Diffstat (limited to 'testing/tests/ikev2')
-rw-r--r--testing/tests/ikev2/alg-aes-xcbc/description.txt4
-rw-r--r--testing/tests/ikev2/alg-aes-xcbc/evaltest.dat9
-rwxr-xr-xtesting/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf (renamed from testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf)2
-rw-r--r--testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf (renamed from testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf)2
-rw-r--r--testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/alg-aes-xcbc/posttest.dat (renamed from testing/tests/ikev2/esp-alg-aesxcbc/posttest.dat)0
-rw-r--r--testing/tests/ikev2/alg-aes-xcbc/pretest.dat (renamed from testing/tests/ikev2/esp-alg-aesxcbc/pretest.dat)0
-rw-r--r--testing/tests/ikev2/alg-aes-xcbc/test.conf (renamed from testing/tests/ikev2/esp-alg-aesxcbc/test.conf)0
-rw-r--r--testing/tests/ikev2/compress/description.txt3
-rw-r--r--testing/tests/ikev2/compress/evaltest.dat10
-rwxr-xr-x[-rw-r--r--]testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf (renamed from testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.conf)18
-rw-r--r--testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/compress/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/compress/posttest.dat2
-rw-r--r--testing/tests/ikev2/compress/pretest.dat5
-rw-r--r--testing/tests/ikev2/compress/test.conf (renamed from testing/tests/ikev2/nat-pf/test.conf)7
-rw-r--r--testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/crl-from-cache/evaltest.dat14
-rw-r--r--testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/crl-ldap/evaltest.dat16
-rw-r--r--testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/crl-revoked/evaltest.dat5
-rw-r--r--testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/crl-to-cache/evaltest.dat4
-rw-r--r--testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/default-keys/pretest.dat2
-rw-r--r--testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/esp-alg-aes-ccm/description.txt4
-rw-r--r--testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat (renamed from testing/tests/ikev2/esp-alg-aesxcbc/evaltest.dat)4
-rwxr-xr-xtesting/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat4
-rw-r--r--testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat6
-rw-r--r--testing/tests/ikev2/esp-alg-aes-ccm/test.conf21
-rw-r--r--testing/tests/ikev2/esp-alg-aes-gcm/description.txt4
-rw-r--r--testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat5
-rwxr-xr-xtesting/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat4
-rw-r--r--testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat6
-rw-r--r--testing/tests/ikev2/esp-alg-aes-gcm/test.conf21
-rw-r--r--testing/tests/ikev2/esp-alg-aesxcbc/description.txt4
-rw-r--r--testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/host2host-transport/evaltest.dat2
-rw-r--r--testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ip-pool-db/description.txt10
-rw-r--r--testing/tests/ikev2/ip-pool-db/evaltest.dat26
-rwxr-xr-xtesting/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf10
-rw-r--r--testing/tests/ikev2/ip-pool-db/posttest.dat8
-rw-r--r--testing/tests/ikev2/ip-pool-db/pretest.dat13
-rw-r--r--testing/tests/ikev2/ip-pool-db/test.conf21
-rw-r--r--testing/tests/ikev2/ip-pool-wish/description.txt11
-rw-r--r--testing/tests/ikev2/ip-pool-wish/evaltest.dat23
-rwxr-xr-xtesting/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ip-pool-wish/posttest.dat6
-rw-r--r--testing/tests/ikev2/ip-pool-wish/pretest.dat10
-rw-r--r--testing/tests/ikev2/ip-pool-wish/test.conf21
-rw-r--r--testing/tests/ikev2/ip-pool/description.txt10
-rw-r--r--testing/tests/ikev2/ip-pool/evaltest.dat23
-rwxr-xr-xtesting/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ip-pool/posttest.dat6
-rw-r--r--testing/tests/ikev2/ip-pool/pretest.dat10
-rw-r--r--testing/tests/ikev2/ip-pool/test.conf21
-rw-r--r--testing/tests/ikev2/mobike-nat/evaltest.dat6
-rwxr-xr-xtesting/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf2
-rw-r--r--testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf2
-rw-r--r--testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/mobike-nat/test.conf2
-rw-r--r--testing/tests/ikev2/mobike-virtual-ip/evaltest.dat6
-rwxr-xr-xtesting/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf2
-rw-r--r--testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf2
-rw-r--r--testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/mobike-virtual-ip/test.conf2
-rw-r--r--testing/tests/ikev2/mobike/evaltest.dat6
-rw-r--r--testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/mobike/test.conf2
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat15
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat2
-rw-r--r--testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf5
-rw-r--r--testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/multi-level-ca/evaltest.dat8
-rw-r--r--testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/nat-double-snat/description.txt6
-rw-r--r--testing/tests/ikev2/nat-double-snat/evaltest.dat5
-rw-r--r--testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.conf16
-rw-r--r--testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.d/certs/bobCert.pem25
-rw-r--r--testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.conf20
-rw-r--r--testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.d/certs/aliceCert.pem25
-rw-r--r--testing/tests/ikev2/nat-double-snat/posttest.dat8
-rw-r--r--testing/tests/ikev2/nat-double-snat/pretest.dat11
-rw-r--r--testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/nat-pf/description.txt4
-rw-r--r--testing/tests/ikev2/nat-pf/evaltest.dat5
-rw-r--r--testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.conf19
-rw-r--r--testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.d/certs/carolCert.pem25
-rw-r--r--testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.d/certs/aliceCert.pem25
-rw-r--r--testing/tests/ikev2/nat-pf/posttest.dat5
-rw-r--r--testing/tests/ikev2/nat-pf/pretest.dat7
-rw-r--r--testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-local-cert/evaltest.dat12
-rw-r--r--testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/evaltest.dat6
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat7
-rw-r--r--testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat1
-rw-r--r--testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat1
-rw-r--r--testing/tests/ikev2/ocsp-revoked/evaltest.dat7
-rw-r--r--testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-root-cert/evaltest.dat12
-rw-r--r--testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-signer-cert/description.txt2
-rw-r--r--testing/tests/ikev2/ocsp-signer-cert/evaltest.dat17
-rwxr-xr-xtesting/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf5
-rw-r--r--testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat5
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat16
-rwxr-xr-xtesting/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf3
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat5
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat8
-rw-r--r--testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat1
-rw-r--r--testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat1
-rw-r--r--testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/description.txt7
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat10
-rwxr-xr-xtesting/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets5
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat7
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/test.conf (renamed from testing/tests/ikev2/nat-double-snat/test.conf)6
-rwxr-xr-xtesting/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-hash-and-url/description.txt10
-rw-r--r--testing/tests/ikev2/rw-hash-and-url/evaltest.dat14
-rwxr-xr-xtesting/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf28
-rw-r--r--testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf28
-rw-r--r--testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf27
-rw-r--r--testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/rw-hash-and-url/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-hash-and-url/pretest.dat9
-rw-r--r--testing/tests/ikev2/rw-hash-and-url/test.conf21
-rw-r--r--testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat2
-rwxr-xr-xtesting/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/two-certs/evaltest.dat7
-rw-r--r--testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf5
294 files changed, 1853 insertions, 317 deletions
diff --git a/testing/tests/ikev2/alg-aes-xcbc/description.txt b/testing/tests/ikev2/alg-aes-xcbc/description.txt
new file mode 100644
index 000000000..24a4afe57
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-xcbc/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC-256/AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b>
+in ipsec.conf. The same cipher suite is used for IKE: <b>ike=aes256-aesxcbc-modp2048</b>.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
new file mode 100644
index 000000000..853746cd4
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
@@ -0,0 +1,9 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::rw.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES
+carol::ipsec statusall::home.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES
+moon::ipsec statusall::rw.*AES_CBC-256/AES_XCBC_96,::YES
+carol::ipsec statusall::home.*AES_CBC-256/AES_XCBC_96,::YES
+moon::ip xfrm state::auth xcbc(aes)::YES
+carol::ip xfrm state::auth xcbc(aes)::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
index 25f8ce8b2..edd0aaaf8 100755
--- a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- ike=aes256-sha256-modp2048!
+ ike=aes256-aesxcbc-modp2048!
esp=aes256-aesxcbc-modp2048!
conn home
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
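Review bot: The `load` line in this strongswan.conf puts `des` and `md5` into charon's plugin set, although the scenario pins `ike=aes256-aesxcbc-modp2048!` and `esp=aes256-aesxcbc-modp2048!`, so neither algorithm appears to be exercised here. The same five-line file is added verbatim for moon and for the compress, config-payload and config-payload-swapped hosts visible in this diff, which makes it a likely copy-paste template. If nothing in the test PKI or key files depends on them (not visible in this diff), trim the list to `load = curl aes sha1 sha2 gmp random x509 pubkey hmac xcbc stroke`. Otherwise add a comment such as `# des/md5 are loaded only for legacy test fixtures; not a recommended production plugin set`.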
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
index 303a49152..18618929f 100755
--- a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- ike=aes256-sha256-modp2048!
+ ike=aes256-aesxcbc-modp2048!
esp=aes256-aesxcbc-modp2048!
conn rw
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/posttest.dat b/testing/tests/ikev2/alg-aes-xcbc/posttest.dat
index 94a400606..94a400606 100644
--- a/testing/tests/ikev2/esp-alg-aesxcbc/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/posttest.dat
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/pretest.dat b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
index f360351e1..f360351e1 100644
--- a/testing/tests/ikev2/esp-alg-aesxcbc/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/test.conf b/testing/tests/ikev2/alg-aes-xcbc/test.conf
index 2b240d895..2b240d895 100644
--- a/testing/tests/ikev2/esp-alg-aesxcbc/test.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/test.conf
diff --git a/testing/tests/ikev2/compress/description.txt b/testing/tests/ikev2/compress/description.txt
new file mode 100644
index 000000000..47829839d
--- /dev/null
+++ b/testing/tests/ikev2/compress/description.txt
@@ -0,0 +1,3 @@
+This scenario enables IPCOMP compression between roadwarrior <b>carol</b> and
+gateway <b>moon</b>. Two pings from <b>carol</b> to <b>alice</b> checks
+the established tunnel with compression.
diff --git a/testing/tests/ikev2/compress/evaltest.dat b/testing/tests/ikev2/compress/evaltest.dat
new file mode 100644
index 000000000..279033f2b
--- /dev/null
+++ b/testing/tests/ikev2/compress/evaltest.dat
@@ -0,0 +1,10 @@
+moon::cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUPP)::YES
+moon::cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUPP)::YES
+carol::ipsec status::home.*INSTALLED::YES
+moon::ipsec status::rw.*INSTALLED::YES
+moon::ip xfrm state::proto comp spi::YES
+carol::ip xfrm state::proto comp spi::YES
+carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
+moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
index 52345af7c..670a50c00 100644..100755
--- a/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
@@ -1,17 +1,23 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
plutostart=no
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ compress=yes
+
conn home
left=PH_IP_CAROL
leftcert=carolCert.pem
leftid=carol@strongswan.org
right=PH_IP_MOON
- rightcert=aliceCert.pem
- rightid=alice@strongswan.org
- rightsubnet=10.1.0.0/24
- keyexchange=ikev2
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
auto=add
diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..91abfd4da
--- /dev/null
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ compress=yes
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ rightid=carol@strongswan.org
+ auto=add
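Review bot: `compress=yes` is set in `conn %default` (here and in carol's ipsec.conf for this scenario), so any connection later added to these files would negotiate IPComp as well, not just `rw` / `home`. Compressing before ESP encryption makes the ciphertext length depend on the plaintext content, which is a known length side channel when attacker-influenced and secret data share a tunnel. Moving the option into `conn rw` (and `conn home` on carol) with a comment like `# IPComp enabled only to exercise N(IPCOMP_SUPP) negotiation in this test` would keep it scoped to what evaltest.dat checks.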
diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/compress/posttest.dat b/testing/tests/ikev2/compress/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/ikev2/compress/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev2/compress/pretest.dat b/testing/tests/ikev2/compress/pretest.dat
new file mode 100644
index 000000000..7d077c126
--- /dev/null
+++ b/testing/tests/ikev2/compress/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev2/nat-pf/test.conf b/testing/tests/ikev2/compress/test.conf
index 21bece8e6..fd33cfb57 100644
--- a/testing/tests/ikev2/nat-pf/test.conf
+++ b/testing/tests/ikev2/compress/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+UMLHOSTS="moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="m-c-w.png"
# UML instances on which tcpdump is to be started
#
@@ -18,4 +18,5 @@ TCPDUMPHOSTS="moon"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="alice carol"
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
index 8458724c6..222673704 100755
--- a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
keyexchange=ikev2
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
- rightsourceip=PH_IP_MOON1
rightcert=moonCert.pem
rightid=@moon.strongswan.org
rightfirewall=yes
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
index bafd1b155..bb558fe25 100755
--- a/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
keyexchange=ikev2
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
- leftsourceip=PH_IP_MOON1
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftfirewall=yes
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/crl-from-cache/evaltest.dat b/testing/tests/ikev2/crl-from-cache/evaltest.dat
index 9aa53fb64..f15196024 100644
--- a/testing/tests/ikev2/crl-from-cache/evaltest.dat
+++ b/testing/tests/ikev2/crl-from-cache/evaltest.dat
@@ -1,8 +1,10 @@
-moon::cat /var/log/daemon.log::loading crl file::YES
-carol::cat /var/log/daemon.log::loading crl file::YES
-moon::ipsec status::rw.*ESTABLISHED::YES
-carol::ipsec status::home.*ESTABLISHED::YES
-moon::cat /var/log/auth.log::written crl file::NO
-carol::cat /var/log/auth.log::written crl file::NO
+moon::cat /var/log/daemon.log::loaded crl file::YES
+moon::cat /var/log/daemon.log::crl is valid::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
moon::ipsec listcrls:: ok::YES
+carol::cat /var/log/daemon.log::loaded crl file::YES
+carol::cat /var/log/daemon.log::crl is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
carol::ipsec listcrls:: ok::YES
+moon::ipsec status::rw.*ESTABLISHED::YES
+carol::ipsec status::home.*ESTABLISHED::YES
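Review bot: The rewritten checks no longer contain a negative assertion, so the test does not prove the CRL came from the cache. The removed `written crl file::NO` lines were the only ones that would fail if a peer fetched a fresh CRL; `loaded crl file` and `crl is valid` are presumably also logged on a run that fetches afterwards. The crl-ldap hunk in this commit matches a `fetching crl from` log line, so an equivalent guard here would be `moon::cat /var/log/daemon.log::fetching crl from::NO`, with the same line for carol. This assumes the cached CRL is still valid when the test runs.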
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/crl-ldap/evaltest.dat b/testing/tests/ikev2/crl-ldap/evaltest.dat
index 05e818e21..d98df8c7c 100644
--- a/testing/tests/ikev2/crl-ldap/evaltest.dat
+++ b/testing/tests/ikev2/crl-ldap/evaltest.dat
@@ -1,12 +1,12 @@
-moon::cat /var/log/daemon.log::loading crl file::YES
-carol::cat /var/log/daemon.log::loading crl file::YES
+moon::cat /var/log/daemon.log::loaded crl file::YES
moon::cat /var/log/daemon.log::crl is stale::YES
+moon::cat /var/log/daemon.log::fetching crl from.*ldap::YES
+moon::cat /var/log/daemon.log::crl is valid::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::loaded crl file::YES
carol::cat /var/log/daemon.log::crl is stale::YES
-moon::cat /var/log/daemon.log::sending ldap request::YES
-carol::cat /var/log/daemon.log::sending ldap request::YES
+carol::cat /var/log/daemon.log::fetching crl from.*ldap::YES
+carol::cat /var/log/daemon.log::crl is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
moon::ipsec status::rw.*ESTABLISHED::YES
carol::ipsec status::home.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::written crl file::YES
-carol::cat /var/log/daemon.log::written crl file::YES
-moon::ipsec listcrls:: ok::YES
-carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..1949d3abc
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1949d3abc
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/crl-revoked/evaltest.dat b/testing/tests/ikev2/crl-revoked/evaltest.dat
index 3d6cf72bb..2242746db 100644
--- a/testing/tests/ikev2/crl-revoked/evaltest.dat
+++ b/testing/tests/ikev2/crl-revoked/evaltest.dat
@@ -1,6 +1,5 @@
moon::cat /var/log/daemon.log::certificate was revoked::YES
-moon::cat /var/log/daemon.log::end entity certificate is not trusted::YES
-carol::cat /var/log/daemon.log::AUTHENTICATION_FAILED::YES
-moon::ipsec listcrls:: ok::YES
+moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
moon::ipsec status::rw.*ESTABLISHED::NO
carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/crl-to-cache/evaltest.dat b/testing/tests/ikev2/crl-to-cache/evaltest.dat
index 14edd946f..00489436e 100644
--- a/testing/tests/ikev2/crl-to-cache/evaltest.dat
+++ b/testing/tests/ikev2/crl-to-cache/evaltest.dat
@@ -1,4 +1,4 @@
moon::ipsec status::rw.*ESTABLISHED::YES
carol::ipsec status::home.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
-carol::cat /var/log/daemon.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+moon::cat /var/log/daemon.log::written crl to.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+carol::cat /var/log/daemon.log::written crl to.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/default-keys/pretest.dat b/testing/tests/ikev2/default-keys/pretest.dat
index fe68be4b5..88f9a2ca9 100644
--- a/testing/tests/ikev2/default-keys/pretest.dat
+++ b/testing/tests/ikev2/default-keys/pretest.dat
@@ -10,7 +10,7 @@ moon::rm /etc/ipsec.d/private/*
moon::rm /etc/ipsec.d/certs/*
moon::rm /etc/ipsec.d/cacerts/*
moon::ipsec start
-moon::sleep 3
+moon::sleep 5
moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der
moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der
moon::ipsec reload
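Review bot: Raising `moon::sleep 3` to `moon::sleep 5` keeps the race between the `scp` of `selfCert.der` and the generation of that file after `ipsec start`, and only widens the margin. On a slower or loaded host the copy can still run before the certificate exists, and the failure would then show up later as an authentication error rather than at this step. If the harness passes the command to a shell, a bounded wait on the file is more robust, e.g. `moon::until [ -f /etc/ipsec.d/certs/selfCert.der ]; do sleep 1; done`. The rest of pretest.dat lies outside this hunk, so carol's side may need the same treatment.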
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/description.txt b/testing/tests/ikev2/esp-alg-aes-ccm/description.txt
new file mode 100644
index 000000000..cb08a9312
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CCM_12-128</b> by defining <b>esp=aes128gcm12-modp2048</b> or alternatively
+<b>esp=aes128gcm96-modp2048</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
index 19b0b4378..dc5032133 100644
--- a/testing/tests/ikev2/esp-alg-aesxcbc/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
@@ -1,5 +1,5 @@
moon::ipsec statusall::rw.*INSTALLED::YES
carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::AES_CBC-256/AES_XCBC_96::YES
-carol::ipsec statusall::AES_CBC-256/AES_XCBC_96::YES
+moon::ipsec statusall::AES_CCM_12-128::YES
+carol::ipsec statusall::AES_CCM_12-128::YES
carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..85c825002
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes128-aesxcbc-modp2048!
+ esp=aes128ccm96-modp2048!
+
+conn home
+ left=PH_IP_CAROL
+ leftfirewall=yes
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
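Review bot: The `esp=aes128ccm96-modp2048!` line here does not match the description.txt added for the same test, which documents the keywords as `esp=aes128gcm12-modp2048` and `esp=aes128gcm96-modp2048`. The suite under test is AES_CCM_12-128 and moon's ipsec.conf uses `esp=aes128ccm12-modp2048!`, so the description looks like a copy from the GCM test. It should read `esp=aes128ccm12-modp2048` or alternatively `esp=aes128ccm96-modp2048`. A one-line comment above the `esp=` line noting that `ccm96` and `ccm12` name the same 12-byte ICV variant would also explain why carol and moon are deliberately configured with different spellings.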
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..8f8404516
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes128-aesxcbc-modp2048!
+ esp=aes128ccm12-modp2048!
+
+conn rw
+ left=PH_IP_MOON
+ leftfirewall=yes
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat b/testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/test.conf b/testing/tests/ikev2/esp-alg-aes-ccm/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
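Review bot: `UMLHOSTS="moon carol winnetou"` leaves out alice, although the comment above it says the list holds all UML instances required for this test. The evaltest.dat for this test pings 10.1.0.10 and description.txt says that ping goes from carol to alice. If the harness uses this list to decide which instances must be up, the ping check depends on alice having been started by something else. I would use `UMLHOSTS="alice moon carol winnetou"` with the matching diagram, or add a comment saying why alice can be omitted. The esp-alg-aes-gcm/test.conf hunk adds an identical file and has the same gap.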
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/description.txt b/testing/tests/ikev2/esp-alg-aes-gcm/description.txt
new file mode 100644
index 000000000..721f3c64b
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_GCM_16-256</b> by defining <b>esp=aes256gcm16-modp2048</b> or alternatively
+<b>esp=aes256gcm128-modp2048</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
new file mode 100644
index 000000000..8f007b900
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::AES_GCM_16-256::YES
+carol::ipsec statusall::AES_GCM_16-256::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..df2b7437d
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes256-aesxcbc-modp2048!
+ esp=aes256gcm128-modp2048!
+
+conn home
+ left=PH_IP_CAROL
+ leftfirewall=yes
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..661681105
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes256-aesxcbc-modp2048!
+ esp=aes256gcm16-modp2048!
+
+conn rw
+ left=PH_IP_MOON
+ leftfirewall=yes
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat b/testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/test.conf b/testing/tests/ikev2/esp-alg-aes-gcm/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/description.txt b/testing/tests/ikev2/esp-alg-aesxcbc/description.txt
deleted file mode 100644
index 0ea28a716..000000000
--- a/testing/tests/ikev2/esp-alg-aesxcbc/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC-256/AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b>
-in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks
-the established tunnel.
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/host2host-transport/evaltest.dat b/testing/tests/ikev2/host2host-transport/evaltest.dat
index 2dd58c9d7..b3cade48c 100644
--- a/testing/tests/ikev2/host2host-transport/evaltest.dat
+++ b/testing/tests/ikev2/host2host-transport/evaltest.dat
@@ -1,4 +1,4 @@
-moon::cat /var/log/daemon.log::received USE_TRANSPORT_MODE notify::YES
+moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES
moon::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
sun::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
moon::ip xfrm state::mode transport::YES
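Review bot: The new pattern `parsed IKE_AUTH response.*N(USE_TRANSP)` contains unescaped parentheses, and the other patterns in this file use `.*`, so it is evaluated as a regular expression. Under basic regex syntax the parentheses are literal and the line matches. Under extended syntax they form a group, and the pattern would then look for `NUSE_TRANSP`, which never appears in the log. I cannot see from the hunk how the harness invokes grep. A form that is safe either way is `parsed IKE_AUTH response.*N.USE_TRANSP.`, or add a comment stating that evaltest patterns are basic regexes.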
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ip-pool-db/description.txt b/testing/tests/ikev2/ip-pool-db/description.txt
new file mode 100644
index 000000000..5cc500c98
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual IP
+addresses from a pool named <b>bigpool</b> that was created in an SQL database by the command
+<b>ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.255.254 --timeout 0</b>.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
+tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the client
+<b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two pings will be the
+virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev2/ip-pool-db/evaltest.dat b/testing/tests/ikev2/ip-pool-db/evaltest.dat
new file mode 100644
index 000000000..07d17b338
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/evaltest.dat
@@ -0,0 +1,26 @@
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status::home.*INSTALLED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave::ip addr list dev eth0::PH_IP_DAVE1::YES
+dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave::ipsec status::home.*INSTALLED::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon::cat /var/log/daemon.log::assigning lease with new address from pool.*bigpool::YES
+moon::cat /var/log/daemon.log::assigning virtual IP::YES
+moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.255.254.*static.*2::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org::online::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org::online::YES
+moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..a19f6cfae
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=%config
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..1a89f4e5d
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftsourceip=%config
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..b3413830f
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=%any
+ rightsourceip=%bigpool
+ auto=add
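Review bot: `conn rw` accepts `right=%any` with no `rightid` or `rightca` constraint while `strictcrlpolicy=no` is set, so any peer holding a certificate from a trusted CA is handed a pool address, and a revoked certificate is still accepted whenever no CRL can be fetched. That is reasonable for the test bed, but scenario files like this tend to be reused as configuration examples. A comment in `config setup` would make the intent explicit, for example `# test fixture: CRL fetch failures are tolerated; use strictcrlpolicy=yes on a real gateway`. The moon ipsec.conf files added for ip-pool-wish and ip-pool have the same settings.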
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5a35561ba
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/ikev2/ip-pool-db/posttest.dat b/testing/tests/ikev2/ip-pool-db/posttest.dat
new file mode 100644
index 000000000..5d26cbbbc
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::ipsec pool --del bigpool
+moon::rm /etc/ipsec.d/ipsec.*
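Review bot: The cleanup on the last line, `moon::rm /etc/ipsec.d/ipsec.*`, deletes by glob and would take any other file in that directory whose name starts with `ipsec.`. pretest.dat creates only two files, so naming them keeps the cleanup scoped: `moon::rm -f /etc/ipsec.d/ipsec.db /etc/ipsec.d/ipsec.sql`. The `-f` also keeps posttest from reporting an error when pretest aborted before the files existed.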
diff --git a/testing/tests/ikev2/ip-pool-db/pretest.dat b/testing/tests/ikev2/ip-pool-db/pretest.dat
new file mode 100644
index 000000000..78ba3f581
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/pretest.dat
@@ -0,0 +1,13 @@
+moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.255.254 --timeout 0
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
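Review bot: Nothing removes a leftover `/etc/ipsec.d/ipsec.db` before the schema is piped into `sqlite3` on the second line. After an aborted run the test could therefore start with old pool and lease rows, unless tables.sql drops its tables, which is not visible here. evaltest.dat expects exactly 10.3.0.1 for carol and 10.3.0.2 for dave, so that would make the result depend on earlier runs. Starting the file with `moon::rm -f /etc/ipsec.d/ipsec.db` makes the fixture deterministic. The database is also created under the default umask; a `moon::chmod 600 /etc/ipsec.d/ipsec.db` after the import is a sensible habit for anyone reusing the scenario, since the sql plugin can keep credentials in the same file.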
diff --git a/testing/tests/ikev2/ip-pool-db/test.conf b/testing/tests/ikev2/ip-pool-db/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ip-pool-wish/description.txt b/testing/tests/ikev2/ip-pool-wish/description.txt
new file mode 100644
index 000000000..a5487169a
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-wish/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request the same <b>virtual IP</b> via the IKEv2
+configuration payload by using the <b>leftsourceip=PH_IP_DAVE1</b> parameter. On a first-come,
+first-served basis, <b>dave</b> gets <b>PH_IP_DAVE1</b> from the simple address pool managed
+by gateway <b>moon</b> and <b>carol</b> gets the first free address <b>PH_IP_CAROL1</b>
+from the pool.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
+the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
+pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev2/ip-pool-wish/evaltest.dat b/testing/tests/ikev2/ip-pool-wish/evaltest.dat
new file mode 100644
index 000000000..19e6783af
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-wish/evaltest.dat
@@ -0,0 +1,23 @@
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status::home.*INSTALLED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave::ip addr list dev eth0::PH_IP_DAVE1::YES
+dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave::ipsec status::home.*INSTALLED::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::cat /var/log/daemon.log::adding virtual IP address pool::YES
+moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::YES
+moon::cat /var/log/daemon.log::assigning virtual IP::YES
+moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..5f93b3987
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=PH_IP_DAVE1
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..b58ba5460
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftsourceip=PH_IP_DAVE1
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..0b4cded6c
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=%any
+ rightsourceip=10.3.0.0/28
+ auto=add
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ip-pool-wish/posttest.dat b/testing/tests/ikev2/ip-pool-wish/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-wish/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool-wish/pretest.dat b/testing/tests/ikev2/ip-pool-wish/pretest.dat
new file mode 100644
index 000000000..519c81a31
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-wish/pretest.dat
@@ -0,0 +1,10 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+dave::ipsec start
+carol::ipsec start
+moon::ipsec start
+dave::sleep 2
+dave::ipsec up home
+carol::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/ip-pool-wish/test.conf b/testing/tests/ikev2/ip-pool-wish/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-wish/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ip-pool/description.txt b/testing/tests/ikev2/ip-pool/description.txt
new file mode 100644
index 000000000..fc3f8c63a
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
+IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
+increasing order.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
+the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
+pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev2/ip-pool/evaltest.dat b/testing/tests/ikev2/ip-pool/evaltest.dat
new file mode 100644
index 000000000..15ca7426f
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool/evaltest.dat
@@ -0,0 +1,23 @@
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status::home.*INSTALLED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave::ip addr list dev eth0::PH_IP_DAVE1::YES
+dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave::ipsec status::home.*INSTALLED::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::cat /var/log/daemon.log::adding virtual IP address pool::YES
+moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon::cat /var/log/daemon.log::assigning virtual IP::YES
+moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..a19f6cfae
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=%config
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..1a89f4e5d
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftsourceip=%config
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..0b4cded6c
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=%any
+ rightsourceip=10.3.0.0/28
+ auto=add
diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ip-pool/posttest.dat b/testing/tests/ikev2/ip-pool/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool/pretest.dat b/testing/tests/ikev2/ip-pool/pretest.dat
new file mode 100644
index 000000000..014e80517
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool/pretest.dat
@@ -0,0 +1,10 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/ip-pool/test.conf b/testing/tests/ikev2/ip-pool/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/mobike-nat/evaltest.dat b/testing/tests/ikev2/mobike-nat/evaltest.dat
index 541b218d0..f2758eb35 100644
--- a/testing/tests/ikev2/mobike-nat/evaltest.dat
+++ b/testing/tests/ikev2/mobike-nat/evaltest.dat
@@ -10,7 +10,9 @@ sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES
alice::ipsec statusall::10.3.0.3/32 === 10.2.0.0/16::YES
sun::ipsec statusall::10.2.0.0/16 === 10.3.0.3/32::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::moon.strongswan.org.*sun.strongswan.org.*: UDP-encap: ESP::YES
-moon::tcpdump::sun.strongswan.org.*moon.strongswan.org.*: UDP-encap: ESP::YES
+sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES
+sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES
+moon::tcpdump::moon.strongswan.org.*sun.strongswan.org.*: UDP-encap: ESP.*seq=0x2::YES
+moon::tcpdump::sun.strongswan.org.*moon.strongswan.org.*: UDP-encap: ESP.*seq=0x2::YES
bob::tcpdump::10.3.0.3.*bob.strongswan.org.*ICMP echo request::YES
bob::tcpdump::bob.strongswan.org.*10.3.0.3.*ICMP echo reply::YES
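Review bot: The new patterns end in an open `seq=0x1` or `seq=0x2`, which also matches 0x10–0x1f and 0x20–0x2f if the pattern is applied as an unanchored regular expression, as the `.*` elsewhere in the line suggests. The check is meant to show that the first ESP packet used the alice1–sun path and the second the path via moon. Any extra traffic on the SA (a retried ping, for instance) could let the wrong packet satisfy it. Closing the number pins the sequence, for example `ESP.*seq=0x1[^0-9a-f]` and `ESP.*seq=0x2[^0-9a-f]`. The same four lines are added to mobike-virtual-ip/evaltest.dat and mobike/evaltest.dat.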
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
index e9abfdac8..5c93d1462 100755
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
@@ -14,7 +14,7 @@ conn %default
conn mobike
left=PH_IP_ALICE1
- leftsourceip=10.3.0.3
+ leftsourceip=%config
leftcert=aliceCert.pem
leftid=alice@strongswan.org
leftfirewall=yes
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
index 6944749be..d6121511e 100755
--- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
@@ -19,6 +19,6 @@ conn mobike
leftfirewall=yes
leftsubnet=10.2.0.0/16
right=%any
- rightsourceip=%config
+ rightsourceip=10.3.0.3
rightid=alice@strongswan.org
auto=add
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/mobike-nat/test.conf b/testing/tests/ikev2/mobike-nat/test.conf
index 6467631e5..24a0cf3a4 100644
--- a/testing/tests/ikev2/mobike-nat/test.conf
+++ b/testing/tests/ikev2/mobike-nat/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="a-m-w-s-b.png"
# UML instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="bob moon"
+TCPDUMPHOSTS="bob moon sun"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
diff --git a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
index 5be507d2e..94dea0b14 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
+++ b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
@@ -10,7 +10,9 @@ sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES
alice::ipsec statusall::10.3.0.3/32 === 10.2.0.0/16::YES
sun::ipsec statusall::10.2.0.0/16 === 10.3.0.3/32::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::alice.strongswan.org.*sun.strongswan.org.*: ESP::YES
-moon::tcpdump::sun.strongswan.org.*alice.strongswan.org.*: ESP::YES
+sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES
+sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES
+moon::tcpdump::alice.strongswan.org.*sun.strongswan.org.*: ESP.*seq=0x2::YES
+moon::tcpdump::sun.strongswan.org.*alice.strongswan.org.*: ESP.*seq=0x2::YES
bob::tcpdump::10.3.0.3.*bob.strongswan.org.*ICMP echo request::YES
bob::tcpdump::bob.strongswan.org.*10.3.0.3.*ICMP echo reply::YES
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
index e9abfdac8..5c93d1462 100755
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
@@ -14,7 +14,7 @@ conn %default
conn mobike
left=PH_IP_ALICE1
- leftsourceip=10.3.0.3
+ leftsourceip=%config
leftcert=aliceCert.pem
leftid=alice@strongswan.org
leftfirewall=yes
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
index 64a659f4f..18a67cde0 100755
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
@@ -19,6 +19,6 @@ conn mobike
leftfirewall=yes
leftsubnet=10.2.0.0/16
right=PH_IP_ALICE1
- rightsourceip=%config
+ rightsourceip=10.3.0.3
rightid=alice@strongswan.org
auto=add
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/mobike-virtual-ip/test.conf b/testing/tests/ikev2/mobike-virtual-ip/test.conf
index 6467631e5..24a0cf3a4 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/test.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="a-m-w-s-b.png"
# UML instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="bob moon"
+TCPDUMPHOSTS="bob moon sun"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
diff --git a/testing/tests/ikev2/mobike/evaltest.dat b/testing/tests/ikev2/mobike/evaltest.dat
index 10bb37e42..6c49c0425 100644
--- a/testing/tests/ikev2/mobike/evaltest.dat
+++ b/testing/tests/ikev2/mobike/evaltest.dat
@@ -10,8 +10,10 @@ sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES
alice::ipsec statusall::PH_IP_ALICE/32 === 10.2.0.0/16::YES
sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE/32::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::alice.strongswan.org.*sun.strongswan.org.*: ESP::YES
-moon::tcpdump::sun.strongswan.org.*alice.strongswan.org.*: ESP::YES
+sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES
+sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES
+moon::tcpdump::alice.strongswan.org.*sun.strongswan.org: ESP.*seq=0x2::YES
+moon::tcpdump::sun.strongswan.org.*alice.strongswan.org: ESP.*seq=0x2::YES
bob::tcpdump::alice1.strongswan.org.*bob.strongswan.org.*ICMP echo request::YES
bob::tcpdump::bob.strongswan.org.*alice1.strongswan.org.*ICMP echo reply::YES
bob::tcpdump::alice.strongswan.org.*bob.strongswan.org.*ICMP echo request::YES
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/mobike/test.conf b/testing/tests/ikev2/mobike/test.conf
index 6467631e5..24a0cf3a4 100644
--- a/testing/tests/ikev2/mobike/test.conf
+++ b/testing/tests/ikev2/mobike/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="a-m-w-s-b.png"
# UML instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="bob moon"
+TCPDUMPHOSTS="bob moon sun"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
index 00cafc130..ca0bdba44 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
@@ -1,11 +1,20 @@
-moon::cat /var/log/daemon.log::sending ldap request to::YES
-moon::cat /var/log/daemon.log::received valid ldap response::YES
+moon::cat /var/log/daemon.log::fetching crl from.*ldap.*Research CA::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*ldap.*Sales CA::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*ldap.*strongSwan Root CA::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
carol::ipsec status::alice.*INSTALLED::YES
moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
+carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
carol::ipsec status::venus.*INSTALLED::NO
+moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES
+moon::cat /var/log/daemon.log::traffic selectors PH_IP_VENUS/32 === PH_IP_CAROL/32.*inacceptable::YES
moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
dave::ipsec status::venus.*INSTALLED::YES
moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
+dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
dave::ipsec status::alice.*INSTALLED::NO
+moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
+moon::cat /var/log/daemon.log::traffic selectors PH_IP_ALICE/32 === PH_IP_DAVE/32.*inacceptable::YES
moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
-
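Review bot: The added checks show that each CRL was fetched and that its signature verified, but nothing asserts the revocation result charon derived from it for the peer certificates. The ocsp-local-cert test in this commit adds `certificate status is good` for exactly that purpose. If charon logs the same line on the CRL path, adding `moon::cat /var/log/daemon.log::certificate status is good::YES` here would close the gap. The parallel hunk in multi-level-ca/evaltest.dat has the same omission, and there moon runs with `strictcrlpolicy=no`, so a CRL that could not be evaluated would not by itself fail the connection checks.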
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..1949d3abc
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..1949d3abc
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1949d3abc
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
index 1e52d2273..3ac0adbb5 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
@@ -1,6 +1,4 @@
-moon::ipsec listcacerts --utc::status revoked on::YES
moon::cat /var/log/daemon.log::certificate was revoked::YES
-moon::cat /var/log/daemon.log::received end entity certificate is not trusted::YES
moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES
carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
moon::ipsec status::alice.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
index 9b331f0a9..ef1beae7e 100755
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
@@ -5,6 +5,11 @@ config setup
strictcrlpolicy=yes
plutostart=no
+ca strongswan
+ cacert=strongswanCert.pem
+ crluri=http://crl.strongswan.org/strongswan.crl
+ auto=add
+
conn %default
ikelifetime=60m
keylife=20m
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/multi-level-ca/evaltest.dat b/testing/tests/ikev2/multi-level-ca/evaltest.dat
index 6cb0bd8ae..e4eafe966 100644
--- a/testing/tests/ikev2/multi-level-ca/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca/evaltest.dat
@@ -1,12 +1,20 @@
+moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
carol::ipsec status::alice.*INSTALLED::YES
moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
carol::ipsec status::venus.*INSTALLED::NO
+moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES
moon::cat /var/log/daemon.log::traffic selectors PH_IP_VENUS/32 === PH_IP_CAROL/32.*inacceptable::YES
moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
dave::ipsec status::venus.*INSTALLED::YES
moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
dave::ipsec status::alice.*INSTALLED::NO
+moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
moon::cat /var/log/daemon.log::traffic selectors PH_IP_ALICE/32 === PH_IP_DAVE/32.*inacceptable::YES
moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
index e1ee6e8d6..d0240a333 100755
--- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- charondebug="cfg 2"
crlcheckinterval=180
strictcrlpolicy=no
plutostart=no
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/nat-double-snat/description.txt b/testing/tests/ikev2/nat-double-snat/description.txt
deleted file mode 100644
index e0708898b..000000000
--- a/testing/tests/ikev2/nat-double-snat/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The roadwarrior <b>alice</b> sets up a connection to host <b>bob</b> using IKEv2. The hosts
-sit behind NAT router <b>moon</b> (SNAT) and <b>sun</b> (SNAT) respectively.
-UDP encapsulation is used to traverse the NAT router.
-The authentication is based on locally loaded <b>X.509 certificates</b>.
-In order to test the tunnel the NAT-ed host <b>alice</b> pings the host
-<b>bob</b>.
diff --git a/testing/tests/ikev2/nat-double-snat/evaltest.dat b/testing/tests/ikev2/nat-double-snat/evaltest.dat
deleted file mode 100644
index 7a3dede42..000000000
--- a/testing/tests/ikev2/nat-double-snat/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-bob::ipsec statusall::rw-alice.*ESTABLISHED::YES
-alice::ipsec statusall::home.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdumpcount::IP moon.strongswan.org.* > bob.strongswan.org.ipsec-nat-t: UDP::2
-moon::tcpdumpcount::IP bob.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::2
diff --git a/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index 30a067bc9..000000000
--- a/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-version 2.0 # conforms to second version of ipsec.conf specification
-
-config setup
- plutostart=no
-
-conn home
- left=PH_IP_ALICE
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- right=PH_IP_BOB
- rightcert=bobCert.pem
- rightid=bob@strongswan.org
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.d/certs/bobCert.pem b/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.d/certs/bobCert.pem
deleted file mode 100644
index 199d3eee2..000000000
--- a/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.d/certs/bobCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEHjCCAwagAwIBAgIBBjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMjUzNFoXDTA5MDkwOTExMjUzNFowWDELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMRswGQYDVQQDFBJib2JAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDAJaejS3/lJfQHgw0nzvotgSQS8ey/6tvbx7s5RsWY
-27x9K5xd44aPrvP2Qpyq34IXRY6uPlIqeUTQN7EKpLrWCxMOT36x5N0Co9J5UWRB
-fJC141D+8+1RwJ9/baEIecpCvb0GfDOX0GXN5ltcJk82hZjE4y1yHC1FN7V3zdRg
-xmloupPuon+X3bTmyMQ93NKkg48CQGtqtfwQ0MqPiOWu8MBhdztfOyu6aW3EgviF
-ithLc02SeNzlpqB3M8GDfX+mr3OVDhhhC2OI+VRlZzz7KxJ13DUR2KkvLZR8Ak4E
-5lRjkUnTYd/f3OQYxfjC8idUmj5ojR6Fb0x1tsV/glzXAgMBAAGjggEEMIIBADAJ
-BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUaLN5EPOkOkVU3J1Ud0sl
-+27OOHswbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
-BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
-dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHQYDVR0RBBYwFIESYm9iQHN0cm9uZ3N3YW4u
-b3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcv
-c3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIyQLLxdeO8clplzRW9z
-TRR3J0zSedvi2XlIZ/XCsv0ZVfoBLLWcDp3QrxNiVZXvXXtzjPsDs+DAveZF9LGq
-0tIw1uT3JorbgNNrmWvxBvJoQTtSw4LQBuV7vF27jrposx3Hi5qtUXUDS6wVnDUI
-5iORqsrddnoDuMN+Jt7oRcvKfYSNwTV+m0ZAHdB5a/ARWO5UILOrxEA/N72NcDYN
-NdAd+bLaB38SbkSbh1xj/AGnrHxdJBF4h4mx4btc9gtBSh+dwBHOsn4TheqJ6bbw
-7FlXBowQDCJIswKNhWfnIepQlM1KEzmq5YX43uZO2b7amRaIKqy2vNE7+UNFYBpE
-Mto=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.conf
deleted file mode 100644
index eaec3d642..000000000
--- a/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-version 2.0 # conforms to second version of ipsec.conf specification
-
-config setup
- plutostart=no
-
-conn %default
- left=PH_IP_BOB
- leftcert=bobCert.pem
- leftid=bob@strongswan.org
- leftsubnet=10.2.0.10/32
- keyexchange=ikev2
-
-conn rw-alice
- right=%any
- rightcert=aliceCert.pem
- rightid=alice@strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.d/certs/aliceCert.pem b/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.d/certs/aliceCert.pem
deleted file mode 100644
index e99ae8ec7..000000000
--- a/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.d/certs/aliceCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
-MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer
-GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4
-FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W
-6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH
-v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc
-KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG
-A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa
-60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG
-A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0
-cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu
-Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
-L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo
-2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ
-AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5
-D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S
-CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi
-6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re
-JGhV
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-double-snat/posttest.dat b/testing/tests/ikev2/nat-double-snat/posttest.dat
deleted file mode 100644
index 8ad7df96c..000000000
--- a/testing/tests/ikev2/nat-double-snat/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-alice::ipsec stop
-bob::ipsec stop
-alice::rm /etc/ipsec.d/certs/*
-bob::rm /etc/ipsec.d/certs/*
-moon::route del -net 10.2.0.0/16
-sun::route del -net 10.1.0.0/16
-moon::iptables -t nat -F
-sun::iptables -t nat -F
diff --git a/testing/tests/ikev2/nat-double-snat/pretest.dat b/testing/tests/ikev2/nat-double-snat/pretest.dat
deleted file mode 100644
index da1d43c4e..000000000
--- a/testing/tests/ikev2/nat-double-snat/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::route add -net 10.1.0.0/16 gw PH_IP_MOON
-sun::iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -p udp -j SNAT --to-source PH_IP_SUN1:4024-4100
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::route add -net 10.2.0.0/16 gw PH_IP_SUN
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
-bob::ipsec start
-alice::ipsec start
-alice::sleep 1
-alice::ipsec up home
-alice::sleep 1
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/nat-pf/description.txt b/testing/tests/ikev2/nat-pf/description.txt
deleted file mode 100644
index bb38af458..000000000
--- a/testing/tests/ikev2/nat-pf/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-The roadwarrior <b>carol</b> sets up a connection to host <b>alice</b> sitting behind the NAT router <b>moon</b>
-using IKEv2. Port Forwarding is used to publish host <b>alice</b>. UDP encapsulation is used to traverse the NAT router.
-The authentication is based on locally loaded <b>X.509 certificates</b>.
-In order to test the tunnel the roadwarrior <b>carol</b> pings the host <b>alice</b>.
diff --git a/testing/tests/ikev2/nat-pf/evaltest.dat b/testing/tests/ikev2/nat-pf/evaltest.dat
deleted file mode 100644
index 4d2950521..000000000
--- a/testing/tests/ikev2/nat-pf/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-alice::ipsec statusall::rw-carol.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdumpcount::IP carol.strongswan.org.* > moon.strongswan.org.ipsec-nat-t: UDP::2
-moon::tcpdumpcount::IP moon.strongswan.org.ipsec-nat-t > carol.strongswan.org.*: UDP::2
diff --git a/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index 836379494..000000000
--- a/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-version 2.0 # conforms to second version of ipsec.conf specification
-
-config setup
- plutostart=no
-
-conn %default
- left=PH_IP_ALICE
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftsubnet=10.1.0.10/32
- keyexchange=ikev2
-
-conn rw-carol
- right=%any
- rightcert=carolCert.pem
- rightid=carol@strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index 8492fbd45..000000000
--- a/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX
-T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl
-vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii
-S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW
-LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM
-YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD
-j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
-d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI
-U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM
-2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE
-HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd
-hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG
-C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK
-omBYfxqp
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.d/certs/aliceCert.pem b/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.d/certs/aliceCert.pem
deleted file mode 100644
index e99ae8ec7..000000000
--- a/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.d/certs/aliceCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
-MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer
-GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4
-FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W
-6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH
-v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc
-KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG
-A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa
-60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG
-A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0
-cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu
-Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
-L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo
-2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ
-AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5
-D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S
-CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi
-6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re
-JGhV
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-pf/posttest.dat b/testing/tests/ikev2/nat-pf/posttest.dat
deleted file mode 100644
index bed4ae1b7..000000000
--- a/testing/tests/ikev2/nat-pf/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec stop
-alice::ipsec stop
-carol::rm /etc/ipsec.d/certs/*
-alice::rm /etc/ipsec.d/certs/*
-moon::iptables -t nat -F
diff --git a/testing/tests/ikev2/nat-pf/pretest.dat b/testing/tests/ikev2/nat-pf/pretest.dat
deleted file mode 100644
index fdb3de711..000000000
--- a/testing/tests/ikev2/nat-pf/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -m multiport -t nat -A PREROUTING -i eth0 -p udp --dports 500,4500 -j DNAT --to 10.1.0.10
-alice::ipsec start
-carol::ipsec start
-carol::sleep 1
-carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
index 6b849b811..c08a17943 100644
--- a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
@@ -1,8 +1,12 @@
-moon::cat /var/log/daemon.log::received valid http response::YES
-carol::cat /var/log/daemon.log::received valid http response::YES
moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
+moon::cat /var/log/daemon.log::requesting ocsp status from::YES
+moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon::cat /var/log/daemon.log::ocsp response is valid::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
-moon::cat /var/log/daemon.log::certificate is good::YES
-carol::cat /var/log/daemon.log::certificate is good::YES
+carol::cat /var/log/daemon.log::requesting ocsp status from::YES
+carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+carol::cat /var/log/daemon.log::ocsp response is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
moon::ipsec status::rw.*ESTABLISHED::YES
carol::ipsec status::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
index 93d152f6b..768de938b 100644
--- a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
@@ -1,9 +1,9 @@
moon::ipsec listocspcerts::altNames.*ocsp.*strongswan.org::YES
carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
dave::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
-moon::cat /var/log/daemon.log::certificate is good::YES
-carol::cat /var/log/daemon.log::certificate is good::YES
-dave::cat /var/log/daemon.log::certificate is good::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
+dave::cat /var/log/daemon.log::certificate status is good::YES
moon::ipsec status::ESTABLISHED.*carol::YES
moon::ipsec status::ESTABLISHED.*dave::YES
carol::ipsec status::ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
index f185536a6..939817d58 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
@@ -1,5 +1,6 @@
-moon::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::received certificate is no ocsp signer - rejected::YES
-moon::cat /var/log/daemon.log::certificate status unknown::YES
+moon::cat /var/log/daemon.log::requesting ocsp status from::YES
+moon::cat /var/log/daemon.log::ocsp response verification failed::YES
+moon::cat /var/log/daemon.log::certificate status is not available::YES
+moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES
moon::ipsec status::rw.*ESTABLISHED::NO
carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat
index c6d6235f9..1af117cf0 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat
@@ -1,2 +1,3 @@
moon::ipsec stop
carol::ipsec stop
+moon::iptables -F
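Review bot: The cleanup `moon::iptables -F` flushes every chain of the filter table on moon, not only the one rule the pretest inserted. If moon carries any other rules when the test starts, they are lost for the tests that follow. Whether the framework resets the firewall between tests is not visible here. Deleting exactly what was added is narrower: `moon::iptables -D OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP`. The posttest.dat hunk of ocsp-untrusted-cert has the same line.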
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
index d92333d86..afb64c3ed 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
@@ -1,3 +1,4 @@
+moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP
moon::ipsec start
carol::ipsec start
carol::sleep 2
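Review bot: The new first line drops moon's outbound TCP port 80 traffic to winnetou, but nothing in this change says why. Presumably it keeps moon from obtaining revocation data over plain HTTP (a CRL, for example), so that the rejected OCSP response alone decides the outcome. That is an inference and should be confirmed. The test's description.txt should state it in one sentence, for example `moon blocks HTTP access to winnetou so that only the OCSP result determines the certificate status.` The pretest.dat hunk of ocsp-untrusted-cert adds the same rule and needs the same explanation.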
diff --git a/testing/tests/ikev2/ocsp-revoked/evaltest.dat b/testing/tests/ikev2/ocsp-revoked/evaltest.dat
index eacb70c40..2c3196103 100644
--- a/testing/tests/ikev2/ocsp-revoked/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-revoked/evaltest.dat
@@ -1,6 +1,7 @@
-moon::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES
-moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
+moon::cat /var/log/daemon.log::requesting ocsp status from::YES
+moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon::cat /var/log/daemon.log::certificate was revoked on::YES
+moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed
carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
moon::ipsec status::rw.*ESTABLISHED::NO
carol::ipsec status::home.*ESTABLISHED::NO
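Review bot: The added check `moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed` has no result field, while every other line in this file ends in `::YES` or `::NO`. How the test runner treats a missing field is not visible here, so the assertion that a revoked certificate makes authentication fail may be skipped or misread. Append the field: `moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed::YES`.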
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
index a3a1df194..5bb322acc 100644
--- a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
@@ -1,6 +1,10 @@
-moon::cat /var/log/daemon.log::received valid http response::YES
-carol::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::certificate is good::YES
-carol::cat /var/log/daemon.log::certificate is good::YES
+moon::cat /var/log/daemon.log::requesting ocsp status::YES
+moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon::cat /var/log/daemon.log::ocsp response is valid::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::requesting ocsp status::YES
+carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+carol::cat /var/log/daemon.log::ocsp response is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
moon::ipsec status::rw.*ESTABLISHED::YES
carol::ipsec status::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-signer-cert/description.txt b/testing/tests/ikev2/ocsp-signer-cert/description.txt
index 492a9882b..7c7efb68e 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/description.txt
+++ b/testing/tests/ikev2/ocsp-signer-cert/description.txt
@@ -4,7 +4,7 @@ is checked via the OCSP server <b>winnetou</b> which possesses an OCSP signer ce
issued by the strongSwan CA. This certificate contains an <b>OCSPSigning</b>
extended key usage flag. <b>carol</b>'s certificate includes an <b>OCSP URI</b>
in an authority information access extension pointing to <b>winnetou</b>.
-Therefore no special ca section information is needed in ipsec.conf.
+Therefore no special ca section information is needed in moon's ipsec.conf.
<p>
<b>carol</b> can successfully initiate an IPsec connection to <b>moon</b> since
the status of both certificates is <b>good</b>.
diff --git a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
index 4a8ffd412..f8bf0326a 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
@@ -1,13 +1,12 @@
-moon::ipsec listcainfos::ocspuris.*http://ocsp.strongswan.org::YES
carol::ipsec listcainfos::ocspuris.*http://ocsp.strongswan.org::YES
-moon::cat /var/log/daemon.log::received valid http response::YES
-carol::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES
-carol::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES
-moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
-carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
-moon::cat /var/log/daemon.log::certificate is good::YES
-carol::cat /var/log/daemon.log::certificate is good::YES
+moon::cat /var/log/daemon.log::requesting ocsp status::YES
+moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon::cat /var/log/daemon.log::ocsp response is valid::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::requesting ocsp status::YES
+carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+carol::cat /var/log/daemon.log::ocsp response is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
moon::ipsec status::rw.*ESTABLISHED::YES
carol::ipsec status::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
index f8abd6b59..4011a6c17 100755
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
@@ -5,6 +5,11 @@ config setup
strictcrlpolicy=yes
plutostart=no
+ca strongswan
+ cacert=strongswanCert.pem
+ ocspuri=http://ocsp.strongswan.org:8880
+ auto=add
+
conn %default
keyexchange=ikev2
ikelifetime=60m
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
index 48f24aa8f..9f20ee81c 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
@@ -1,6 +1,7 @@
moon::cat /var/log/daemon.log::authentication of.*carol.*successful::YES
-moon::cat /var/log/daemon.log::http post request using libcurl failed::YES
-moon::cat /var/log/daemon.log::authentication of.*dave.*failed::YES
+moon::cat /var/log/daemon.log::libcurl http request failed::YES
+moon::cat /var/log/daemon.log::certificate status is not available::YES
+moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_SKIPPED::YES
moon::ipsec status::ESTABLISHED.*carol::YES
moon::ipsec status::ESTABLISHED.*dave::NO
carol::ipsec status::ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
index 4c4059810..777c32699 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
@@ -1,9 +1,13 @@
-moon::cat /var/log/daemon.log::http post request using libcurl failed::YES
-carol::cat /var/log/daemon.log::http post request using libcurl failed::YES
-moon::cat /var/log/daemon.log::received valid http response::YES
-carol::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::certificate is good::YES
-carol::cat /var/log/daemon.log::certificate is good::YES
+moon::cat /var/log/daemon.log::libcurl http request failed::YES
+moon::cat /var/log/daemon.log::ocsp request to.*ocsp2.strongswan.org:8880.*failed::YES
+moon::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES
+moon::cat /var/log/daemon.log::ocsp response is valid::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::libcurl http request failed::YES
+carol::cat /var/log/daemon.log::ocsp request to.*bob.strongswan.org:8800.*failed::YES
+carol::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES
+carol::cat /var/log/daemon.log::ocsp response is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
moon::ipsec status::rw.*ESTABLISHED::YES
carol::ipsec status::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
index d95a322bd..ff312cc6b 100755
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
@@ -7,7 +7,8 @@ config setup
ca strongswan-ca
cacert=strongswanCert.pem
- ocspuri2=http://bob.strongswan.org:8800
+ ocspuri1=http://bob.strongswan.org:8800
+ ocspuri2=http://ocsp.strongswan.org:8880
auto=add
conn %default
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
index c9c09a72f..1b281507b 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
@@ -1,5 +1,6 @@
-moon::cat /var/log/daemon.log::http post request using libcurl failed::YES
-moon::cat /var/log/daemon.log::certificate status unknown::YES
+moon::cat /var/log/daemon.log::libcurl http request failed::YES
+moon::cat /var/log/daemon.log::certificate status is not available::YES
+moon::cat /var/log/daemon.log::constraint check failed::YES
carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED::YES
moon::ipsec status::rw.*ESTABLISHED::NO
carol::ipsec status::home.*ESTABLISHED::NO
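Review bot: The new check `constraint check failed::YES` is looser than the same check in ocsp-strict-ifuri and ocsp-no-signer-cert, where the pattern continues with `.*VALIDATION_FAILED.*VALIDATION_…` and so pins the reason for the rejection. Here any constraint failure satisfies the test, including one unrelated to the OCSP timeout. If the daemon logs the states in the same form for this scenario, extend the pattern accordingly, e.g. `constraint check failed.*VALIDATION_FAILED`. The exact second state has to be taken from the log, as it is not visible in this change.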
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
index a0b6d681f..b47403756 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
@@ -1,5 +1,7 @@
-moon::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::received ocsp signer certificate is not trusted - rejected::YES
-moon::cat /var/log/daemon.log::certificate status unknown::YES
+moon::cat /var/log/daemon.log::requesting ocsp status from::YES
+moon::cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES
+moon::cat /var/log/daemon.log::ocsp response verification failed::YES
+moon::cat /var/log/daemon.log::certificate status is not available::YES
+moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES
moon::ipsec status::rw.*ESTABLISHED::NO
carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
index c6d6235f9..1af117cf0 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
@@ -1,2 +1,3 @@
moon::ipsec stop
carol::ipsec stop
+moon::iptables -F
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
index d92333d86..afb64c3ed 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
@@ -1,3 +1,4 @@
+moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP
moon::ipsec start
carol::ipsec start
carol::sleep 2
diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
index c2fe02639..2af93a313 100755
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
@@ -19,5 +19,4 @@ conn home
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
- rightsendcert=never
auto=add
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f699d5e27
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapaka
+}
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
index dbf38160f..140e88912 100755
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
@@ -20,5 +20,6 @@ conn rw-eapaka
leftcert=moonCert.pem
leftfirewall=yes
rightid=*@strongswan.org
+ rightsendcert=never
right=%any
auto=add
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f699d5e27
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapaka
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/description.txt b/testing/tests/ikev2/rw-eap-md5-rsa/description.txt
new file mode 100644
index 000000000..a2ac00d80
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
+in association with an <i>MD5</i> challenge and response protocol
+(<b>EAP-MD5</b>) to authenticate against the gateway. The user password
+is kept in <b>ipsec.secrets</b> on both gateway and client
+Gateway <b>moon</b> additionaly uses an <b>RSA signature</b> to authenticate itself
+against <b>carol</b>.
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
new file mode 100644
index 000000000..5de841c03
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eapaka.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
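Review bot: The status check `moon::ipsec statusall::rw-eapaka.*ESTABLISHED::YES` uses the connection name from the EAP-AKA scenario this test was copied from. It does match `conn rw-eapaka` in this test's moon ipsec.conf, so the test works, but the name is misleading in an EAP-MD5 test. Renaming both to `rw-eapmd5` (`moon::ipsec statusall::rw-eapmd5.*ESTABLISHED::YES` and `conn rw-eapmd5`) would fix that. The two `with EAP successful` patterns also do not name the method, so they would pass with any EAP method; here only the `eapmd5` plugin in the load list pins it.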
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..2af93a313
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=eap
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..e03e89a0f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp01qlpOgb"
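Review bot: The EAP password is committed in clear text here and again in moon's ipsec.secrets, with nothing marking it as a fixture. A comment above the entry such as `# test-only credential for the UML testbed, never reuse on a real gateway` would tell readers and secret scanners that this is intentional. It would also discourage copying the file into a deployment as it stands.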
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..3a359eff2
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapmd5
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..78bc23b4c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-eapaka
+ authby=rsasig
+ eap=md5
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftid=@moon.strongswan.org
+ leftcert=moonCert.pem
+ leftfirewall=yes
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
+ auto=add
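Review bot: `eap=md5` is set without any comment on why a weak EAP method is acceptable in this scenario. EAP-MD5 provides neither mutual authentication nor keying material, so the client's protection rests entirely on moon being authenticated first through `authby=rsasig` and `leftcert=moonCert.pem`. A comment above `eap=md5` like `# EAP-MD5 is acceptable only because the gateway authenticates with its certificate first` would record that dependency for anyone reusing this config as a template.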
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..aa3838385
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp01qlpOgb"
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..3a359eff2
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapmd5
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
new file mode 100644
index 000000000..ed5498bfe
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/nat-double-snat/test.conf b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
index 1ca2ffe5a..2bd21499b 100644
--- a/testing/tests/ikev2/nat-double-snat/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+UMLHOSTS="alice carol moon"
# Corresponding block diagram
#
-DIAGRAM="a-m-w-s-b.png"
+DIAGRAM="a-m-c.png"
# UML instances on which tcpdump is to be started
#
@@ -18,4 +18,4 @@ TCPDUMPHOSTS="moon"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="alice bob"
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
index c2fe02639..2af93a313 100755
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
@@ -19,5 +19,4 @@ conn home
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
- rightsendcert=never
auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..8812814d6
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapsim
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
index 3f88b2ade..509deb945 100755
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
@@ -21,4 +21,5 @@ conn rw-eapsim
leftfirewall=yes
rightid=*@strongswan.org
right=%any
+ rightsendcert=never
auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8812814d6
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapsim
+}
diff --git a/testing/tests/ikev2/rw-hash-and-url/description.txt b/testing/tests/ikev2/rw-hash-and-url/description.txt
new file mode 100644
index 000000000..5e748d75e
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Instead of the certificates themselves, "Hash and URL" certificate payloads
+are transferred and the certificates are fetched via http from web server <b>winnetou</b>.
+<p>
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+</p>
diff --git a/testing/tests/ikev2/rw-hash-and-url/evaltest.dat b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat
new file mode 100644
index 000000000..fe2a8d063
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat
@@ -0,0 +1,14 @@
+moon::cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES
+moon::cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES
+carol::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
+dave::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
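Review bot: These checks cover only the success path: the four `fetched certificate.*` patterns and the `ESTABLISHED` lines show that a certificate was downloaded and a tunnel came up. Nothing asserts that a fetched certificate whose content does not match the transmitted hash is rejected, which is the property that makes fetching over plain http from winnetou safe. A companion scenario, or an extra entry here that serves a mismatching certificate and expects the connection to fail, would cover the security-relevant half of the feature.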
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..77046eb7d
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ certuribase=http://winnetou.strongswan.org/certs/
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
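Review bot: `certuribase=http://winnetou.strongswan.org/certs/` points at an unauthenticated transport and the `ca strongswan` section does not say why that is tolerable. The same line is in dave's and moon's ipsec.conf. With hash-and-URL the integrity of the fetched certificate should come from the hash in the payload and the CA signature, not from the channel. A comment such as `# plain http is fine: fetched certs are checked against the transmitted hash and the CA` would state the assumption the config depends on.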
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..af0f9953b
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ hash_and_url = yes
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
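Review bot: `hash_and_url = yes` is enabled without a comment on what it makes the daemon do, and the identical file is added for dave and moon. With this option the daemon fetches certificates from a URL named in the peer's certificate payload, presumably before that peer is authenticated. That makes outbound http from the IKE daemon part of the attack surface. A short comment such as `# enables fetching peer certificates from URLs sent in CERT payloads (needs the curl plugin)` would make this explicit.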
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..febaf9be2
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ certuribase=http://winnetou.strongswan.org/certs/
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..af0f9953b
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ hash_and_url = yes
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..cbc60000a
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ certuribase=http://winnetou.strongswan.org/certs/
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..af0f9953b
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ hash_and_url = yes
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-hash-and-url/posttest.dat b/testing/tests/ikev2/rw-hash-and-url/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-hash-and-url/pretest.dat b/testing/tests/ikev2/rw-hash-and-url/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-hash-and-url/test.conf b/testing/tests/ikev2/rw-hash-and-url/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
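Review bot: The PSK plugin list drops `curl x509 pubkey` but keeps `des` and `md5`, and the same line is repeated in every rw-psk-fqdn, rw-psk-ipv4 and rw-psk-no-idr strongswan.conf in this commit. An explicit `load` line exists to load only what a scenario needs, and loading the legacy algorithms may also keep them available for negotiation. Unless the ipsec.conf files of these scenarios (not in this hunk) select 3DES or MD5, consider `load = aes sha1 sha2 gmp random hmac xcbc stroke`.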
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
index 1ce38fc6a..236684c57 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
@@ -3,7 +3,7 @@ moon::cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre-
moon::ipsec statusall::rw-psk.*INSTALLED::YES
carol::ipsec statusall::home.*ESTABLISHED::YES
moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
-moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature::YES
+moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
moon::ipsec statusall::rw-rsasig.*INSTALLED::YES
dave::ipsec statusall::home.*ESTABLISHED::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
index 8c7d2e9ea..0e5bd03db 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
@@ -1,6 +1,6 @@
moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
-moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature::YES
+moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
moon::ipsec statusall::rw.*INSTALLED::YES
carol::ipsec statusall::home.*ESTABLISHED::YES
dave::ipsec statusall::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
index dc6f82923..da59dfdae 100755
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
@@ -15,6 +15,7 @@ conn %default
conn home
left=PH_IP_CAROL
+ leftsourceip=%config
leftid=carol@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
index b09427d4c..f09d46c5b 100755
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
@@ -15,6 +15,7 @@ conn %default
conn home
left=PH_IP_DAVE
+ leftsourceip=%config
leftid=dave@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
index a3bf042d4..fb4b9ed3a 100755
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
@@ -17,5 +17,6 @@ conn rw
leftsubnet=10.1.0.0/16
leftfirewall=yes
right=%any
+ rightsourceip=10.3.0.0/28
rightsendcert=never
auto=add
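Review bot: `rightsourceip=10.3.0.0/28` adds a virtual-IP pool on moon, and carol and dave gain `leftsourceip=%config`, but the rw-psk-rsa-split evaltest.dat hunk in this commit only changes the RSA log pattern. As far as the visible part of evaltest.dat shows, nothing checks that an address from the pool was assigned and installed on the clients. An entry per client matching the address-assignment line in daemon.log would turn the new option into something the test verifies. The conn section starts outside this hunk.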
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat
index 3421c6e0f..0598e1fb2 100644
--- a/testing/tests/ikev2/two-certs/evaltest.dat
+++ b/testing/tests/ikev2/two-certs/evaltest.dat
@@ -1,6 +1,7 @@
-moon::cat /var/log/daemon.log::candidate peer certificate was not successfully verified::YES
-moon::cat /var/log/daemon.log::candidate peer certificate has a non-matching RSA public key::YES
-moon::cat /var/log/daemon.log::candidate peer certificate has a matching RSA public key::YES
+moon::cat /var/log/daemon.log::certificate was revoked::YES
+moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature successful::YES
+moon::cat /var/log/daemon.log::signature validation failed, looking for another key::YES
+moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA signature successful::YES
moon::ipsec statusall::carol.*ESTABLISHED::YES
moon::ipsec statusall::dave.*ESTABLISHED::YES
carol::ipsec statusall::home.*ESTABLISHED::YES
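Review bot: The new pattern `certificate was revoked` is not tied to any subject or serial, so it is satisfied by any revoked certificate reported in moon's daemon.log. Likewise `signature validation failed, looking for another key` is not bound to dave's exchange. Since the four patterns are matched independently, the test does not show that the revoked certificate was the one skipped before the successful authentication. If the log line carries an identifier, extending the pattern to include it (as the `authentication of.*carol@strongswan.org.*` lines do) would tighten the check.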
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
index eb6feb6e2..8800c7ad5 100755
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- charondebug="cfg 2"
crlcheckinterval=180
strictcrlpolicy=yes
plutostart=no
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}