summaryrefslogtreecommitdiff
path: root/testing/tests/ikev2
diff options
context:
space:
mode:
Diffstat (limited to 'testing/tests/ikev2')
-rw-r--r--testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem27
-rw-r--r--testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem27
-rw-r--r--testing/tests/ikev2/double-nat-net/evaltest.dat4
-rw-r--r--testing/tests/ikev2/double-nat/evaltest.dat4
-rw-r--r--testing/tests/ikev2/forecast/description.txt8
-rw-r--r--testing/tests/ikev2/forecast/evaltest.dat20
-rw-r--r--testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf16
-rw-r--r--testing/tests/ikev2/forecast/posttest.dat6
-rw-r--r--testing/tests/ikev2/forecast/pretest.dat7
-rw-r--r--testing/tests/ikev2/forecast/test.conf21
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/description.txt8
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/evaltest.dat7
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf17
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf18
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf17
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/posttest.dat5
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/pretest.dat11
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/test.conf21
-rw-r--r--testing/tests/ikev2/host2host-transport-nat/description.txt3
-rw-r--r--testing/tests/ikev2/host2host-transport-nat/evaltest.dat13
-rw-r--r--testing/tests/ikev2/host2host-transport-nat/pretest.dat1
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat8
-rw-r--r--testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem36
-rw-r--r--testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem50
-rw-r--r--testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem36
-rw-r--r--testing/tests/ikev2/nat-rw-mark/evaltest.dat4
-rwxr-xr-xtesting/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown300
-rw-r--r--testing/tests/ikev2/nat-rw-psk/evaltest.dat6
-rw-r--r--testing/tests/ikev2/nat-rw/evaltest.dat8
-rwxr-xr-xtesting/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown94
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/description.txt7
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/evaltest.dat9
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/posttest.dat5
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/pretest.dat6
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/test.conf21
-rw-r--r--testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/net2net-fragmentation/evaltest.dat4
-rw-r--r--testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem36
-rw-r--r--testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem50
-rw-r--r--testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem36
-rw-r--r--testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem50
-rwxr-xr-xtesting/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown48
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt8
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat7
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf7
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat4
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat6
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf21
-rw-r--r--testing/tests/ikev2/reauth-mbb/description.txt7
-rw-r--r--testing/tests/ikev2/reauth-mbb/evaltest.dat7
-rw-r--r--testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf7
-rw-r--r--testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf19
-rw-r--r--testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/reauth-mbb/posttest.dat4
-rw-r--r--testing/tests/ikev2/reauth-mbb/pretest.dat6
-rw-r--r--testing/tests/ikev2/reauth-mbb/test.conf21
-rw-r--r--testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-dynamic/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat4
-rwxr-xr-xtesting/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown296
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/description.txt15
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/evaltest.dat26
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.derbin0 -> 2094 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.derbin0 -> 2172 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.derbin0 -> 1182 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf7
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.derbin0 -> 2094 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.derbin0 -> 2173 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.derbin0 -> 1310 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf7
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.derbin0 -> 2094 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.derbin0 -> 2190 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.derbin0 -> 1310 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf7
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/posttest.dat9
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/pretest.dat13
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/test.conf21
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-sig-auth/description.txt10
-rw-r--r--testing/tests/ikev2/rw-sig-auth/evaltest.dat20
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf29
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf29
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf30
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-sig-auth/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-sig-auth/pretest.dat12
-rw-r--r--testing/tests/ikev2/rw-sig-auth/test.conf26
-rw-r--r--testing/tests/ikev2/rw-whitelist/evaltest.dat4
133 files changed, 1417 insertions, 717 deletions
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..4d99866f7
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm
+MPvvkhl7dwj12//qfklihpZtdazxO9XkN3oYIdgt4QLq35ljtIkEGgsPn3a3niFQ
+qjkCDj+lKmd9u4ecmGKR5PFUL+LwSU6cXJVNT6p1oXqntWZS8bFu+9y0Zpf30Lf1
+ILyZAgU2WTjSzTHyvu0w52GlbALZ3ILwze/J1DRHtqmPdiiu0qwSekqVBIOPZudR
+fl4LBnLIFlR0vOaJ9zpvxuPHKyxFSY3bvAsXsEkVYG/pTyVsx3fELFNFYP+75arN
+2UTMjbTSq6+KKUr1WwOmoBpU14Qwq3g4l1PChwIDAQABAoIBACBFB/Xqajv6fbn9
+K6pxrz02uXwGmacXAtVIDoPzejWmXS4QA4l17HrJDmelSnhelDKry8nnYHkTrTz7
+mn0wQ4HDWy86o/okJUG/TKRLd6bf79aRQqqohqd3iQkHk43GyzuXH+oGioVKF0fc
+ACDWw4wfjL7FMNdHCZ4Bz9DrHO/ysHe9B6rvSYm3VZRhSxaneIkaLkkDadKpVx3f
+XNFlMxY4qKPJYYSoJZ61iMqrO7+rnA93tmyDDs8PKU3BtnpfNrdePgleJHhk8Zqy
+Ev2/NOCSUxbKE8NCtLpGTs+T0qjjnu4k3WPd3ZOBAan0uPDekHZeHB/aXGLhYcxx
+J5SurqECgYEA+F1gppkER5Jtoaudt/CUpdQ1sR9wxf75VBqJ4FiYABGQz9xlG4oj
+zL/o572s0iV3bwFpnQa+WuWrxGkP6ZuB/Z82npc0N/vLou/b4dxvg4n7K+eOOEf0
+8FMjsse2tqTIXKCqcmQnR0NPQ1jwuvEKsXP5w/JOlnRXAXnd4jxsJI0CgYEA0GaT
+61ySttUW9jC3mxuY6jkQy8TEQqR3nOFvWwmCXIWOpN/MTTPus+Telxp/pdKhU+mo
+PmX3Unyne5PvwleWDq3YzltX5ZDZGJ5UJlKuNnfGIzQ6OcHRbb7zBpQG6qSRPuug
+bgo688hTnb1L59nK88zWVK45euf6pyuoI+SwIGMCgYEA7yvE8knyhBXvezuv0z1b
+eGHmHp5/VDwY0DQKSEAoiBBiWrkLqLybgwXf/KJ8dZZc8En08aFX2GLJyYe/KiB1
+ys3ypEBJqgvRayP+o/9KZ+qNNRd0rqAksPXvL7ABNNt0kzapTSVDae3Yu6s/j1am
+DIL5qAeERIDedG5uDPpQzdUCgYB7MtjpP63ABhLv8XbpbBQnCxtByw3W89F+Xcrt
+v55gQdhE4cSuMzA/CuMH4vNpPS6AI9aBJNhj3CtKo/cOJachAGb1/wvkO5ALvLW0
+fhZdPstUTnDJain7vfF/hwzbs/PlhXgu9T9KlLfRvXFdG+Sd4g8mumRiozcLkoRw
+y6XPTwKBgDJP+s9wXmdG90HST/aqC7FKrVXLpB63dY5swNUfQP6sa0pFnON0r0JC
+h/YCsGFFIAebQ2uOkM3g3f9nkwTp7910ov+/5uThvRI2w2BBPy0mVuALPjyyF1Z2
+cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
new file mode 100644
index 000000000..d8fad9aad
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA35VUimfpDmNpT/8Q3qnoDlxJ9R+EErSYVraVoUVmH9jSHroB
+eqqtDdf3XuHtg2xKTryijBj2H0jeA7HuE1UGwmvZWN1gL5vSrk1OFrT38DmaKa/+
+mtiPqjTJrDGg+OgOz1iHsPsp/4Xx+SCTSy2Ucllfront02sVduDXEGV34Snk6vYV
+sRn1BZSlFBO6F2k23/j1i7FDn0N6Zj0hFvCysoIcfSYasmwN2p5vRqn7xC9JceMK
+3V+v0w0pZoAUBAspAjh7R1rWe08IRAt4Tzff401EGAa5+TQqoZPd4BeqvFr0AQhQ
+mdVw97FB2pQyNxSlcVvxY3NFYHwSCHcEMroWwQIDAQABAoIBADH51hjN2zk9HVgl
+QmcTAWzcUie5cLMhrP+M9mtC8O3jcCwwFY6OwfnbMU8DHy0GMqHg5lB8b99UUVPw
+HLAzjDw/ESkc6pgZs4EEhJTsxJLsvTnePgHssEgyXnXf7gRVEqJkPohfy+Zy0UCH
+eIUQXiMlOQ7xg7iDMhwNa+UdWSt539DztSKilQn2xdPZjFnMT0/prvl4NA/8Zn54
+/SdWDq5yRdLWb6EK1V7yJ3687GXR1jzGtgy7TXuncUJVTYgX7RdP1Tn6gWD8YAQ/
+RfT0DdWYm4WHSgSb9/NW8lBZH2yy3hg+lNgofXEvTfBkO5QyW31LIr0tCV6zhJIc
+Y9MxaKUCgYEA9sktaXfhPLe0ECjdeQEOq5EKuDrCviSKCOuAV4BDSOsdw6+5LWfY
+Vb/oke8N70lL3RCblcj1pOKWUi2O/SpEJdDRduiw2gM9cXt3/bChSTHC4TsIxxN/
+Db9OGg72kZ4sRY5Au+zyAAQYBwXhFWux194Jk5qK0JblNG9J5QMqZDcCgYEA5+5h
+BgHUMEO+pdME5lAiSc5PcNTejpA6j+OikCh4/HFXy3C/dLx+Cs1+egw64c8iVaIv
+NEo7n7E9I0e3XqanPRXhMnBRrP+39OVsWPmZ18Li2Hi84KwJyi8Y11l3XJOqaYpF
+wMVUuZpxR0dfG5k/5GwT/tEkmQBglOgG3m2zUMcCgYEA4m3Vd9ahV5dp5AXKpzKc
+JjiPMFfhxJo7+FEz0ZUCp03qYljBu/Jy4MKS/grrqyiCLdQGHNlk4SNxLvdUId78
+5gGBnuuDEJU2dAAIKUE9yq2YlBUZSacOxStI2snt28/X6P3LUWHm7LLU5OS1D3Vf
+mKPF/6MlSJuas5CEqVZNN+MCgYBH9Qh7IaQgmVQUBKVXg3Mv7OduvUyTdKIGtHxi
+N3xZ7hxsDP4JjNWaKmlcGmFGX8pqQRheI83d3NJ4GK8GmbP3Wst0p65fezMqsudr
+r30QmPFicgs/tYCQDw6o+aPzwAi2F+VOSqrfrtAIaldSq7hL+VA21dKB+cD9UgOX
+jPd+TwKBgQCbKeg2QNS2qhPIG9eaqJDROuxmxb/07d7OBctgMgxVvKhqW9hW42Sy
+gJ59fyz5QjFBaSfcOdf4gkKyEawVo45/q6ymIQU37R4vF4CW9Z3CfaIbwJp7LcHV
+zH07so/HNsZua6GWCSCLJU5MeCRiZzk2RFiS9KIaLP4gZndv4lXOiQ==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/double-nat-net/evaltest.dat b/testing/tests/ikev2/double-nat-net/evaltest.dat
index 52c561964..8f5ffdb50 100644
--- a/testing/tests/ikev2/double-nat-net/evaltest.dat
+++ b/testing/tests/ikev2/double-nat-net/evaltest.dat
@@ -1,7 +1,7 @@
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/double-nat/evaltest.dat b/testing/tests/ikev2/double-nat/evaltest.dat
index 9ddad2de5..5f0622690 100644
--- a/testing/tests/ikev2/double-nat/evaltest.dat
+++ b/testing/tests/ikev2/double-nat/evaltest.dat
@@ -1,7 +1,7 @@
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/forecast/description.txt b/testing/tests/ikev2/forecast/description.txt
new file mode 100644
index 000000000..db67b9c3d
--- /dev/null
+++ b/testing/tests/ikev2/forecast/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to
