11AssociationSAQueryRetryTimeout, 1...4294967295
-#assoc_sa_query_retry_timeout=201
-
-# disable_pmksa_caching: Disable PMKSA caching
-# This parameter can be used to disable caching of PMKSA created through EAP
-# authentication. RSN preauthentication may still end up using PMKSA caching if
-# it is enabled (rsn_preauth=1).
-# 0 = PMKSA caching enabled (default)
-# 1 = PMKSA caching disabled
-#disable_pmksa_caching=0
-
-# okc: Opportunistic Key Caching (aka Proactive Key Caching)
-# Allow PMK cache to be shared opportunistically among configured interfaces
-# and BSSes (i.e., all configurations within a single hostapd process).
-# 0 = disabled (default)
-# 1 = enabled
-#okc=1
-
-
-##### IEEE 802.11r configuration ##############################################
-
-# Mobility Domain identifier (dot11FTMobilityDomainID, MDID)
-# MDID is used to indicate a group of APs (within an ESS, i.e., sharing the
-# same SSID) between which a STA can use Fast BSS Transition.
-# 2-octet identifier as a hex string.
-#mobility_domain=a1b2
-
-# PMK-R0 Key Holder identifier (dot11FTR0KeyHolderID)
-# 1 to 48 octet identifier.
-# This is configured with nas_identifier (see RADIUS client section above).
-
-# Default lifetime of the PMK-RO in minutes; range 1..65535
-# (dot11FTR0KeyLifetime)
-#r0_key_lifetime=10000
-
-# PMK-R1 Key Holder identifier (dot11FTR1KeyHolderID)
-# 6-octet identifier as a hex string.
-#r1_key_holder=000102030405
-
-# Reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535)
-# (dot11FTReassociationDeadline)
-#reassociation_deadline=1000
-
-# List of R0KHs in the same Mobility Domain
-# format: <MAC address> <NAS Identifier> <128-bit key as hex string>
-# This list is used to map R0KH-ID (NAS Identifier) to a destination MAC
-# address when requesting PMK-R1 key from the R0KH that the STA used during the
-# Initial Mobility Domain Association.
-#r0kh=02:01:02:03:04:05 r0kh-1.example.com 000102030405060708090a0b0c0d0e0f
-#r0kh=02:01:02:03:04:06 r0kh-2.example.com 00112233445566778899aabbccddeeff
-# And so on.. One line per R0KH.
-
-# List of R1KHs in the same Mobility Domain
-# format: <MAC address> <R1KH-ID> <128-bit key as hex string>
-# This list is used to map R1KH-ID to a destination MAC address when sending
-# PMK-R1 key from the R0KH. This is also the list of authorized R1KHs in the MD
-# that can request PMK-R1 keys.
-#r1kh=02:01:02:03:04:05 02:11:22:33:44:55 000102030405060708090a0b0c0d0e0f
-#r1kh=02:01:02:03:04:06 02:11:22:33:44:66 00112233445566778899aabbccddeeff
-# And so on.. One line per R1KH.
-
-# Whether PMK-R1 push is enabled at R0KH
-# 0 = do not push PMK-R1 to all configured R1KHs (default)
-# 1 = push PMK-R1 to all configured R1KHs whenever a new PMK-R0 is derived
-#pmk_r1_push=1
-
-##### Neighbor table ##########################################################
-# Maximum number of entries kept in AP table (either for neigbor table or for
-# detecting Overlapping Legacy BSS Condition). The oldest entry will be
-# removed when adding a new entry that would make the list grow over this
-# limit. Note! WFA certification for IEEE 802.11g requires that OLBC is
-# enabled, so this field should not be set to 0 when using IEEE 802.11g.
-# default: 255
-#ap_table_max_size=255
-
-# Number of seconds of no frames received after which entries may be deleted
-# from the AP table. Since passive scanning is not usually performed frequently
-# this should not be set to very small value. In addition, there is no
-# guarantee that every scan cycle will receive beacon frames from the
-# neighboring APs.
