Diffstat (limited to 'testing/tests/ikev2')
-rw-r--r-- | testing/tests/ikev2/critical-extension/description.txt | 5 | ||||
-rw-r--r-- | testing/tests/ikev2/critical-extension/evaltest.dat | 6 | ||||
-rwxr-xr-x | testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf | 25 | ||||
-rw-r--r-- | testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der | bin | 0 -> 952 bytes | |||
-rw-r--r-- | testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf | 12 | ||||
-rwxr-xr-x | testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf | 25 | ||||
-rw-r--r-- | testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der | bin | 0 -> 951 bytes | |||
-rw-r--r-- | testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf | 6 | ||||
-rw-r--r-- | testing/tests/ikev2/critical-extension/posttest.dat | 5 | ||||
-rw-r--r-- | testing/tests/ikev2/critical-extension/pretest.dat | 6 | ||||
-rw-r--r-- | testing/tests/ikev2/critical-extension/test.conf | 21 | ||||
-rw-r--r-- | testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf | 2 | ||||
-rw-r--r-- | testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf | 2 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config) | 0 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf (renamed from testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file (renamed from testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config (renamed from testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config) | 0 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets (renamed from testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf (renamed from testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file (renamed from testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config (renamed from testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config) | 0 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables) | 0 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt (renamed from testing/tests/ikev2/rw-eap-tnc-radius/description.txt) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat (renamed from testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config) | 0 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config) | 0 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config) | 0 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables) | 0 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat (renamed from testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat (renamed from testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius/test.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11/description.txt (renamed from testing/tests/ikev2/rw-eap-tnc/description.txt) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat (renamed from testing/tests/ikev2/rw-eap-tnc/evaltest.dat) | 0 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf (renamed from testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config) | 0 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf (renamed from testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file (renamed from testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config (renamed from testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config) | 0 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf (renamed from testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf (renamed from testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config (renamed from testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11/posttest.dat (renamed from testing/tests/ikev2/rw-eap-tnc-block/posttest.dat) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11/pretest.dat (renamed from testing/tests/ikev2/rw-eap-tnc-block/pretest.dat) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-11/test.conf (renamed from testing/tests/ikev2/rw-eap-tnc-block/test.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-block/description.txt (renamed from testing/tests/ikev2/rw-eap-tnc-block/description.txt) | 7 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat (renamed from testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat) | 4 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf (renamed from testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf | 14 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file (renamed from testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config (renamed from testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config) | 0 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf (renamed from testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets (renamed from testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf | 14 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file (renamed from testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config (renamed from testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config) | 0 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf (renamed from testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf | 19 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config (renamed from testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat (renamed from testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat (renamed from testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-block/test.conf (renamed from testing/tests/ikev2/rw-eap-tnc-tls/test.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt (renamed from testing/tests/ikev2/rw-eap-tnc-tls/description.txt) | 7 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat (renamed from testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat) | 4 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf (renamed from testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf (renamed from testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf) | 7 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file (renamed from testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config (renamed from testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config) | 0 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf (renamed from testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf (renamed from testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf) | 7 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file (renamed from testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config (renamed from testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config) | 0 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf (renamed from testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf (renamed from testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf) | 5 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config (renamed from testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat (renamed from testing/tests/ikev2/rw-eap-tnc/posttest.dat) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat (renamed from testing/tests/ikev2/rw-eap-tnc/pretest.dat) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf (renamed from testing/tests/ikev2/rw-eap-tnc/test.conf) | 0 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20/description.txt | 11 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat | 19 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf | 23 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets | 3 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf (renamed from testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf) | 7 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file | 1 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config | 4 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf | 23 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets | 3 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf | 11 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file | 1 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config | 4 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf | 36 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets | 6 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf (renamed from testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf) | 5 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config | 4 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20/posttest.dat | 6 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20/pretest.dat | 15 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-20/test.conf | 26 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt | 12 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat | 27 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf | 23 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets | 3 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf (renamed from testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf) | 5 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file | 1 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config | 4 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf | 23 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets | 3 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf | 11 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file | 1 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config | 4 | ||||
-rwxr-xr-x | testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf | 36 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets | 6 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf | 16 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config | 4 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat | 6 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat | 15 | ||||
-rw-r--r-- | testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf | 26 | ||||
-rwxr-xr-x | testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf | 1 |
167 files changed, 623 insertions, 15 deletions
diff --git a/testing/tests/ikev2/critical-extension/description.txt b/testing/tests/ikev2/critical-extension/description.txt
new file mode 100644
index 000000000..8c0d37c88
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/description.txt
@@ -0,0 +1,5 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> which contain a <b>critical</b> but
+unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical
+extensions by setting <b>libstrongswan.x509.enforce_critical = no</b> in strongswan.conf,
+<b>sun</b> discards such certificates and aborts the connection setup.
diff --git a/testing/tests/ikev2/critical-extension/evaltest.dat b/testing/tests/ikev2/critical-extension/evaltest.dat
new file mode 100644
index 000000000..8c2f8ec9d
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/evaltest.dat
@@ -0,0 +1,6 @@
+moon::cat /var/log/daemon.log::sending end entity cert::YES
+moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+sun::cat /var/log/daemon.log::critical 'strongSwan' extension not supported::YES
+sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
+sun::cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
+sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2e3c9dde4
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf
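Review bot: None of the six checks in evaltest.dat asserts that the tunnel stays down, so the test would still pass if an SA were established after the logged errors. The sun-side lines also show sun failing to load its own `sunCert.der`, so the `AUTHENTICATION_FAILED` seen on moon may (inferred, not visible here) come from sun having no usable credential rather than from sun rejecting moon's certificate. I would add explicit negative checks such as `moon::ipsec status::net-net.*ESTABLISHED::NO` and `sun::ipsec status::net-net.*ESTABLISHED::NO`.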
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_MOON
+ leftcert=moonCert.der
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der
Binary files differnew file mode 100644
index 000000000..7f78d5820
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bfc83ab4d
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
+
+libstrongswan {
+ x509 {
+ enforce_critical = no
+ }
+}
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..19e197131
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf
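Review bot: `enforce_critical = no` in moon's strongswan.conf is added without a comment, although it switches off the rejection of certificates that carry an unrecognized critical extension, which RFC 5280 requires of a relying party. Test configurations tend to be copied into real deployments, so the file itself should mark this as a deliberate test-only relaxation, for example `# test only: accept certs with unsupported critical extensions (RFC 5280 says reject)` directly above `enforce_critical = no`. The scenario's description.txt explains the intent, but a reader of the config file alone would not see it.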
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.der
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der
Binary files differnew file mode 100644
index 000000000..c1efb6719
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..cb17a9e07
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/critical-extension/posttest.dat b/testing/tests/ikev2/critical-extension/posttest.dat
new file mode 100644
index 000000000..a4c96e10f
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+
diff --git a/testing/tests/ikev2/critical-extension/pretest.dat b/testing/tests/ikev2/critical-extension/pretest.dat
new file mode 100644
index 000000000..2d7a78acb
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/critical-extension/test.conf b/testing/tests/ikev2/critical-extension/test.conf
new file mode 100644
index 000000000..41ee3037e
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
index 88f162098..47dab951f 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random constraints x509 revocation hmac xcbc stroke kernel-netlink socket-default }
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
index 88f162098..8335e51f6 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
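Review bot: The `constraints` plugin lands at a different position in the two `load` lists of the multi-level-ca-pathlen test: carol's strongswan.conf puts it before `x509` (`random constraints x509 revocation`), while the moon hunk that follows puts it after `revocation` (`x509 revocation constraints`). If the position is not significant for this scenario, use one ordering on both hosts so the lists stay directly comparable; if it is significant, a comment on the `load` line should say why. Since the test presumably depends on this plugin to enforce the path-length constraint, a one-line comment saying so would also keep it from being dropped in a later cleanup.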
@@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation constraints hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt index 350aefc60..350aefc60 100644 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat index 517ea9ab2..517ea9ab2 100644 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf index f4e179aa4..f4e179aa4 100644 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary index 1a27a02fc..1a27a02fc 100644 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc index f295467a9..f295467a9 100644 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc 
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf
index 31556361e..31556361e 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf
index 1143a0473..1143a0473 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default
index 802fcfd8d..802fcfd8d 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
index 2d4961288..2d4961288 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config
index a9509a716..a9509a716 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf
index 9cf2b43c4..9cf2b43c4 100755
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets
index 74942afda..74942afda 100644
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf
index c12143cb1..c12143cb1 100644
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file
index f5da834c0..f5da834c0 100644
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config
index a5a9a68f3..a5a9a68f3 100644
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf
index 998e6c2e5..998e6c2e5 100755
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets
index 5496df7ad..5496df7ad 100644
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf
index c12143cb1..c12143cb1 100644
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file
index 621e94f0e..621e94f0e 100644
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config
index a5a9a68f3..a5a9a68f3 100644
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables
index 56587b2e8..56587b2e8 100755
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf
index fc8f84638..fc8f84638 100755
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets
index e86d6aa5c..e86d6aa5c 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf
index 4d2d3058d..4d2d3058d 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat
index 132752119..132752119 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat
index dc7d5934e..dc7d5934e 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf
index bb6b68687..bb6b68687 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/description.txt b/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt
index 7eebd3d4d..7eebd3d4d 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat
index d0ea22ba9..d0ea22ba9 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf
index f4e179aa4..f4e179aa4 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary
index 1a27a02fc..1a27a02fc 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc
index f295467a9..f295467a9 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf
index 31556361e..31556361e 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf
index 1143a0473..1143a0473 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default
index 802fcfd8d..802fcfd8d 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
index f91bccc72..f91bccc72 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config
index a9509a716..a9509a716 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf
index 9cf2b43c4..9cf2b43c4 100755
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets
index 74942afda..74942afda 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf
index c12143cb1..c12143cb1 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file
index f5da834c0..f5da834c0 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config
index a5a9a68f3..a5a9a68f3 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf
index 998e6c2e5..998e6c2e5 100755
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets
index 5496df7ad..5496df7ad 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf
index c12143cb1..c12143cb1 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file
index c20b5e57f..c20b5e57f 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config
index a5a9a68f3..a5a9a68f3 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables
index 56587b2e8..56587b2e8 100755
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf
index 33dcdcfb0..33dcdcfb0 100755
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets
index e86d6aa5c..e86d6aa5c 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf
index f4e456bbe..f4e456bbe 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat
index 132752119..132752119 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat
index 8dd865819..8dd865819 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/test.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf
index 2a52df203..2a52df203 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc/description.txt b/testing/tests/ikev2/rw-eap-tnc-11/description.txt
index 4b4808c94..4b4808c94 100644
--- a/testing/tests/ikev2/rw-eap-tnc/description.txt
+++ b/testing/tests/ikev2/rw-eap-tnc-11/description.txt
diff --git a/testing/tests/ikev2/rw-eap-tnc/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat
index a02755148..a02755148 100644
--- a/testing/tests/ikev2/rw-eap-tnc/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf
index c19192dae..c19192dae 100755
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets
index 74942afda..74942afda 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf
index c12143cb1..c12143cb1 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file
index f5da834c0..f5da834c0 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config
index a5a9a68f3..a5a9a68f3 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf
index 7d5ea8b83..7d5ea8b83 100755
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets
index 5496df7ad..5496df7ad 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf
index c12143cb1..c12143cb1 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file
index c20b5e57f..c20b5e57f 100644
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config
index a5a9a68f3..a5a9a68f3 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf
index 50514c99f..50514c99f 100755
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets
index 2e277ccb0..2e277ccb0 100644
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf
index f8700d3c5..f8700d3c5 100644
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config
index ac436a344..ac436a344 100644
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-11/posttest.dat
index 7cebd7f25..7cebd7f25 100644
--- a/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tnc-11/posttest.dat
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat
index ce897d181..ce897d181 100644
--- a/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-11/test.conf
index e28b8259b..e28b8259b 100644
--- a/testing/tests/ikev2/rw-eap-tnc-block/test.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-11/test.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-20-block/description.txt
index 51423177a..c7422aa46 100644
--- a/testing/tests/ikev2/rw-eap-tnc-block/description.txt
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/description.txt
@@ -2,7 +2,10 @@ The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gatewa using EAP-TTLS authentication only with the gateway presenting a server certificate and the clients doing EAP-MD5 password-based authentication. In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface. +health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0</b> client-server interface +compliant with <b>RFC 5793 PB-TNC</b>. +<p> <b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements <b>carol</b> is authenticated successfully and is granted access to the subnet behind -<b>moon</b> whereas <b>dave</b> fails the layered EAP authentication and is rejected. +<b>moon</b> whereas <b>dave</b> fails the layered EAP authentication and is rejected. +</p> diff --git a/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat index 2304df23e..f1753c208 100644 --- a/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat 
@@ -1,8 +1,8 @@ -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES +carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES -dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES +dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO moon::cat /var/log/daemon.log::added group membership 'allow'::YES diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf index c19192dae..c19192dae 100755 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets index 74942afda..74942afda 100644 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..1a39b8c57 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf 
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+ multiple_authentication=no
+ plugins {
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ tnc-imc {
+ preferred_language = de, en
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file
index f5da834c0..f5da834c0 100644
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config
index a5a9a68f3..a5a9a68f3 100644
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf
index 7d5ea8b83..7d5ea8b83 100755
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets
index 5496df7ad..5496df7ad 100644
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..eb7007726
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf
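Review bot: `protocol = tnccs-2.0` under `eap-tnc` and the `tnccs-20` entry in carol's `load` line have to agree, and nothing in the file says so; the same pair is repeated in dave's and moon's strongswan.conf of this test. Presumably a host that selects a protocol whose plugin is not loaded cannot complete the TNC exchange, which in a test that expects dave to be rejected could hide the real cause of a failure. A comment above the `plugins` block such as `# eap-tnc protocol must match the loaded tnccs-* plugin (tnccs-20)` would make the coupling explicit. `multiple_authentication=no` also lacks the spaces used around `=` on the neighbouring lines.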
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+ multiple_authentication=no
+ plugins {
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ tnc-imc {
+ preferred_language = ru, fr, en
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file
index 621e94f0e..621e94f0e 100644
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config
index a5a9a68f3..a5a9a68f3 100644
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf
index 6747b4a4a..6747b4a4a 100755
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets
index 2e277ccb0..2e277ccb0 100644
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..20caf8e84
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,19 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown
+ multiple_authentication=no
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ tnc-imv {
+ recommendation_policy = all
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config
index ac436a344..ac436a344 100644
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat
index 7cebd7f25..7cebd7f25 100644
--- a/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat
index ce897d181..ce897d181 100644
--- a/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/test.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/test.conf
index e28b8259b..e28b8259b 100644
--- a/testing/tests/ikev2/rw-eap-tnc-tls/test.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/test.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/description.txt b/testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt
index 762b839ee..54590a951 100644
--- a/testing/tests/ikev2/rw-eap-tnc-tls/description.txt
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt
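Review bot: `recommendation_policy = all` in the tnc-imv section of rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf is undocumented, and the rw-eap-tnc-dynamic gateway config added later in this commit has no tnc-imv section at all, so a reader cannot tell whether the block test depends on this policy. A one-line comment above the option, for example `# all: the loaded IMVs must agree on the recommendation (other values: default, any)`, would record the intent; the exact meaning of `all` should be confirmed against the tnc-imv plugin documentation before the wording is committed. The same gap exists for `preferred_language` in the carol and dave configs of this test, where the two clients get different language lists without explanation.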
@@ -1,7 +1,10 @@ The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>, -bothe ends doing certificate-based EAP-TLS authentication only. +both ends doing certificate-based EAP-TLS authentication only. In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface. +health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0 </b> client-server interface +compliant with <b>RFC 5793 PB-TNC</b>. +<p> <b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively. +</p> diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat index cebfff25f..bbc0603b6 100644 --- a/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat @@ -1,8 +1,8 @@ -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES +carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES -dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES +dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES 
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf index 1b6274215..1b6274215 100755 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf index c12143cb1..b2aa2806a 100644 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf @@ -1,6 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + } } diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file index f5da834c0..f5da834c0 100644 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config index a5a9a68f3..a5a9a68f3 100644 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf index 54c06b12e..54c06b12e 100755 
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf index c12143cb1..b2aa2806a 100644 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf @@ -1,6 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + } } diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file index c20b5e57f..c20b5e57f 100644 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config index a5a9a68f3..a5a9a68f3 100644 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf index 50514c99f..50514c99f 100755 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf 
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets index 2e277ccb0..2e277ccb0 100644 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf index 8898a63ba..04a243cad 100644 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown multiple_authentication=no plugins { eap-ttls { @@ -9,5 +9,8 @@ charon { phase2_piggyback = yes phase2_tnc = yes } + eap-tnc { + protocol = tnccs-2.0 + } } } diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config index ac436a344..ac436a344 100644 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config diff --git a/testing/tests/ikev2/rw-eap-tnc/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat index 7cebd7f25..7cebd7f25 100644 --- a/testing/tests/ikev2/rw-eap-tnc/posttest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat diff --git a/testing/tests/ikev2/rw-eap-tnc/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat index ce897d181..ce897d181 100644 --- a/testing/tests/ikev2/rw-eap-tnc/pretest.dat 
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat
diff --git a/testing/tests/ikev2/rw-eap-tnc/test.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf
index e28b8259b..e28b8259b 100644
--- a/testing/tests/ikev2/rw-eap-tnc/test.conf
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/description.txt b/testing/tests/ikev2/rw-eap-tnc-20/description.txt
new file mode 100644
index 000000000..6a9c5dde8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
+respectively.
+</p>
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat
new file mode 100644
index 000000000..737c9b9ef
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c19192dae
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf
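Review bot: The two negative ping checks at the end of rw-eap-tnc-20/evaltest.dat look unable to fail, because `carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO` searches for a reply from PH_IP_ALICE while pinging PH_IP_VENUS. Assuming ping reports the address that answered, that pattern never appears whether or not carol is actually kept out of the rw-isolate subnet, so the separation between the two subnets is not being tested. Matching the pinged address instead, `carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO` and `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO`, makes the test fail if traffic crosses between rw-allow and rw-isolate. The same two lines are repeated in rw-eap-tnc-dynamic/evaltest.dat further down in this commit.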
@@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf index c12143cb1..b2aa2806a 100644 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf @@ -1,6 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + } } diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file new file mode 100644 index 000000000..f5da834c0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +allow 
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..3797993fa
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
+IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..7d5ea8b83
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..b2aa2806a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+ multiple_authentication=no
+ plugins {
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..c20b5e57f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..3797993fa
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
+IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..50514c99f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf
index f8700d3c5..b76c1cd55 100644
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown multiple_authentication=no plugins { eap-ttls { @@ -9,5 +9,8 @@ charon { phase2_piggyback = yes phase2_tnc = yes } + eap-tnc { + protocol = tnccs-2.0 + } } } diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..67896d543 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config @@ -0,0 +1,4 @@ +#IMV configuration file for strongSwan server + +IMV "Dummy" /usr/local/lib/libdummyimv.so +IMV "HostScanner" /usr/local/lib/libhostscannerimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-20/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat new file mode 100644 index 000000000..ce897d181 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat 
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/test.conf b/testing/tests/ikev2/rw-eap-tnc-20/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt b/testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt
new file mode 100644
index 000000000..21e9bc675
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt
@@ -0,0 +1,12 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of TNC client <b>carol</b> via the <b>TNCCS 1.1 </b> client-server interface and of
+TNC client <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface. TNC server
+<b>moon</b> dynamically detects which version of the IF-TNCCS protocol is used.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
+respectively.
+</p>
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat
new file mode 100644
index 000000000..2c7a2dbd7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat
@@ -0,0 +1,27 @@ +carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES +dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +moon::cat /var/log/daemon.log::TNCCS 1.1 protocol detected dynamically::YES +moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 1::YES +moon::cat /var/log/daemon.log::Final recommendation is 'allow' and evaluation is 'compliant'::YES +moon::cat /var/log/daemon.log::added group membership 'allow'::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::removed TNCCS Connection ID 1::YES +moon::cat /var/log/daemon.log::TNCCS 2.0 protocol detected dynamically::YES +moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 2::YES +moon::cat /var/log/daemon.log::Final recommendation is 'isolate' and evaluation is 'non-compliant minor'::YES +moon::cat /var/log/daemon.log::added group membership 'isolate'::YES +moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES +moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: 
icmp_seq=1::NO +dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO + diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..c19192dae --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf index c12143cb1..6a12318db 100644 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } 
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..3797993fa
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
+IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..7d5ea8b83
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..b2aa2806a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+ multiple_authentication=no
+ plugins {
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..33945dc1e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..3797993fa
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
+IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..50514c99f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..a1a4a4747
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnccs-20 tnccs-dynamic tnc-imv updown
+ multiple_authentication=no
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ eap-tnc {
+ protocol = tnccs-dynamic
+ }
+ }
+}
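Review bot: In hosts/moon/etc/ipsec.conf the whole access decision rests on `rightgroups=allow` versus `rightgroups=isolate`, but no comment says where that group membership comes from or what happens to a peer that lands in neither group. `rw-eap` has no `auto=` line of its own and is only pulled in through `also=rw-eap`, so as far as the visible config shows such a peer matches no connection. That fail-closed behaviour is presumably intended, with the group taken from the TNC recommendation, and should be written down. I would add above `conn rw-allow` a line like `# group is set from the TNC recommendation; peers in neither group match no conn`. Whether evaltest.dat also checks that the isolated client cannot reach 10.1.0.0/28 is not visible in this part of the diff.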
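Review bot: `phase2_method = md5` in hosts/moon/etc/strongswan.conf selects EAP-MD5 as the inner method without any comment, and EAP-MD5 on its own authenticates only the client and leaves the password open to offline guessing from a captured exchange. It is defensible here only because the exchange runs inside the EAP-TTLS tunnel, which moon presumably authenticates with the certificate named by `leftcert=moonCert.pem` in its ipsec.conf. I would say so next to the setting, e.g. `# EAP-MD5 is used only inside the EAP-TTLS tunnel; never enable it as the outer method`, so the block is not reused with the outer authentication changed to plain EAP-MD5.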
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..67896d543
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
+IMV "HostScanner" /usr/local/lib/libhostscannerimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
index 9129f160b..08b95659f 100755
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
@@ -2,6 +2,7 @@ config setup crlcheckinterval=180 + uniqueids=no strictcrlpolicy=yes plutostart=no |