+gateway <b>moon</b> and request a <b>virtual IP</b>. <b>moon</b> negotiates
+broadcast and multicast traffic selectors with the clients, and uses
+<i>%unique</i> marks to avoid any policy conflicts. The enabled <i>forecast</i>
+plugin on <b>moon</b> installs the required Netfilter rules to make use of these
+policies, and additionally starts forwarding broadcast and multicast packets
+between the clients.<br/>
+To test forwarding, the hosts send multicast and broadcast ping messages.
diff --git a/testing/tests/ikev2/forecast/evaltest.dat b/testing/tests/ikev2/forecast/evaltest.dat
new file mode 100644
index 000000000..6babe57f0
--- /dev/null
+++ b/testing/tests/ikev2/forecast/evaltest.dat
@@ -0,0 +1,20 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL, reqid 1::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL, reqid 2::YES
+alice::ping -W 1 -c 1 239.0.0.1 2>&1> /dev/null
+carol::ping -W 1 -c 1 239.0.0.2 2>&1> /dev/null
+dave::ping -W 1 -c 1 239.0.0.3 2>&1> /dev/null
+carol::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null
+dave::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null
+moon::iptables -t mangle -L -n -v
+carol::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES
+dave::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES
+carol::tcpdump::IP 10.1.0.130 > 239.0.0.3: ICMP echo request::YES
+dave::tcpdump::IP 10.1.0.129 > 239.0.0.2: ICMP echo request::YES
+carol::tcpdump::IP 10.1.0.130 > 10.1.255.255: ICMP echo request::YES
+dave::tcpdump::IP 10.1.0.129 > 10.1.255.255: ICMP echo request::YES
diff --git a/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..4cd628384
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=%config
+ leftsubnet=0.0.0.0/0
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=0.0.0.0/0
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..7b81476e9
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..e2255d96b
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftsourceip=%config
+ leftsubnet=0.0.0.0/0
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=0.0.0.0/0
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..7b81476e9
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..fde2e9103
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16,224.0.0.0/4
+ right=%any
+ rightid=*@strongswan.org
+ rightsourceip=10.1.0.128/26
+ rightsubnet=%dynamic,224.0.0.0/4,10.1.255.255
+ mark=%unique
+ auto=add
diff --git a/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..986ef32de
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown attr forecast
+ syslog {
+ daemon {
+ net = 2
+ }
+ }
+ plugins {
+ forecast {
+ interface = eth1
+ reinject = rw
+ }
+ }
+}
diff --git a/testing/tests/ikev2/forecast/posttest.dat b/testing/tests/ikev2/forecast/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev2/forecast/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/forecast/pretest.dat b/testing/tests/ikev2/forecast/pretest.dat
new file mode 100644
index 000000000..206bf5b64
--- /dev/null
+++ b/testing/tests/ikev2/forecast/pretest.dat
@@ -0,0 +1,7 @@
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/forecast/test.conf b/testing/tests/ikev2/forecast/test.conf
new file mode 100644
index 000000000..13b3927ae
--- /dev/null
+++ b/testing/tests/ikev2/forecast/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon carol dave"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/host2host-transport-connmark/description.txt b/testing/tests/ikev2/host2host-transport-connmark/description.txt
new file mode 100644
index 000000000..6660279c9
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/description.txt
@@ -0,0 +1,8 @@
+An IPsec <b>transport-mode</b> connection between the natted host <b>alice</b>
+and gateway <b>sun</b> is successfully set up. The client <b>venus</b> behind
+the same NAT as client <b>alice</b> also establishes the same <b>transport-mode</b>
+connection. <b>sun</b> uses the connmark plugin and a <b>%unique</b> mark on
+the CHILD_SAs to select the correct return path SA using connection tracking.
+This allows <b>sun</b> to talk to both nodes for client initiated flows, even
+if the SAs are actually both over <b>moon</b>.<br/>
+To test the connection, both hosts establish an SSH connection to <b>sun</b>.
diff --git a/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat b/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat
new file mode 100644
index 000000000..04a35c10c
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat
@@ -0,0 +1,7 @@
+sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+alice::ssh 192.168.0.2 'echo alice-echo && exit'::alice-echo::YES
+venus::ssh 192.168.0.2 'echo venus-echo && exit'::venus-echo::YES
+sun::iptables -t mangle -L -n -v
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf
new file mode 100644
index 000000000..9000ebcfe
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,17 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn nat-t
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ right=192.168.0.2
+ rightid=@sun.strongswan.org
+ type=transport
+ auto=add
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..220059c43
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ left=192.168.0.2
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+
+conn nat-t
+ right=%any
+ type=transport
+ mark=%unique
+ auto=add
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..1311e5b27
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default connmark
+}
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf
new file mode 100644
index 000000000..cea239abe
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,17 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn nat-t
+ leftcert=venusCert.pem
+ leftid=venus@strongswan.org
+ right=192.168.0.2
+ rightid=@sun.strongswan.org
+ type=transport
+ auto=add
diff --git a/testing/tests/ikev2/host2host-transport-connmark/posttest.dat b/testing/tests/ikev2/host2host-transport-connmark/posttest.dat
new file mode 100644
index 000000000..144be6c90
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/posttest.dat
@@ -0,0 +1,5 @@
+alice::ipsec stop
+venus::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-transport-connmark/pretest.dat b/testing/tests/ikev2/host2host-transport-connmark/pretest.dat
new file mode 100644
index 000000000..ab6408427
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE
+moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT
+moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16 -j ACCEPT
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::expect-connection nat-t
+venus::expect-connection nat-t
+alice::ipsec up nat-t
+venus::ipsec up nat-t
diff --git a/testing/tests/ikev2/host2host-transport-connmark/test.conf b/testing/tests/ikev2/host2host-transport-connmark/test.conf
new file mode 100644
index 000000000..8c2facefd
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun alice venus moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/host2host-transport-nat/description.txt b/testing/tests/ikev2/host2host-transport-nat/description.txt
index 6f18a88cd..fc7186c53 100644
--- a/testing/tests/ikev2/host2host-transport-nat/description.txt
+++ b/testing/tests/ikev2/host2host-transport-nat/description.txt
@@ -9,5 +9,6 @@ rules that let pass the decrypted IP packets. In order to test the host-to-host
dropped when the IPsec policies are consulted (increases the <em>XfrmInTmplMismatch</em> counter
in <em>/proc/net/xfrm_stat</em>).</li>
<li>A similar issue arises when <b>venus</b> also establishes an IPsec <b>transport-mode</b> connection to
-<b>sun</b>, due to the conflicting IPsec policies <b>sun</b> declines such a connection.</li>
+<b>sun</b>. Due to the conflicting IPsec policies <b>sun</b> will use the newer SA from
+<b>venus</b> to send traffic to the common transport mode address.</li>
</ol>
diff --git a/testing/tests/ikev2/host2host-transport-nat/evaltest.dat b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
index faa9fb265..0ec50bc92 100644
--- a/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
+++ b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
@@ -1,12 +1,9 @@
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT::YES
-sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT::YES
-alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
-venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::NO
-venus::ipsec up nat-t::received TS_UNACCEPTABLE notify::YES
-sun::cat /var/log/daemon.log::unable to install policy::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+alice::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::NO
+venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
sun::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ICMP echo request::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ICMP echo reply::NO
diff --git a/testing/tests/ikev2/host2host-transport-nat/pretest.dat b/testing/tests/ikev2/host2host-transport-nat/pretest.dat
index fe0f17d3d..2d2607078 100644
--- a/testing/tests/ikev2/host2host-transport-nat/pretest.dat
+++ b/testing/tests/ikev2/host2host-transport-nat/pretest.dat
@@ -10,3 +10,4 @@ sun::ipsec start
alice::expect-connection nat-t
venus::expect-connection nat-t
alice::ipsec up nat-t
+venus::ipsec up nat-t
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
index 65a003d23..8457ae0dd 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
@@ -1,6 +1,6 @@
moon:: cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES
-moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA signature successful::YES
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA.* successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
moon:: cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES
@@ -9,8 +9,8 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*228060123456001@strongswan.