-# default: 60
-#ap_table_expiration_time=3600
-
-
-##### Wi-Fi Protected Setup (WPS) #############################################
-
-# WPS state
-# 0 = WPS disabled (default)
-# 1 = WPS enabled, not configured
-# 2 = WPS enabled, configured
-#wps_state=2
-
-# AP can be configured into a locked state where new WPS Registrar are not
-# accepted, but previously authorized Registrars (including the internal one)
-# can continue to add new Enrollees.
-#ap_setup_locked=1
-
-# Universally Unique IDentifier (UUID; see RFC 4122) of the device
-# This value is used as the UUID for the internal WPS Registrar. If the AP
-# is also using UPnP, this value should be set to the device's UPnP UUID.
-# If not configured, UUID will be generated based on the local MAC address.
-#uuid=12345678-9abc-def0-1234-56789abcdef0
-
-# Note: If wpa_psk_file is set, WPS is used to generate random, per-device PSKs
-# that will be appended to the wpa_psk_file. If wpa_psk_file is not set, the
-# default PSK (wpa_psk/wpa_passphrase) will be delivered to Enrollees. Use of
-# per-device PSKs is recommended as the more secure option (i.e., make sure to
-# set wpa_psk_file when using WPS with WPA-PSK).
-
-# When an Enrollee requests access to the network with PIN method, the Enrollee
-# PIN will need to be entered for the Registrar. PIN request notifications are
-# sent to hostapd ctrl_iface monitor. In addition, they can be written to a
-# text file that could be used, e.g., to populate the AP administration UI with
-# pending PIN requests. If the following variable is set, the PIN requests will
-# be written to the configured file.
-#wps_pin_requests=/var/run/hostapd_wps_pin_requests
-
-# Device Name
-# User-friendly description of device; up to 32 octets encoded in UTF-8
-#device_name=Wireless AP
-
-# Manufacturer
-# The manufacturer of the device (up to 64 ASCII characters)
-#manufacturer=Company
-
-# Model Name
-# Model of the device (up to 32 ASCII characters)
-#model_name=WAP
-
-# Model Number
-# Additional device description (up to 32 ASCII characters)
-#model_number=123
-
-# Serial Number
-# Serial number of the device (up to 32 characters)
-#serial_number=12345
-
-# Primary Device Type
-# Used format: <categ>-<OUI>-<subcateg>
-# categ = Category as an integer value
-# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
-#       default WPS OUI
-# subcateg = OUI-specific Sub Category as an integer value
-# Examples:
-#   1-0050F204-1 (Computer / PC)
-#   1-0050F204-2 (Computer / Server)
-#   5-0050F204-1 (Storage / NAS)
-#   6-0050F204-1 (Network Infrastructure / AP)
-#device_type=6-0050F204-1
-
-# OS Version
-# 4-octet operating system version number (hex string)
-#os_version=01020300
-
-# Config Methods
-# List of the supported configuration methods
-# Available methods: usba ethernet label display ext_nfc_token int_nfc_token
-#	nfc_interface push_button keypad virtual_display physical_display
-#	virtual_push_button physical_push_button
-#config_methods=label virtual_display virtual_push_button keypad
-
-# WPS capability discovery workaround for PBC with Windows 7
-# Windows 7 uses incorrect way of figuring out AP's WPS capabilities by acting
-# as a Registrar and using M1 from the AP. The config methods attribute in that
-# message is supposed to indicate only the configuration method supported by
-# the AP in Enrollee role, i.e., to add an external Registrar. For that case,
-# PBC shall not be used and as such, the PushButton config method is removed
-# from M1 by default. If pbc_in_m1=1 is included in the configuration file,
-# the PushButton config method is left in M1 (if included in config_methods
-# parameter) to allow Windows 7 to use PBC instead of PIN (e.g., from a label
-# in the AP).