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA signature successful::YES
-dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA.* successful::YES
+dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES
moon::cat /var/log/daemon.log::RADIUS authentication of '228060123456002' failed::YES
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 4e13b52d0..70b953e49 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,24 +1,24 @@
-----BEGIN CERTIFICATE-----
MIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxGTAX
-BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMDkxMTA0MTYyMzM1WhcNMTQxMTAz
-MTYyMzM1WjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
+BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMTQxMTI4MjIxODIyWhcNMTkwMjI1
+MjIxODIyWjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
bjEWMBQGA1UECxMNRHVjayBSZXNlYXJjaDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25n
-c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6LueCi67Y
-IGRDKP5bkysGWZHrFrztq7elIFCPPSUxyIOYo4Upzr5WsvO0dIfcZY3agV2NcAI2
-30sATlfTUp+obedZMHbzE3VBvQuLjgK42ox2XIXDj23Vy496mVqlwUQulhBcAhMb
-jnBb4T0aR7WCnJvfzyckEyWrTN0ajRyQhJEmTn+spYNQX/2lg6hEn/K1T/3Py7sG
-veeF6BRenHR5L60NSK7qV7AU+hM4R0UIvgwYqzxSStgGS9G6Bwj9QTOWwSV1tuii
-ABiRdZSBoON0uMMpRjgEzuVe0f4VbOCIEXO8MtdpCu7Rwa9tc8OwneLcGCYVomr5
-7KKRJdvC5As3AgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
-VR0OBBYEFFSYDz2TYOMxfyrIx20NhPPHTCOIMHkGA1UdIwRyMHCAFHYqqKQxp8Zx
-jzAlvAJmm8sXVI0goVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
+c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNBbHnfLRk
+Lvxh9V7x/NoSs5qavpr8F51LnYpIfppgMvBDjpdeSnBPOOPakPlfUhKSvXIesESv
+QI1HJOlGftswL9A5B1lTnsH65sqpgqgj67grh386U3O9ZccFhUj8Dw6TUo/qe4pK
+sWDwUX/LG3mjOx/rOGvX8WxvZU7JVXXhU4g8TpIV3JRTQ+lF82z3qoS6dAfRt4xh
+6pyLuMYbu6UtX5Al0iJDvpsWr9ZbKI2f8Dhkr0sZFRHl7Gs5jTN1Ra1EF0jCjIzo
+6AkkY+ITBssvVvMFpeN/jb0ZhvLcRFU56lvLkmrj/InKUsk9qNm80+/wFBUzJ5N7
+GezXmBIPwXdlAgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
+VR0OBBYEFLPw4VsFnIRIKhjd/OF7delHM9kiMHkGA1UdIwRyMHCAFIpw4MqlHGRv
+K5K5c1wBrJAb/fk1oVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
c3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDASBgNVBAMTC1Jlc2VhcmNo
-IENBggEFMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
-DQEBCwUAA4IBAQBIpl8SH4Nytgr6KvmXzns80u615WnDmP6oJrnwIZUkunVns8HH
-TFUVjvDKoQ+8CvuaH9Ifo2dokGjtGObeO4Y38y0xBIkUO+JpwfTa3SeCEhdOZb3G
-4e9WxHhV9IGfRyPsXQG+3JpAMaHYH+PNKiv7RBTq6rGaHzvgUEXRMTbv/bJI+Fs6
-Yfd/XxIur/ftVh4dZocyC74MUyXy5tyZJkHe1aBszOa0iT1852fq93lNUQPQqw0O
-3q3Lg7CvbNSdWqeAMqUgeBqh6oQItY9Exrwh0tfuCsjZ0oWXUBghsuiV+GTmZ6ok
-BiGmSmtX5OD4UtKcicuMRqnK2MYJHp1z1goE
+IENBggEKMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
+DQEBCwUAA4IBAQCi2vUHTZtkUGMAQsztQBLDwtqS7D+1ydO2BU/wkNRn4M7Zlkjq
+O2JBgwGmeWpnZWPdNo+A5ECqcVYXp0XQw/24zxV92StTN7mGvPKVM6bYExcCT8x6
+tVkzlfyjJaVdBgl12jkQA4v6Efwc0P6nunYfxYIrfoFA4kjMnAbxLfPKFEj8b8NW
+E9gvOEPy9hOv2dJEKyNxau+O5oGRZ46zSotcS0n34huoMEkXpUnpGOgZw8cl8xpP
+ffHiAJqZYgqU6B++HQO6M6IQ0nQmX6OxGz+5VhEmuizgWB0B1L65BlzAysdavLZN
+Yn4RdcYfpdbUgj5oRapiwWaQxpGImyQ1JBIU
-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 48727ed9d..ce60672bc 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAui7ngouu2CBkQyj+W5MrBlmR6xa87au3pSBQjz0lMciDmKOF
-Kc6+VrLztHSH3GWN2oFdjXACNt9LAE5X01KfqG3nWTB28xN1Qb0Li44CuNqMdlyF
-w49t1cuPeplapcFELpYQXAITG45wW+E9Gke1gpyb388nJBMlq0zdGo0ckISRJk5/
-rKWDUF/9pYOoRJ/ytU/9z8u7Br3nhegUXpx0eS+tDUiu6lewFPoTOEdFCL4MGKs8
-UkrYBkvRugcI/UEzlsEldbboogAYkXWUgaDjdLjDKUY4BM7lXtH+FWzgiBFzvDLX
-aQru0cGvbXPDsJ3i3BgmFaJq+eyikSXbwuQLNwIDAQABAoIBAGK7cOXXsTbHpqO+
-33QsjQpnAWyLuFDJWS/l/RKYuFq4HKEbRgivrFxJtdciXNHRwPH43GWe2m3C6AEX
-ipd0H1qwPZkcjFfHH81mtPKismrY6tfxpLXaH8LamhHHtTxlSwTxa2d/aiaY2JjA
-zyhakrTa3AZJ0lXdGYLH1hC4eEdiPghIqwL8YNB0V2ldq+bMdtQ1i3dcmseV9TI2
-DEAKWzjc7oIcuY9HtfEEAIPzSSqwrM7wUWd9dk70o7b05eK9pnTF59Lnk5U1J1Ag
-QnXBHBZfLVDnTYd+dFWM8wUIpO0n6ccUToINppwSejyOs726jUuWGZCthxLBsFZp
-5Pj9B6ECgYEA3lRxGRJsAfMoyOc4kLfDmlDtrP88knRlqRW7mVYjclhMbVtrtaTP
-44VqmxKIVNQt1p5hB/Gn4kbhC7OnUja/FVHdosEjFhYNh+QCisyaS2V7RNyEidJX
-Q61V8v0Z7MxHxxDljVvWfSdAUDRrFwWYxRXZJWwStEmtdAbiZa6aydkCgYEA1mEV
-2D+gaR+oBouqcZMiSAjV/qHbnfw4EC2XFCw84JMPerBwl4noWCgvgf0lRirbI+Ar
-PDOfoclLnDQRgnqkK4okSIW0SddxttbKdDhhZ2c2CoyKxUqN7/NEyy/tZ2WZRcmX
-LILTLXzi/9qq8lF9odjIl5KKsRpXhqMsf5b1w48CgYEAqDT8yDo+yw7b6Xu+OQc/
-Ds5xs3P7sNYtX8qYfz9DXCxfzlDfYbMKsZlr+V0BFiTddUWoJal4GeMEOqU2TyYq
-VYf1hkBXOkt++zPPlJGNnsNtisDH6bng2cwXfdpttdEr8Pjgo5063r9GkifGacmL
-Nnj8K6rjT9F6UJEw0jtS0qkCgYAi3RMSYfaSYgWPWvNTGRyAHn++s0/l93iemOty
-6mbUFtZzm3IUEudoPtDLEQIY0StmQDSHy9VwGC5lrsoSMCO2uPaBnMzfHVxu4at3
-Dxw4Fr7hJE4FG8TNewB7EsZHBGzSvqAJKxVw1liMR2F5musVgQ3OKJTJjIEjcjHw
-Zfp93QKBgQCPp6SH510qK9Rf+HjeWXJpOB2ByruC5rBgqrxE4rbIB3/fAl86a3Kq
-Q1VqdGb+CW0FlkPshDmmdi3IoCliXywadSaXi/unPfPTel0pQAC8NM7WpPoaUfnS
-QgL5iNXshicKoE8U6PRhYvn81zVpt4bFn3DZRgIlau2GQnijLkGvQw==
+MIIEpAIBAAKCAQEAzQWx53y0ZC78YfVe8fzaErOamr6a/BedS52KSH6aYDLwQ46X
+XkpwTzjj2pD5X1ISkr1yHrBEr0CNRyTpRn7bMC/QOQdZU57B+ubKqYKoI+u4K4d/
+OlNzvWXHBYVI/A8Ok1KP6nuKSrFg8FF/yxt5ozsf6zhr1/Fsb2VOyVV14VOIPE6S
+FdyUU0PpRfNs96qEunQH0beMYeqci7jGG7ulLV+QJdIiQ76bFq/WWyiNn/A4ZK9L
+GRUR5exrOY0zdUWtRBdIwoyM6OgJJGPiEwbLL1bzBaXjf429GYby3ERVOepby5Jq
+4/yJylLJPajZvNPv8BQVMyeTexns15gSD8F3ZQIDAQABAoIBABliJR6V7/efYZv3
+NyQavB0oo3GZO7MOcWkVPjOviQl0BQ84LkF8Ud9dGcjLvjQxAx+r2N83z6krAtLW
+HROfTR/wK4WEBWk29KlNvbWy+YJJAupQwk3EW0YNvdBPKjQa4SEYTb0oQnzw7SGT
+1ZCd/DdbcJ48xA1eVKCOGG0Q6aFV702mUszjZfrnyqr+zxx8ZE+YhKSXB0eGjv2+
++kiJMf25ZpgP5Pu5AAX0/KRN9E5orbr5pdFTBgOIJ6Sdsnr/q/tJaU/bPVJEtFvd
+BqSVtz87ftTdZVH5zMBkXPVwlWczQiK5J6igrMBcrHhnKUmt54kh9bEUmt2ZrBOx
+xmEV/wECgYEA+a+LjA3lZgk5Qy4qKvXe4EHvRSK513ZxN8gBvj4wA7JmEGv76gMw
+5o1DbpNOqumeyjrtsqVzjAu3GpowX4dfHRal9CZ57dtedjWlHPnnDtSMKzmJXiJb
+HzYPngpjxfAjrZNIBlQZeAhtYCQUDM/SSitcnP1gp3DEdVyxFNafmuECgYEA0jUA
+F0hSddYBo4tG84gnHQ6L0ftqn3K0UD9EcFAG2Zxv7dqSGdmCq6wo/q1UeKDVLjCX
+OteuqzDG+ka6DmbcLwj9VRMQP9lqUbtGOzwyWxYdcMUZnMtWHpuvcsyHLrAKqTxJ
+0Be7hlXCbSrh62CBpAgv91NMghZup3Tpku8qkQUCgYEAyWNp7uEWciJmaWVG5bfC
+uKb10pGby8ngr9lGbqfCGnk+EWjHm4xPWOX/yaRPA1PDm+HD7x+7/u1EFtTex25s