-#pbc_in_m1=1
-
-# Static access point PIN for initial configuration and adding Registrars
-# If not set, hostapd will not allow external WPS Registrars to control the
-# access point. The AP PIN can also be set at runtime with hostapd_cli
-# wps_ap_pin command. Use of temporary (enabled by user action) and random
-# AP PIN is much more secure than configuring a static AP PIN here. As such,
-# use of the ap_pin parameter is not recommended if the AP device has means for
-# displaying a random PIN.
-#ap_pin=12345670
-
-# Skip building of automatic WPS credential
-# This can be used to allow the automatically generated Credential attribute to
-# be replaced with pre-configured Credential(s).
-#skip_cred_build=1
-
-# Additional Credential attribute(s)
-# This option can be used to add pre-configured Credential attributes into M8
-# message when acting as a Registrar. If skip_cred_build=1, this data will also
-# be able to override the Credential attribute that would have otherwise been
-# automatically generated based on network configuration. This configuration
-# option points to an external file that much contain the WPS Credential
-# attribute(s) as binary data.
-#extra_cred=hostapd.cred
-
-# Credential processing
-#   0 = process received credentials internally (default)
-#   1 = do not process received credentials; just pass them over ctrl_iface to
-#	external program(s)
-#   2 = process received credentials internally and pass them over ctrl_iface
-#	to external program(s)
-# Note: With wps_cred_processing=1, skip_cred_build should be set to 1 and
-# extra_cred be used to provide the Credential data for Enrollees.
-#
-# wps_cred_processing=1 will disabled automatic updates of hostapd.conf file
-# both for Credential processing and for marking AP Setup Locked based on
-# validation failures of AP PIN. An external program is responsible on updating
-# the configuration appropriately in this case.
-#wps_cred_processing=0
-
-# AP Settings Attributes for M7
-# By default, hostapd generates the AP Settings Attributes for M7 based on the
-# current configuration. It is possible to override this by providing a file
-# with pre-configured attributes. This is similar to extra_cred file format,
-# but the AP Settings attributes are not encapsulated in a Credential
-# attribute.
-#ap_settings=hostapd.ap_settings
-
-# WPS UPnP interface
-# If set, support for external Registrars is enabled.
-#upnp_iface=br0
-
-# Friendly Name (required for UPnP)
-# Short description for end use. Should be less than 64 characters.
-#friendly_name=WPS Access Point
-
-# Manufacturer URL (optional for UPnP)
-#manufacturer_url=http://www.example.com/
-
-# Model Description (recommended for UPnP)
-# Long description for end user. Should be less than 128 characters.
-#model_description=Wireless Access Point
-
-# Model URL (optional for UPnP)
-#model_url=http://www.example.com/model/
-
-# Universal Product Code (optional for UPnP)
-# 12-digit, all-numeric code that identifies the consumer package.
-#upc=123456789012
-
-##### Wi-Fi Direct (P2P) ######################################################
-
-# Enable P2P Device management
-#manage_p2p=1
-
-# Allow cross connection
-#allow_cross_connection=1
-
-#### TDLS (IEEE 802.11z-2010) #################################################
-
-# Prohibit use of TDLS in this BSS
-#tdls_prohibit=1
-
-# Prohibit use of TDLS Channel Switching in this BSS
-#tdls_prohibit_chan_switch=1
-
-##### IEEE 802.11v-2011 #######################################################
-
-# Time advertisement
-# 0 = disabled (default)
-# 2 = UTC time at which the TSF timer is 0
-#time_advertisement=2
-
-# Local time zone as specified in 8.3 of IEEE Std 1003.1-2004:
-# stdoffset[dst[offset][,start[/time],end[/time]]]
-#time_zone=EST5
-
-##### IEEE 802.11u-2011 #######################################################
-
-# Enable Interworking service
-#interworking=1
-
-# Access Network Type
-# 0 = Private network
-# 1 = Private network with guest access
-# 2 = Chargeable public network
-# 3 = Free public network
-# 4 = Personal device network
-# 5 = Emergency services only network
-# 14 = Test or experimental
-# 15 = Wildcard
-#access_network_type=0
-
-# Whether the network provides connectivity to the Internet
-# 0 = Unspecified
-# 1 = Network provides connectivity to the Internet
-#internet=1
-
-# Additional Step Required for Access
-# Note: This is only used with open network, i.e., ASRA shall ne set to 0 if
-# RSN is used.
-#asra=0
-
-# Emergency services reachable
-#esr=0
-
-# Unauthenticated emergency service accessible
-#uesa=0
-
-# Venue Info (optional)
-# The available values are defined in IEEE Std 802.11u-2011, 7.3.1.34.
-# Example values (group,type):
-# 0,0 = Unspecified
-# 1,7 = Convention Center
-# 1,13 = Coffee Shop
-# 2,0 = Unspecified Business
-# 7,1  Private Residence
-#venue_group=7
-#venue_type=1
-
-# Homogeneous ESS identifier (optional; dot11HESSID)
-# If set, this shall be identifical to one of the BSSIDs in the homogeneous
-# ESS and this shall be set to the same value across all BSSs in homogeneous
-# ESS.
-#hessid=02:03:04:05:06:07
-
-# Roaming Consortium List
-# Arbitrary number of Roaming Consortium OIs can be configured with each line
-# adding a new OI to the list. The first three entries are available through
-# Beacon and Probe Response frames. Any additional entry will be available only
-# through ANQP queries. Each OI is between 3 and 15 octets and is configured a
-# a hexstring.
-#roaming_consortium=021122
-#roaming_consortium=2233445566
-
-##### Multiple BSSID support ##################################################
-#
-# Above configuration is using the default interface (wlan#, or multi-SSID VLAN
-# interfaces). Other BSSIDs can be added by using separator 'bss' with
-# default interface name to be allocated for the data packets of the new BSS.
-#
-# hostapd will generate BSSID mask based on the BSSIDs that are
-# configured. hostapd will verify that dev_addr & MASK == dev_addr. If this is
-# not the case, the MAC address of the radio must be changed before starting
-# hostapd (ifconfig wlan0 hw ether <MAC addr>). If a BSSID is configured for
-# every secondary BSS, this limitation is not applied at hostapd and other
-# masks may be used if the driver supports them (e.g., swap the locally
-# administered bit)
-#
-# BSSIDs are assigned in order to each BSS, unless an explicit BSSID is
-# specified using the 'bssid' parameter.
-# If an explicit BSSID is specified, it must be chosen such that it:
-# - results in a valid MASK that covers it and the dev_addr
-# - is not the same as the MAC address of the radio
-# - is not the same as any other explicitly specified BSSID
-#
-# Please note that hostapd uses some of the values configured for the first BSS
-# as the defaults for the following BSSes. However, it is recommended that all
-# BSSes include explicit configuration of all relevant configuration items.
-#
-#bss=wlan0_0
-#ssid=test2
-# most of the above items can be used here (apart from radio interface specific
-# items, like channel)
-
-#bss=wlan0_1
-#bssid=00:13:10:95:fe:0b
-# ...