+rQ2jdTXDirIxkq7aKnD2iOOu2v5haefUD2yPVC2VJAX5APuWUGRs1oAVmEIBWgQV
+3XT0EjvcRbGTBAZrXh9uRIECgYEAzBclZXWUilAj+zOoyZ4xy6Zp3pAqL3Fg3GDx
+A9LPM80NZ3RFUc+7bQ6UJuEHGK+fC1+mFT1/mzqaljjBQGZh9VDXFhiSOEvRTFV1
+lOGXSpSoNOtJONC7ZrBloiIuRggp8bJVQDMqoPz27qMqAiwK8sX4PDumFs/M081R
+UpXfUDkCgYAOa/VoXgDlFMun1qEu6LFZcLhA6SyHRT0yT9WSYkHjcQusvJAZEM67
+lfUd1J57tG6+HS7z0wBkO72HG0YZDD8dhgzsYGChUHD+yq+OZ2FHnZWRSnnHq4zD
+ZBjS8PGcVu/4Ojx6B8GI41UgmdqH+US+AA6nYceb74NeIigXjtXUdA==
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
index bb205a0fd..2076242cc 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
@@ -1,23 +1,23 @@
-----BEGIN CERTIFICATE-----
-MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MIID0jCCArqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw
-M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MTEyODIyMDcwOFoXDTE5MDQwMTIyMDcw
+OFowVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu
-MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa
-ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO
-UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD
-h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY
-i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB
-o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2
-KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu984h2mkpbWJZc9Ydka6jC84EkPz
+w6tqtEkIdftEawgc5gvlC80JXLTwnQySMTb49KByyt44S59ZWE6SHHV0u2P2ihiw
+1duoY7NE+RZwODEsWVgnDRZmyume2Bj+Hpkugm6o+rL7jiGxhvNLeoFZK3RyD6IR
+IcEfZeAv7URGz7xdrzmK/vWXukfEnU8DlrFDSQUb3NaJS5tVVVLFuTWQBSjuT3NX
+7mdNHnpjcwT9/ruyOaNQ0DV2Bgz1nCiOup+oW396/AInb03CQ+wIqQpB9reWma0w
+F0Bc9lZxnv9ppYgBPsOTjE3yyyeTptzk9Gw+DFV1cw8Crm+aew5VH18oEwIDAQAB
+o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBSK
+cODKpRxkbyuSuXNcAayQG/35NTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF
-AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv
-YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx
-rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C
-1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5
-wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v
-DSlBqDpnqK8tEI9V9YeroihTcygrEg==
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDANBgkqhkiG9w0BAQsF
+AAOCAQEAMtm7ldvd45818Ghl8+Z7PfCnRXDPbikyCJn5PXkuR3TSB62ekJSGT1Rd
+i2rnDoIZpfSzDQSpKH616MuWtwJoomJh8n9wCzbdUv1sn1cfgjDSkgLqIbm/Xpc4
+zUcHnZFdwvMr3sq/xSO/SgkfgTHi8bFLLp2RQwPNsNycT94nNE7DRjSeRenpuEPM
+4t4xIZCoUyX3sdusHvh+dDu4iuIVQoM0zaW9p7pVh210ALt0jac3HW0rQXtbfchE
+VeuDLZ0G7baFZ9LLLWpuQB4zPRUET7puvzabsf+sHpO54y+zXRaB0tbiFIurt4gF
+5n7mN4ssNQdcD86W5lnI9pT5s1uvdw==
-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-rw-mark/evaltest.dat b/testing/tests/ikev2/nat-rw-mark/evaltest.dat
index bb8e856cc..c5390fbb6 100644
--- a/testing/tests/ikev2/nat-rw-mark/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw-mark/evaltest.dat
@@ -1,7 +1,7 @@
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
sun:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
sun:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
sun:: ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
index 421335ffb..e0c15f56a 100755
--- a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/bin/sh
# updown script setting inbound marks on ESP traffic in the mangle chain
#
# Copyright (C) 2003-2004 Nigel Meteringham
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,20 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
#
# PLUTO_ME
# is the IP address of our host.
@@ -63,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -85,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -93,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -143,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -157,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -193,119 +166,45 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- parms1="$PLUTO_PEER_CLIENT"
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
- if [ -n "$PLUTO_NEXT_HOP" ]
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
then
- parms2="via $PLUTO_NEXT_HOP"
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
-
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
fi
- if test " $oops" != " " -o " $st" != " 0"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
then
- echo "$0: doroute \`$it' failed ($oops)" >&2
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
fi
# is there an inbound mark to be set?
@@ -313,82 +212,18 @@ if [ -n "$PLUTO_MARK_IN" ]
then
if [ -n "$PLUTO_UDP_ENC" ]
then
- SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
+ SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
else
- SET_MARK="-p esp"
+ SET_MARK="-p $PLUTO_PROTO"
fi
SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
fi
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-fi
-
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -403,6 +238,14 @@ up-host:)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -430,6 +273,13 @@ down-host:)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -472,6 +322,15 @@ up-client:)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -518,6 +377,13 @@ down-client:)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
diff --git a/testing/tests/ikev2/nat-rw-psk/evaltest.dat b/testing/tests/ikev2/nat-rw-psk/evaltest.dat
index 6ec29c779..86fc1975e 100644
--- a/testing/tests/ikev2/nat-rw-psk/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw-psk/evaltest.dat
@@ -1,6 +1,6 @@
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL, ESP in UDP::YES
-sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL.*ESP in UDP::YES
+sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
sun:: ipsec status 2> /dev/null::nat-t.*\[PH_IP_ALICE\]::YES
sun:: ipsec status 2> /dev/null::nat-t.*\[PH_IP_VENUS\]::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
diff --git a/testing/tests/ikev2/nat-rw/evaltest.dat b/testing/tests/ikev2/nat-rw/evaltest.dat
index 387dbae23..36d9f8456 100644
--- a/testing/tests/ikev2/nat-rw/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw/evaltest.dat
@@ -2,10 +2,10 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.
venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
sun:: ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
sun:: ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES
-sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL.*ESP in UDP::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
moon:: sleep 6::no output expected::NO
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
index aab1df687..1afd70df8 100755
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/bin/sh
# NAT updown script
#
# Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org>
@@ -13,8 +13,6 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -32,15 +30,20 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
#
# PLUTO_ME
# is the IP address of our host.
@@ -54,25 +57,21 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
-# if non-empty, then the source address for the route will be
-# set to this IP address.
+# PLUTO_MY_SOURCEIP4_$i
+# PLUTO_MY_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP received from a responder,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# virtual IP, IPv4 or IPv6.
#
# PLUTO_MY_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -80,31 +79,38 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
+#
+# PLUTO_XAUTH_ID
+# is an optional user ID employed by the XAUTH protocol
+#
+# PLUTO_MARK_IN
+# is an optional XFRM mark set on the inbound IPsec SA
+#
+# PLUTO_MARK_OUT
+# is an optional XFRM mark set on the outbound IPsec SA
+#
+# PLUTO_UDP_ENC
+# contains the remote UDP port in the case of ESP_IN_UDP
+# encapsulation
+#
+# PLUTO_DNS4_$i
+# PLUTO_DNS6_$i
+# contains IPv4/IPv6 DNS server attribute received from a
+# responder, $i enumerates from 1 to the number of servers per
+# address family.
#
# define a minimum PATH environment in case it is not set
@@ -129,22 +135,22 @@ up-client:)
# If you are doing a custom version, firewall commands go here.
iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-d $PLUTO_PEER_CLIENT -j ACCEPT
- iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
- -s $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+ -s $PLUTO_PEER_CLIENT -j ACCEPT
iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
- echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
+ echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
- iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
- -d $PLUTO_PEER_CLIENT -j ACCEPT
- iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
- -s $PLUTO_PEER_CLIENT -j ACCEPT
- iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
- -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
- echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
+ iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+ -d $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+ -s $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+ -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+ echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
diff --git a/testing/tests/ikev2/net2net-cert-sha2/description.txt b/testing/tests/ikev2/net2net-cert-sha2/description.txt
new file mode 100644
index 000000000..c659b4c47
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/description.txt
@@ -0,0 +1,7 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> using SHA-2 to create signatures
+as enabled by the IKEv2 Signature Authentication extension described in <b>RFC 7427</b>.
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat
new file mode 100644
index 000000000..65737ba1f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat
@@ -0,0 +1,9 @@
+moon:: cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with RSA_EMSA_PKCS1_SHA512 successful::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PKCS1_SHA384 successful::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..5af6d2bbc
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftauth=rsa-sha384
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..2127105da
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..3c3d1e51d
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftauth=rsa-sha512
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..2127105da
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/net2net-cert-sha2/posttest.dat b/testing/tests/ikev2/net2net-cert-sha2/posttest.dat
new file mode 100644
index 000000000..837738fc6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+
diff --git a/testing/tests/ikev2/net2net-cert-sha2/pretest.dat b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat
new file mode 100644
index 000000000..81a98fa41
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-cert-sha2/test.conf b/testing/tests/ikev2/net2net-cert-sha2/test.conf
new file mode 100644
index 000000000..afa2accbe
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
index a26295090..6e5c24063 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -3,4 +3,5 @@
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
multiple_authentication = no
+ signature_authentication = no
}
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
index a26295090..6e5c24063 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -3,4 +3,5 @@
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
multiple_authentication = no
+ signature_authentication = no
}
diff --git a/testing/tests/ikev2/net2net-fragmentation/evaltest.dat b/testing/tests/ikev2/net2net-fragmentation/evaltest.dat
index 7f227fd62..c7437c8bb 100644
--- a/testing/tests/ikev2/net2net-fragmentation/evaltest.dat
+++ b/testing/tests/ikev2/net2net-fragmentation/evaltest.dat
@@ -1,7 +1,7 @@
moon::cat /var/log/daemon.log::IKE_SA_INIT request 0.*FRAG_SUP::YES
sun::cat /var/log/daemon.log::IKE_SA_INIT response 0.*FRAG_SUP::YES
-moon::cat /var/log/daemon.log::splitting IKE message with length of 1804 bytes into 2 fragments::YES
-sun::cat /var/log/daemon.log::splitting IKE message with length of 1596 bytes into 2 fragments::YES
+moon::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
+sun::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
moon::cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES
moon::cat /var/log/daemon.log::received fragment #2 of 2, reassembling fragmented IKE message::YES
sun::cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 7f5f8d703..124e2ae46 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,28 +1,28 @@
-----BEGIN CERTIFICATE-----
-MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0
-MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5
+MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh
-bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm
-RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG
-aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs
-BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU
-lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO
-wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51
-vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
-HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6
+GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu
+uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA
+PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2
+jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd
+D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK
+KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u
Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG
MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy
bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY
-AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX
-QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S
-smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1
-Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O
-vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC
-kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6
-Y0Y2hqCja6SsIjVc
+AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL
+aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo
+830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5
+lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2
+NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR
+pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu
+Mc/lk4Nl8pHRO+Xm
-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem
index 8295f97c1..11607c8cb 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA0ymiy05il+OUJkYyGgUsQcKH86qpGVrZdZrtHA6eqxlq//4Q
-t9TjvTGy3kWQV9FAbbiqLnHgI3a8BmiuwoUdBbfqpS2emfQR9g52uL03RErAd0p/
-rl7lOFjXcJpibkQV35f+4f0bft+ArAT/Nv0bUeBlaUu7u94ki5TeEWnlnckk6obW
-B+HCrdR/TIkm8MKJsHS3nUKN1KDnlJZFj68xSk94M1OLx69bIKWxeeKP4ga+f2Mi
-aVE/VFXg033wBDMZwHvP0P2t6YEizsCdx50r3Eh9MPM7h9WFzrX5qrKYZMFQSRoi
-81B1pWMVSAKAina7+HqEiS6pS+W+dbxpJi/N0QIDAQABAoIBAQCSHbx1XB8jJSot
-teMTWEMAmgCDHrN2RQQ2ueaaxI8MrED7NK4S1rBkCVDRN2ejLLudcOvpyYikYZPI
-B4XuOjgT7ejjNYcK1vXawrVqLhxhGCzIHvftC+MnM2qYk2vLCzfriXyomgD9sOCT
-p72GKmxOIq1pyCr228eEApYLjLCDlhso3PrCo7recUq7f56rLjvb4gfcfor6mJUd
-yIppZUnDFJnsRXup1G4L9Y9RNYtlkcDqem/Q49d5+AHCYH6R8YI0Iz3JnzZjalsq
-+IA6RJqHBTeOpiyCmHlUmVE/3YUm8n7w7RRngMOLjKdiTKHT+8EcHmyUorqW3Yea
-zCIe5C6FAoGBAO23egrSbamyWXcIOqx1GX9gzYmQ2nSKYUtRhsE8eNErw0zp4FKv
-AA7CAmoWEzjDJPSkUzDAajoZiH8+DIZ4IkwKbYjtq0vr1yCbx/PBKVN/JHGZ/Ao/
-dc/lQrNseza34NBrREN/gUytjefFMJ4YStSZCMuy3gP1Fqk6YCy/dObbAoGBAONn
-UqjmZYqoK0+jnGWdPOtXZ4bu8UoHc8/1MaVn3pq8bYh3PayFKpDKtcD1ZeXHCxL2
-1Y+Eid/DoZ2/RZbxT2mhi2mVZZCWc0xuML3Vz0B9bqi3ZfRLVP2u87fn//mGrD+9
-yy9PeIBv8UvjOhev6hZDBhPAVMsyjiw+wSX6kW/DAoGBAMBcrbSeLcGZok3xadFu
-fPCXvBtrDWwrIqpZUauDLN1PBZ5yz2T5WhmXI28HaAyR1ZDmfK9BtXRIfy1AX9Bc
-3JweAB9C/E/Wi+JGTVrR34hCpZIMImmEiuhtxDj/OwG/cHwXoUjhoBcVhnScHEiC
-reM152k21/Pp26mbpIHxeD7rAoGAaRy4S5P7uaTUKEKzJxEQOKQ1GVzXMWXSdXyb
-zx38+j9AzgR4AIepTjY03xVPXW+swb5Qpr8Xz9Oon7bq3sN59pSSUWKaCMRSVTDV
-3Nm4q9GO1fO377zmc0BsLUTSwC8s7WW4Ro0QYSXdPjuw/YP1ywZ+B6EuUKJ0ryTu
-uLRih2sCgYBm15N97b7Rp+aAti045iBla9/KH8z7szczIndpFWR4wjaI9tt0i9GR
-OZs7LFq0MYdg8JiXITyVcuqsUbdAP3TvsXGDHdatbDcrXM/DYuP6dPqMuGBKdnEn
-gIFT1z8mhv4Im3JKpuckMrIQ5vWhljcRZgiEJYZfEAkLJo7ePG2VzA==
+MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0
+unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd
+GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb
+kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg
+z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY
+pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ
+ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB
+u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9
+ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt
+pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV
+VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/
+ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/
+intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku
+4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I
+HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd
+iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE
+caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX
+b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0
+8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04
+J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7
+3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09
+NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh
+VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU
+KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof
+50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem
index 9ccd47a2c..a93121da1 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem
@@ -1,28 +1,28 @@
-----BEGIN CERTIFICATE-----
-MIIEtjCCA56gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEtjCCA56gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzUyMVoXDTE0
-MTIyMjEzMzUyMVowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDkwMFoXDTE5
+MTIyMTA2NDkwMFowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu
-Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1HhvoVh/fM14RE
-CTXr4to9ZEeGSqHLl5du+eYZl1fC7qLYaCtlaH+eLfDsCgYpe+XsDLHIxpTK9R6k
-XgLP1Jraxz3rtv5qJKkV3aDTjQ2d+cFc0EgiZmn53VEmI/IlcJS/VZzHhNvEJk7H
-k0YpoazpGPtNzFGaehV5mXUAeVPx4RH8fjcSiPbuPS3WC7cqtYvVwk97dj05VfEC
-VnG+90+eFKztvawBzNGwGQ7xZV7kSiPHNyGAV0qrKvhXZ0VPnm/OEiGCAlIo8uno
-Yb/4UMM/a5usCaA9Hgbf8+qqmrzavSUkFEa0y/p9bOBHaqfNP002xktbqBCCodRr
-6QgmiysCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
-DgQWBBTaKhy7PH1ihWsD+3/bJQ3e3Isj+DCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
+Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+7A6hhF+4kxCv5
+oR9DEpv1gnpGmPpn6i7JfuLGIJ9phQ3bUnSMIx8+mp3JE4SLXINLcyCHilK74tIf
+pwYx2K0c2txTFIWLQvBaHWohJ9Sgg4ElVXmSa/b0Nym5FcttdcRgNGd/+DLPs9Tw
+ZoieGvJcZWiOBP+xxPbEo2xcoi3GetPN+XSW+m1BvU88Ysrp0o+4+rLPB5iipUB1
+Iksb51SvF4iG4BHfoTKGlHLwVyjJnp7YnYJtjY6Xaw1GbCf6wcwLlq71uoMj39cd
+0clncpi/s13K2Sh0YHiCcQD5vIkP9BRmobWAXseBZevYI/rU5dz761EqHf72TRrd
+bM3/KycCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
+DgQWBBTPOzV+XXFm2wEX9j+NxqVXiRBq7TCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3
YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz
d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo
dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww
RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR
-AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAOqdCIldA
-mPp2aAWVPBiKXNrk4VJoIGlwZaUtYNxGQ46wUqAro/taKwZd4B1yvwsX/cHX3Y6j
-C1mQtiXw9onJm1qJM1a804U9yPcgdI+9RMiU0hA+aVmyMlS6WQsKFubU17qP2Ljd
-4hOwVQ681Hi8zfQjJdYpaO1yLcpy2dkotreJS3wA24ssnskRBI/cuAN0dfbV6SDQ
-TK91qz0emHoK3efgtvX4oEpsxI4NrwMstaZSVsHn4npKTGYu82dmPoK6WPblGEHZ
-Iavl08lGcYBV5I2ZGuWOekWQzUuBSveV3AFjieeaDIG3Ue3AKaihn6dCLz6l+t7E
-dXN+1axy9zQ34g==
+AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAgJDWuKCu
+7H/K4U7xFRarSKtj9oMAAsq2vLSQqJTUg6fdTnFIlH3OBPcwEzFwVx30QlQyls1p
+nHm/cptV/3cxvqCvdnT2dVspJu+9a5D+zZNeLAtWZuyRN6Nlmeqj1Nnp6eEHEBrg
+oXMzmAf0ulzIZJsEVYwJSCXm0AMOlyvoIYqKxty3L2VZ1iAU1z15lnFhcvamraGx
+k7yaI9ujVR4xQZOOgh05pUrEKaXI3XR1rIoL3NV3ws/JgHch/CQw/If7x4VQmGcD
+yJbKkKn0S18TJr0KhPqbM4+inldEwyX/zjGmlHezy0em5qTRYwupFIQNwZZkTXug
+NnBR3lf2HB2lWA==
-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem
index 6e047af69..55f5f8037 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArUeG+hWH98zXhEQJNevi2j1kR4ZKocuXl2755hmXV8Luotho
-K2Vof54t8OwKBil75ewMscjGlMr1HqReAs/UmtrHPeu2/mokqRXdoNONDZ35wVzQ
-SCJmafndUSYj8iVwlL9VnMeE28QmTseTRimhrOkY+03MUZp6FXmZdQB5U/HhEfx+
-NxKI9u49LdYLtyq1i9XCT3t2PTlV8QJWcb73T54UrO29rAHM0bAZDvFlXuRKI8c3
-IYBXSqsq+FdnRU+eb84SIYICUijy6ehhv/hQwz9rm6wJoD0eBt/z6qqavNq9JSQU
-RrTL+n1s4Edqp80/TTbGS1uoEIKh1GvpCCaLKwIDAQABAoIBAHKb86/nm9YPu6B1
-K65phdMZdgFE1oorUenMcid6V7qpaRN2lXfWjAaUxggq5vpqZ9OMjFzu0kHJ99S7
-nJ65fgKqn8vZ42BlLjhUCRH9urb9/Rqi2/RKJHkF1hd9ZZscnlkUMHkRElQVac0D
-feqTUKdASdC2BWUYCpW3pwNXO+iD5bA9/wB2J/RYYmm6Qo7UZQU8C0lken/8EOEL
-/ch0ID7C5PC0vWvLT0fM9j2JKDq8T6NRhF1MluISGDOp4pW7tEbkHo5I6zD0aPO2
-K9leN3aSUYsOVJk39VXkThwgJ4lqNEXI2xRbtW8sAf7TL1YDxLR2JN3UGvy/By5B
-UblJUnECgYEA2nO+iXScKd3qqmHrdXcxf2ExZQr8QgTAsZOkb6LQ9kGQll0lBcFc
-T2HlobzOaQktpF44C41zf2QpGDllbpyNT8VyQkI+CJ4pntjtKPkoPkxUeVlciFsm
-7THqCGe0zQBWDnXFVfTKR12aRwkhjG+QCQyyaAaV8YztEsDI5SRCjykCgYEAyxAb
-t/NTh9DBDrfJCkT21Rm9Ow70vhDaAyQLq3nJMF+BTXYDrnVMmFHCIHd+nbNP0CLs
-cV/fWAF6626ko5B6ewPFQ4wXRvtNAiDNZSfeaZgvxCrvoDgVrHWhfwHSXWFqny0o
-WHwIJJQvdkLW9BHwbpAQRoD1c2sy7pWIVTEyljMCgYEA0zZXwkUp/FzhWG2moANn
-qzZI8N4nOpmnycnrkjiE+6Q27PsQIblrzCDmSnPnyqyiIasrWxgf1Mr95LsR9FmP
-U9Ke/6tWmTR7H2e0HgqRO3LHtjCNhBVF1M6O7iN/Lzqk+gQqkUpGDaxVz1rnwgXX
-6LgLAwNjFJJiYeBeHRbq98kCgYAwBdg4UbBgf0sY+vftmM+zKAorjGbvCDc25PBp
-ljyxVvTSZ+WI/a6mmzdIzFnCW+S1OX0ndt/wBTGXuivvjryYmRSu29OpcscMiMtq
-b9pWqKorP2g6QOlHRu5xhfHFKcO4b0qKWpLma7Epy7bgM9njm+htdBQYPrLl37FF
-TIRFJwKBgGnZR5rm5iCrcIoAUMlH4/5ye5BPjHDn1NNv7Q7PZR9jhaEuoiBgvk6v
-h+YVi9A9nhbaqS4/rumsNPlObeIw78713pendaWCjC4hA0urrJ4fElfuaIyZMyKE
-FD64V78iaYVlmwKMJxZUnS1EFzb0XQZM7wxhB/i0wwjh+48rBHbd
+MIIEpAIBAAKCAQEA77sDqGEX7iTEK/mhH0MSm/WCekaY+mfqLsl+4sYgn2mFDdtS
+dIwjHz6anckThItcg0tzIIeKUrvi0h+nBjHYrRza3FMUhYtC8FodaiEn1KCDgSVV
+eZJr9vQ3KbkVy211xGA0Z3/4Ms+z1PBmiJ4a8lxlaI4E/7HE9sSjbFyiLcZ60835
+dJb6bUG9TzxiyunSj7j6ss8HmKKlQHUiSxvnVK8XiIbgEd+hMoaUcvBXKMmentid
+gm2NjpdrDUZsJ/rBzAuWrvW6gyPf1x3RyWdymL+zXcrZKHRgeIJxAPm8iQ/0FGah
+tYBex4Fl69gj+tTl3PvrUSod/vZNGt1szf8rJwIDAQABAoIBAQDf/YrzXpTva+bn
+d7y16wOOORyKh0AUZ9eFk7s8xAZjLEKnqc8nGnEOln39A417AIOWIX8WW85Ac1EB
+J5X10ck0JovP5Mh95prK3Egzi3sdzkRQ/MMablb2TUTldQwKIOIyc/lC42zSfQL3
+6Q7Eg4WGAhK2WEwPZNg2AZD4hKz7unK+IAar9uLi39E4iVzDavzwK5y+fsy3HVFD
+cJbPWAr4+4teinF5wkRzK7OInwkPc9IrUF/9wp1ZWp/Rc1YEkCVwmu5v7kPzALI0
+SLwYLil8mXfvG0VZjYIlhCSOJJRuw/0JR2cCDJ9WFppK+YKNh+uLoPXhJxbXM8fB
+BmCHhpdRAoGBAPpc7DhUQv8mxGCOy9O/ec50GTPj0bWD0WLrJoqvHu+LyN8OwTdG
+KMdV4Mp/tpAWbAlKH22/+7P/QCOCwByHQaUisnbkqx+5/JhZsQB7rLAdQ8SHLdj2
+iO2+6cgYPOFm6W4QT7/vl4BHAK4Glw5NPyS5sN9JBTY4bpzFHunsRe27AoGBAPUg
+zoUZnZ/6g+8XRSH77aLAbKScMBGusyxfhFAesqaXcrCrg8FG6Wcpuv2HsBE1v0d0
+7/1oJdT+p+uB2V3iZqTOeJeOCVYXgU82NRZl7R8hqYzkD8rFUZVg6hlm2xi+IUpE
+ya4itKWIckSvnexEqiBov7k8sPmb7R/7HWGWUOuFAoGADz8PZ5LCDbW3qcWoZfm4
+Gjl5u245PBuN6b82NqXZdW8GyYalf483NoRlTw+d94JWC+7GoTFay6hUqJTyzAn0