diff --git a/testing/tests/tnc/tnccs-11-supplicant/posttest.dat b/testing/tests/tnc/tnccs-11-supplicant/posttest.dat
deleted file mode 100644
index b55e0457c..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::killall wpa_supplicant
-dave::killall wpa_supplicant
-moon::killall hostapd
-alice::killall radiusd
-alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
diff --git a/testing/tests/tnc/tnccs-11-supplicant/pretest.dat b/testing/tests/tnc/tnccs-11-supplicant/pretest.dat
deleted file mode 100644
index 4dbff64a3..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-moon::hostapd -B /etc/hostapd/hostapd.conf
-carol::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0
-carol::sleep 4
-dave::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0
-dave::sleep 4
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/collector.sql b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/collector.sql
new file mode 100644
index 000000000..548c101e4
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/collector.sql
@@ -0,0 +1,39 @@
+/* SW Identifiers */
+
+INSERT INTO sw_identifiers (
+  name, package, version, source, installed
+) VALUES (
+	'strongswan.org__Debian_DEBIAN_VERSION-x86_64-libutempter0-1.1.5', 'libutempter0', '1.1.5', 1, 0
+);
+
+INSERT INTO sw_identifiers (
+  name, package, version, source, installed
+) VALUES (
+  'strongswan.org__Debian_DEBIAN_VERSION-x86_64-libevent-2.0-5-2.0.20', 'libevent-2.0-5', '2.0.20', 1, 0
+);
+
+INSERT INTO sw_identifiers (
+  name, package, version, source, installed
+) VALUES (
+  'strongswan.org__Debian_DEBIAN_VERSION-x86_64-tmux-2.2', 'tmux', '2.2', 1, 0
+);
+
+/* SW Events */
+
+INSERT INTO sw_events (
+  eid, sw_id, action
+) VALUES (
+  2, 1, 2
+);
+
+INSERT INTO sw_events (
+  eid, sw_id, action
+) VALUES (
+  2, 2, 2
+);
+
+INSERT INTO sw_events (
+  eid, sw_id, action
+) VALUES (
+  2, 3, 2
+);
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat
index c0049d7fd..5d0602c15 100644
--- a/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat
@@ -1,6 +1,7 @@
 carol::ip route del 10.1.0.0/16 via 192.168.0.1
 dave::ip route del 10.1.0.0/16 via 192.168.0.1
 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
+carol::rm /etc/pts/collector.sql
 alice::systemctl stop strongswan-swanctl
 alice::systemctl stop apache2
 alice::rm /etc/swanctl/rsa/aaaKey.pem
diff --git a/testing/tests/tnc/tnccs-20-fhh/description.txt b/testing/tests/tnc/tnccs-20-fhh/description.txt
deleted file mode 100644
index 8bf1543d2..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/description.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
-using EAP-TTLS authentication only with the gateway presenting a server certificate and
-the clients doing EAP-MD5 password-based authentication.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
-compliant with <b>RFC 5793 PB-TNC</b>. The Dummy IMC and IMV from the
-<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
-<b>TNC@FHH</b></a> project are used which communicate over a proprietary protocol.
-<p>
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
-clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
-respectively.
-</p>
diff --git a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
deleted file mode 100644
index bf0732604..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Quarantined::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides:          charon 
-# Required-Start:    $remote_fs $syslog
-# Required-Stop:     $remote_fs $syslog
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: strongSwan charon IKE daemon 
-# Description:       with swanctl the strongSwan charon daemon must be
-#                    running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen <andreas.steffen@strongswa.org>
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
-	# Return
-	#   0 if daemon has been started
-	#   1 if daemon was already running
-	#   2 if daemon could not be started
-	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
-		|| return 1
-	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
-		$DAEMON_ARGS \
-		|| return 2
-	# Add code here, if necessary, that waits for the process to be ready
-	# to handle requests from services started subsequently which depend
-	# on this one.  As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
-	# Return
-	#   0 if daemon has been stopped
-	#   1 if daemon was already stopped
-	#   2 if daemon could not be stopped
-	#   other if a failure occurred
-	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
-	RETVAL="$?"
-	[ "$RETVAL" = 2 ] && return 2
-	# Wait for children to finish too if this is a daemon that forks
-	# and if the daemon is only ever run from this initscript.
-	# If the above conditions are not satisfied then add some other code
-	# that waits for the process to drop all resources that could be
-	# needed by services started subsequently.  A last resort is to
-	# sleep for some time.
-	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
-	[ "$?" = 2 ] && return 2
-	# Many daemons don't delete their pidfiles when they exit.
-	rm -f $PIDFILE
-	return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
-	#
-	# If the daemon can reload its configuration without
-	# restarting (for example, when it is sent a SIGHUP),
-	# then implement that here.
-	#
-	start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
-	return 0
-}
-
-case "$1" in
-  start)
-	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
-	do_start
-	case "$?" in
-		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  stop)
-	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
-	do_stop
-	case "$?" in
-		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  status)
-	status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
-	;;
-  #reload|force-reload)
-	#
-	# If do_reload() is not implemented then leave this commented out
-	# and leave 'force-reload' as an alias for 'restart'.
-	#
-	#log_daemon_msg "Reloading $DESC" "$NAME"
-	#do_reload
-	#log_end_msg $?
-	#;;
-  restart|force-reload)
-	#
-	# If the "reload" option is implemented then remove the
-	# 'force-reload' alias
-	#
-	log_daemon_msg "Restarting $DESC" "$NAME"
-	do_stop
-	case "$?" in
-	  0|1)
-		do_start
-		case "$?" in
-			0) log_end_msg 0 ;;
-			1) log_end_msg 1 ;; # Old process is still running
-			*) log_end_msg 1 ;; # Failed to start
-		esac
-		;;
-	  *)
-		# Failed to stop
-		log_end_msg 1
-		;;
-	esac
-	;;
-  *)
-	#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
-	echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
-	exit 3
-	;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index aa4934fb1..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-
-  multiple_authentication = no
-
-  syslog {
-    daemon {
-      tnc = 3
-      imc = 2
-    }
-  }
-}
-
-libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties
deleted file mode 100644
index b1c694107..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config
deleted file mode 100644
index 3ef780933..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy"	/usr/local/lib/libdummyimc.so
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides:          charon 
-# Required-Start:    $remote_fs $syslog
-# Required-Stop:     $remote_fs $syslog
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: strongSwan charon IKE daemon 
-# Description:       with swanctl the strongSwan charon daemon must be
-#                    running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen <andreas.steffen@strongswa.org>
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
-	# Return
-	#   0 if daemon has been started
-	#   1 if daemon was already running
-	#   2 if daemon could not be started
-	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
-		|| return 1
-	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
-		$DAEMON_ARGS \
-		|| return 2
-	# Add code here, if necessary, that waits for the process to be ready
-	# to handle requests from services started subsequently which depend
-	# on this one.  As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
-	# Return
-	#   0 if daemon has been stopped
-	#   1 if daemon was already stopped
-	#   2 if daemon could not be stopped
-	#   other if a failure occurred
-	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
-	RETVAL="$?"
-	[ "$RETVAL" = 2 ] && return 2
-	# Wait for children to finish too if this is a daemon that forks
-	# and if the daemon is only ever run from this initscript.
-	# If the above conditions are not satisfied then add some other code
-	# that waits for the process to drop all resources that could be
-	# needed by services started subsequently.  A last resort is to
-	# sleep for some time.
-	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
-	[ "$?" = 2 ] && return 2
-	# Many daemons don't delete their pidfiles when they exit.
-	rm -f $PIDFILE
-	return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
-	#
-	# If the daemon can reload its configuration without
-	# restarting (for example, when it is sent a SIGHUP),
-	# then implement that here.
-	#
-	start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
-	return 0
-}
-
-case "$1" in
-  start)
-	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
-	do_start
-	case "$?" in
-		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  stop)
-	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
-	do_stop
-	case "$?" in
-		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  status)
-	status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
-	;;
-  #reload|force-reload)
-	#
-	# If do_reload() is not implemented then leave this commented out
-	# and leave 'force-reload' as an alias for 'restart'.
-	#
-	#log_daemon_msg "Reloading $DESC" "$NAME"
-	#do_reload
-	#log_end_msg $?
-	#;;
-  restart|force-reload)
-	#
-	# If the "reload" option is implemented then remove the
-	# 'force-reload' alias
-	#
-	log_daemon_msg "Restarting $DESC" "$NAME"
-	do_stop
-	case "$?" in
-	  0|1)
-		do_start
-		case "$?" in
-			0) log_end_msg 0 ;;
-			1) log_end_msg 1 ;; # Old process is still running
-			*) log_end_msg 1 ;; # Failed to start
-		esac
-		;;
-	  *)
-		# Failed to stop
-		log_end_msg 1
-		;;
-	esac
-	;;
-  *)
-	#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
-	echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
-	exit 3
-	;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 8fc1c8729..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-
-  multiple_authentication = no
-  syslog {
-    daemon {
-      tnc = 3
-      imc = 2
-    }
-  }
-}
-
-libtls {
-  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index c20b5e57f..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-isolate
\ No newline at end of file
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties
deleted file mode 100644
index b1c694107..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config
deleted file mode 100644
index 8eee8068a..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy"     /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides:          charon 
-# Required-Start:    $remote_fs $syslog
-# Required-Stop:     $remote_fs $syslog
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: strongSwan charon IKE daemon 
-# Description:       with swanctl the strongSwan charon daemon must be
-#                    running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen <andreas.steffen@strongswa.org>
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
-	# Return
-	#   0 if daemon has been started
-	#   1 if daemon was already running
-	#   2 if daemon could not be started
-	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
-		|| return 1
-	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
-		$DAEMON_ARGS \
-		|| return 2
-	# Add code here, if necessary, that waits for the process to be ready
-	# to handle requests from services started subsequently which depend
-	# on this one.  As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
-	# Return
-	#   0 if daemon has been stopped
-	#   1 if daemon was already stopped
-	#   2 if daemon could not be stopped
-	#   other if a failure occurred
-	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
-	RETVAL="$?"
-	[ "$RETVAL" = 2 ] && return 2
-	# Wait for children to finish too if this is a daemon that forks
-	# and if the daemon is only ever run from this initscript.
-	# If the above conditions are not satisfied then add some other code
-	# that waits for the process to drop all resources that could be
-	# needed by services started subsequently.  A last resort is to
-	# sleep for some time.
-	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
-	[ "$?" = 2 ] && return 2
-	# Many daemons don't delete their pidfiles when they exit.
-	rm -f $PIDFILE
-	return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
-	#
-	# If the daemon can reload its configuration without
-	# restarting (for example, when it is sent a SIGHUP),
-	# then implement that here.
-	#
-	start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
-	return 0
-}
-
-case "$1" in
-  start)
-	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
-	do_start
-	case "$?" in
-		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  stop)
-	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
-	do_stop
-	case "$?" in
-		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  status)
-	status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
-	;;
-  #reload|force-reload)
-	#
-	# If do_reload() is not implemented then leave this commented out
-	# and leave 'force-reload' as an alias for 'restart'.
-	#
-	#log_daemon_msg "Reloading $DESC" "$NAME"
-	#do_reload
-	#log_end_msg $?
-	#;;
-  restart|force-reload)
-	#
-	# If the "reload" option is implemented then remove the
-	# 'force-reload' alias
-	#
-	log_daemon_msg "Restarting $DESC" "$NAME"
-	do_stop
-	case "$?" in
-	  0|1)
-		do_start
-		case "$?" in
-			0) log_end_msg 0 ;;
-			1) log_end_msg 1 ;; # Old process is still running
-			*) log_end_msg 1 ;; # Failed to start
-		esac
-		;;
-	  *)
-		# Failed to stop
-		log_end_msg 1
-		;;
-	esac
-	;;
-  *)
-	#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
-	echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
-	exit 3
-	;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4732fbd4b..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
-
-  multiple_authentication = no
-
-  syslog {
-    daemon {
-      tnc = 3
-      imv = 2
-    }
-  }
-  plugins {
-    eap-ttls {
-      phase2_method = md5
-      phase2_piggyback = yes
-      phase2_tnc = yes
-    }
-  }
-}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf
deleted file mode 100644
index 1238c1a91..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,64 +0,0 @@
-connections {
-
-   rw-allow {
-      local_addrs  = 192.168.0.1
-
-      local {
-         auth = eap-ttls
-         id = moon.strongswan.org
-      }
-      remote {
-         auth = eap-ttls
-         id = *@strongswan.org
-         groups = allow
-      }
-      children {
-         rw-allow {
-            local_ts = 10.1.0.0/28
-
-            updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm16-modp3072
-         }
-      }
-      version = 2
-      send_certreq = no
-      proposals = aes128-sha256-modp3072
-   }
-
-   rw-isolate {
-      local_addrs  = 192.168.0.1
-
-      local {
-         auth = eap-ttls
-         id = moon.strongswan.org
-      }
-      remote {
-         auth = eap-ttls
-         id = *@strongswan.org
-         groups = isolate
-      }
-      children {
-         rw-isolate {
-            local_ts = 10.1.0.16/28
-
-            updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm16-modp3072
-         }
-      }
-      version = 2
-      send_certreq = no
-      proposals = aes128-sha256-modp3072
-   }
-}
-
-secrets {
-
-   eap-carol {
-      id = carol@strongswan.org
-      secret = "Ar3etTnp"
-   }
-   eap-dave {
-      id = dave@strongswan.org
-      secret = "W7R0g3do"
-   }
-}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy
deleted file mode 100644
index d00491fd7..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy
deleted file mode 100644
index d8215dd3c..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy
+++ /dev/null
@@ -1,40 +0,0 @@
-#FTP - File Transfer Protocol
-TCP 20 = whatever
-TCP 21 = close
-
-#SSH - Secure Shell
-TCP 22 = whatever
-
-#Telnet
-TCP 23 = close
-
-#E-Mail
-#
-#SMTP - Simple Mail Transfer Protocol
-TCP  25 = close
-TCP 587 = close
-#POP3 - Post Office Protocol version 3
-TCP 110 = close
-TCP 995 = close
-
-#DNS - Domain Name System
-UDP 53 = close
-TCP 53 = close
-
-#BOOTP/DHCP - Bootstrap Protocol /
-#Dynamic Host Configuration Protocol 
-UDP 67 = close
-#UDP 68 = open
-UDP 68 = whatever
-
-#www - World Wide Web
-#HTTP - Hypertext Transfer Protocol
-TCP  80 = close
-#HTTPS - Hypertext Transfer Protocol Secure
-TCP 443 = close
-
-#examples
-TCP 8080 = close
-TCP 5223 = whatever
-UDP 4444 = close
-UDP  631 = whatever
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties
deleted file mode 100644
index 122d798b3..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMV] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMV] %m%n
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config
deleted file mode 100644
index fa4324e38..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMV configuration file for strongSwan server 
-
-IMV "Dummy"	/usr/local/lib/libdummyimv.so
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf
index 4075f75bd..cd5056e83 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf
@@ -9,13 +9,7 @@ WSGIPythonPath /var/www/tnc
 
     <Directory /var/www/tnc/config>
         <Files wsgi.py>
-            <IfModule mod_authz_core.c>
-               Require all granted
-            </IfModule>
-            <IfModule !mod_authz_core.c>
-                Order deny,allow
-                Allow from all
-            </IfModule>
+            Require all granted
         </Files>
     </Directory>
 
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default
deleted file mode 100644
index 1dc8b5688..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default
+++ /dev/null
@@ -1 +0,0 @@
-Include sites-available/000-default.conf
\ No newline at end of file
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf
index 4075f75bd..cd5056e83 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf
@@ -9,13 +9,7 @@ WSGIPythonPath /var/www/tnc
 
     <Directory /var/www/tnc/config>
         <Files wsgi.py>
-            <IfModule mod_authz_core.c>
-               Require all granted
-            </IfModule>
-            <IfModule !mod_authz_core.c>
-                Order deny,allow
-                Allow from all
-            </IfModule>
+            Require all granted
         </Files>
     </Directory>
 
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default
deleted file mode 100644
index 1dc8b5688..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default
+++ /dev/null
@@ -1 +0,0 @@
-Include sites-available/000-default.conf
\ No newline at end of file