+lnDZe2ILhcAWwNRdchEWABeYI+Szhw3kYs4IgJXxRyy0NG6r3J1jlX09bluaYVWU
+7dCdE8vnlFi1a7iZXFd2HrcCgYBknEGHqdrjdbw/Hwr2BuQjf91Xtu+X4l+SH+Y7
+yE3FSLX/Q3aBluxntl4Uf2PJvIi0+I8kMGIOyTL827/u4+UDUed3NQop9t3ROEuT
+1OP9eiCQPm8o59IzgKK1KF1XC3q4dAFfYslIg/d6r6Ye+pPlV3kRu5Jb8R7jmHsX
+uc2ezQKBgQDgouR4ipkb+sQcMKkhzHUEx67aHEVH69v2R9lm8YgPHjvPCA++DgPZ
+dwWALnW5wKRfdGy4b1yTIICUgjKIIlD2owJB/J5Z4SzrzbOAEJkNURGAhp6njsf+
+QYRyoXLOb/8jAQqLx9hOB8L2gsRSDddvvYw/DTP2cKM8vJtYFWam+A==
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
index bdba3fb05..e9ab41c7f 100755
--- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/bin/sh
# updown script setting inbound marks on ESP traffic in the mangle chain
#
# Copyright (C) 2003-2004 Nigel Meteringham
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,20 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
#
# PLUTO_ME
# is the IP address of our host.
@@ -63,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -85,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -93,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -186,7 +169,6 @@ fi
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
up-client:)
# connection to my client subnet coming up
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt b/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt
new file mode 100644
index 000000000..dfec6a3b6
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt
@@ -0,0 +1,8 @@
+This scenario tests <b>make-before-break reauthentication</b> using overlapping
+IKE_SAs by setting the <i>make_before_break</i> strongswan.conf option for
+clients using an assigned virtual IP. The initiator <b>carol</b> reauthenticates
+the IKE_SA with host <b>moon</b> using <b>ikelifetime=10s</b>, but does not
+close the old IKE_SA before the replacement CHILD_SA using the same virtual IP
+is in place. A constant ping from <b>carol</b> to client <b>alice</b>
+hiding in the subnet behind <b>moon</b> tests if the CHILD_SA works during the
+whole procedure.
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat
new file mode 100644
index 000000000..509457418
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat
@@ -0,0 +1,7 @@
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..6447b1cca
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ keylife=20m
+ ikelifetime=10s
+ rekeymargin=5s
+ rekeyfuzz=0%
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftsourceip=%config
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f89437e43
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+
+ make_before_break = yes
+}
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..121ea7eab
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=30m
+ keylife=20m
+ rekeymargin=0s
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ rightsourceip=10.3.0.0/24
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f585edfca
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat
new file mode 100644
index 000000000..046d4cfdc
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
new file mode 100644
index 000000000..baacc1605
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf
new file mode 100644
index 000000000..4a5fc470f
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-mbb/description.txt b/testing/tests/ikev2/reauth-mbb/description.txt
new file mode 100644
index 000000000..ab92d7df8
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/description.txt
@@ -0,0 +1,7 @@
+This scenario tests <b>make-before-break reauthentication</b> using overlapping
+IKE_SAs by setting the <i>make_before_break</i> strongswan.conf option. The
+initiator <b>carol</b> reauthenticates the IKE_SA with host <b>moon</b> using
+<b>ikelifetime=10s</b>, but does not close the old IKE_SA before the replacement
+CHILD_SA is in place. A constant ping from <b>carol</b> to client <b>alice</b>
+hiding in the subnet behind <b>moon</b> tests if the CHILD_SA works during the
+whole procedure.
diff --git a/testing/tests/ikev2/reauth-mbb/evaltest.dat b/testing/tests/ikev2/reauth-mbb/evaltest.dat
new file mode 100644
index 000000000..509457418
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/evaltest.dat
@@ -0,0 +1,7 @@
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..f46405a47
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ keylife=20m
+ ikelifetime=10s
+ rekeymargin=5s
+ rekeyfuzz=0%
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f89437e43
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+
+ make_before_break = yes
+}
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..2f4557447
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=30m
+ keylife=20m
+ rekeymargin=0s
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f585edfca
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/reauth-mbb/posttest.dat b/testing/tests/ikev2/reauth-mbb/posttest.dat
new file mode 100644
index 000000000..046d4cfdc
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-mbb/pretest.dat b/testing/tests/ikev2/reauth-mbb/pretest.dat
new file mode 100644
index 000000000..baacc1605
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/reauth-mbb/test.conf b/testing/tests/ikev2/reauth-mbb/test.conf
new file mode 100644
index 000000000..4a5fc470f
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
index d59eef513..20f1f132c 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
index 0ea4e21ab..77e306bf9 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
index b4825fb82..c2efc3fcd 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
index 6a20b8e8c..e09765fb6 100644
--- a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
@@ -1,7 +1,7 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::requesting EAP_TLS authentication, sending EAP_NAK::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TLS succeeded, MSK established::YES
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
index 1460ec8f9..10ce861b1 100644
--- a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
@@ -8,7 +8,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswa
moon ::ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
index aa6d4291b..47a4977a2 100644
--- a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
@@ -8,7 +8,7 @@ carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongsw
moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO
-dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
index 42d2c319e..5853deb26 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
@@ -1,6 +1,6 @@
carol::cat /var/log/daemon.log::configured EAP-Identity carol::YES
carol::cat /var/log/daemon.log::added EAP secret for carol moon.strongswan.org::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'PH_IP_CAROL' with EAP successful::YES
moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
index 8f813395a..109407b96 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
index 881971e80..87c37f3a3 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
index a8019b3e7..49045c9ef 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
index b4825fb82..c2efc3fcd 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
index 84f41fd93..88ab87d29 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
index b4825fb82..c2efc3fcd 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
index 010f48315..892fdd6ef 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
index 95c29b7f5..d3d97dc38 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
@@ -1,9 +1,9 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
index f1a68bc19..0dfc89e07 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
index 21cfe429a..a514f48b7 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
index ab27b4510..f33e7bc36 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: ipsec status 2> /dev/null::rw-eap-sim.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
index b4825fb82..c2efc3fcd 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
index 7584e14dc..75349b031 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
index a471a2cfa..f250c0cb3 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
@@ -1,9 +1,9 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
index 421335ffb..b8b45e3b0 100755
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/bin/sh
# updown script setting inbound marks on ESP traffic in the mangle chain
#
# Copyright (C) 2003-2004 Nigel Meteringham
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,20 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
#
# PLUTO_ME
# is the IP address of our host.
@@ -63,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -85,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -93,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -143,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -157,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -193,119 +166,45 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- parms1="$PLUTO_PEER_CLIENT"
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
- if [ -n "$PLUTO_NEXT_HOP" ]
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
then
- parms2="via $PLUTO_NEXT_HOP"
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
-
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
fi
- if test " $oops" != " " -o " $st" != " 0"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
then
- echo "$0: doroute \`$it' failed ($oops)" >&2
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
fi
# is there an inbound mark to be set?
@@ -320,75 +219,11 @@ then
SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
fi
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-fi
-
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -403,6 +238,14 @@ up-host:)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -430,6 +273,13 @@ down-host:)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -472,6 +322,15 @@ up-client:)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -518,6 +377,13 @@ down-client:)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
diff --git a/testing/tests/ikev2/rw-ntru-bliss/description.txt b/testing/tests/ikev2/rw-ntru-bliss/description.txt
new file mode 100644
index 000000000..b81fdb7cf
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/description.txt
@@ -0,0 +1,15 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The key exchange is based on NTRU encryption with a cryptographical strength of 128 bit and
+192 bit for <b>carol</b> and <b>dave</b>, respectively. Authentication is based on the BLISS
+algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for
+<b>carol</b>, <b>dave</b> and <b>moon</b>, respectively.
+<p>
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
+IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
+increasing order.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
+the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
+pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat
new file mode 100644
index 000000000..5a88b6641
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat
@@ -0,0 +1,26 @@
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA512 successful::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA512 successful::YES
+dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA256 successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS_WITH_SHA384 successful::YES
+moon:: ipsec statusall 2> /dev/null::rw\[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
+moon:: ipsec statusall 2> /dev/null::rw\[2]: IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..f13e47a71
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes128-sha256-ntru128!
+ esp=aes128-sha256!
+ authby=pubkey
+ fragmentation=yes
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=%config
+ leftcert=carolCert.der
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der
new file mode 100644
index 000000000..cbc7e09c1
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der
new file mode 100644
index 000000000..491e245dd
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der
new file mode 100644
index 000000000..b2831a8ed
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..c2225646d
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: BLISS carolKey.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ab824c993
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+ send_vendor_id = yes
+ fragment_size = 1500
+}
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..5f605a43d
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes192-sha384-ntru192!
+ esp=aes192-sha384!
+ authby=pubkey
+ fragmentation=yes
+
+conn home
+ left=PH_IP_DAVE
+ leftsourceip=%config
+ leftcert=daveCert.der
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der
new file mode 100644
index 000000000..cbc7e09c1
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der
new file mode 100644
index 000000000..83a213710
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der
new file mode 100644
index 000000000..0ec528ddf
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..fe2643204
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: BLISS daveKey.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ab824c993
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+ send_vendor_id = yes
+ fragment_size = 1500
+}
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..2a9b33aae
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes128-sha256-ntru128,aes192-sha384-ntru192!
+ esp=aes128-sha256,aes192-sha384!
+ authby=pubkey
+ fragmentation=yes
+
+conn rw
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.der
+ leftauth=bliss-sha512
+ leftid=moon.strongswan.org
+ leftfirewall=yes
+ right=%any
+ rightsourceip=10.3.0.0/28
+ auto=add
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der
new file mode 100644
index 000000000..cbc7e09c1
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der
new file mode 100644
index 000000000..1ab7d21f7
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der
new file mode 100644
index 000000000..c989f91e5
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..b4a9ee68d
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: BLISS moonKey.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ab824c993
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+ send_vendor_id = yes
+ fragment_size = 1500
+}
diff --git a/testing/tests/ikev2/rw-ntru-bliss/posttest.dat b/testing/tests/ikev2/rw-ntru-bliss/posttest.dat
new file mode 100644
index 000000000..9ba8c5f55
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/posttest.dat
@@ -0,0 +1,9 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
+carol::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
+dave::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/pretest.dat b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat
new file mode 100644
index 000000000..24249435e
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+dave::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-ntru-bliss/test.conf b/testing/tests/ikev2/rw-ntru-bliss/test.conf
new file mode 100644
index 000000000..164b07ff9
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
index ab398a3bb..55b295781 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
@@ -2,8 +2,8 @@ moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pr
moon:: cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre-shared key::YES
moon:: ipsec status 2> /dev/null::rw-psk.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*\[PH_IP_MOON]::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES
moon:: ipsec status 2> /dev/null::rw-rsasig.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
index 1648c9557..1206ea4b7 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
@@ -1,6 +1,6 @@
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
index ccbc769e2..b192f788f 100644
--- a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
index 438e1c14c..6ebb7c356 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-sig-auth/description.txt b/testing/tests/ikev2/rw-sig-auth/description.txt
new file mode 100644
index 000000000..569d7e054
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> an <b>dave</b> set up a connection to gateway
+<b>moon</b>. They authenticate themselves using <b>RSA signatures</b> but
+they use different hash algorithms. <b>moon</b> uses signature scheme constraints
+to only allow access to the <b>research</b> and <b>accounting</b> subnets if
+specific algorithms are used. <b>Note:</b> Because the client certificate's are signed
+with SHA-256 we have to accept that algorithm too because signature schemes in
+<b>rightauth</b> are also used as constraints for the whole certificate chain.
+Therefore, <b>carol</b> obtains access to the <b>research</b> subnet behind gateway
+<b>moon</b> whereas <b>dave</b> has access to the <b>accounting</b> subnet, but not
+vice-versa.
diff --git a/testing/tests/ikev2/rw-sig-auth/evaltest.dat b/testing/tests/ikev2/rw-sig-auth/evaltest.dat
new file mode 100644
index 000000000..261475f56
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/evaltest.dat
@@ -0,0 +1,20 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA_EMSA_PKCS1_SHA384 successful::YES
+moon ::ipsec status 2> /dev/null::research.*ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES
+carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA_EMSA_PKCS1_SHA512 successful::YES
+moon ::ipsec status 2> /dev/null::accounting.*ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES
+dave ::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::accounting.*INSTALLED, TUNNEL::YES
+dave ::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::NO
+dave ::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..b1aa2d99a
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn alice
+ rightsubnet=10.1.0.10/32
+ also=home
+ auto=add
+
+conn venus
+ rightsubnet=10.1.0.20/32
+ also=home
+ auto=add
+
+conn home
+ left=%any
+ leftcert=carolCert.pem
+ leftauth=pubkey-sha384
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=pubkey
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..044d73ac3
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown
+}
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..eef3e2622
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn alice
+ rightsubnet=10.1.0.10/32
+ also=home
+ auto=add
+
+conn venus
+ rightsubnet=10.1.0.20/32
+ also=home
+ auto=add
+
+conn home
+ left=%any
+ leftcert=daveCert.pem
+ leftauth=pubkey-sha512
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=pubkey
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..044d73ac3
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown
+}
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..9f9051eeb
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn research
+ rightauth=pubkey-sha384-sha256
+ leftsubnet=10.1.0.0/28
+ also=rw
+ auto=add
+
+conn accounting
+ rightauth=pubkey-sha512-sha256
+ leftsubnet=10.1.0.16/28
+ also=rw
+ auto=add
+
+conn rw
+ left=PH_IP_MOON
+ leftid=@moon.strongswan.org
+ leftcert=moonCert.pem
+ leftauth=pubkey
+ leftfirewall=yes
+ right=%any
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..044d73ac3
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown
+}
diff --git a/testing/tests/ikev2/rw-sig-auth/posttest.dat b/testing/tests/ikev2/rw-sig-auth/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-sig-auth/pretest.dat b/testing/tests/ikev2/rw-sig-auth/pretest.dat
new file mode 100644
index 000000000..bec31cc68
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up alice
+carol::ipsec up venus
+dave::ipsec up alice
+dave::ipsec up venus
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-sig-auth/test.conf b/testing/tests/ikev2/rw-sig-auth/test.conf
new file mode 100644
index 000000000..b9e97e43b
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=""
+
diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2/rw-whitelist/evaltest.dat
index 9418d6ee1..3522c3d79 100644
--- a/testing/tests/ikev2/rw-whitelist/evaltest.dat
+++ b/testing/tests/ikev2/rw-whitelist/evaltest.dat
@@ -1,6 +1,6 @@
moon:: cat /var/log/daemon.log::whitelist functionality was already enabled::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA signature successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES
moon:: cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES