Diffstat (limited to 'testing/tests')
-rw-r--r--testing/tests/gcrypt-ikev1/alg-serpent/description.txt4
-rw-r--r--testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat10
-rwxr-xr-xtesting/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf (renamed from testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf)0
-rw-r--r--testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf11
-rwxr-xr-xtesting/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf (renamed from testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf)0
-rw-r--r--testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat (renamed from testing/tests/ikev1/alg-serpent/posttest.dat)0
-rw-r--r--testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat (renamed from testing/tests/ikev1/alg-serpent/pretest.dat)0
-rw-r--r--testing/tests/gcrypt-ikev1/alg-serpent/test.conf (renamed from testing/tests/ikev1/alg-serpent/test.conf)0
-rw-r--r--testing/tests/gcrypt-ikev1/alg-twofish/description.txt4
-rw-r--r--testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat10
-rwxr-xr-xtesting/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf (renamed from testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf)0
-rw-r--r--testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf11
-rwxr-xr-xtesting/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf (renamed from testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf)0
-rw-r--r--testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat (renamed from testing/tests/ikev1/alg-sha-equals-sha1/posttest.dat)0
-rw-r--r--testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat (renamed from testing/tests/ikev1/alg-sha-equals-sha1/pretest.dat)0
-rw-r--r--testing/tests/gcrypt-ikev1/alg-twofish/test.conf (renamed from testing/tests/ikev1/alg-sha-equals-sha1/test.conf)0
-rw-r--r--testing/tests/gcrypt-ikev1/rw-cert/description.txt12
-rw-r--r--testing/tests/gcrypt-ikev1/rw-cert/evaltest.dat10
-rwxr-xr-xtesting/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/ipsec.conf (renamed from testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf)12
-rw-r--r--testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf14
-rwxr-xr-xtesting/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/ipsec.conf25
-rw-r--r--testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf15
-rwxr-xr-xtesting/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/ipsec.conf (renamed from testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf)11
-rw-r--r--testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf14
-rw-r--r--testing/tests/gcrypt-ikev1/rw-cert/posttest.dat (renamed from testing/tests/openssl/ecdsa-certs/posttest.dat)0
-rw-r--r--testing/tests/gcrypt-ikev1/rw-cert/pretest.dat (renamed from testing/tests/openssl/ecdsa-certs/pretest.dat)0
-rw-r--r--testing/tests/gcrypt-ikev1/rw-cert/test.conf (renamed from testing/tests/openssl/ecdsa-certs/test.conf)0
-rw-r--r--testing/tests/gcrypt-ikev2/alg-camellia/description.txt4
-rw-r--r--testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat9
-rwxr-xr-xtesting/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf25
-rw-r--r--testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf (renamed from testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf)19
-rw-r--r--testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat4
-rw-r--r--testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat7
-rw-r--r--testing/tests/gcrypt-ikev2/alg-camellia/test.conf (renamed from testing/tests/ikev2/crl-strict/test.conf)0
-rw-r--r--testing/tests/gcrypt-ikev2/rw-cert/description.txt12
-rw-r--r--testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat (renamed from testing/tests/openssl/rw-cert/evaltest.dat)0
-rwxr-xr-xtesting/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf (renamed from testing/tests/openssl/rw-cert/hosts/carol/etc/ipsec.conf)0
-rw-r--r--testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf11
-rwxr-xr-xtesting/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf (renamed from testing/tests/openssl/rw-cert/hosts/dave/etc/ipsec.conf)0
-rw-r--r--testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf12
-rwxr-xr-xtesting/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf (renamed from testing/tests/openssl/rw-cert/hosts/moon/etc/ipsec.conf)0
-rw-r--r--testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/gcrypt-ikev2/rw-cert/posttest.dat (renamed from testing/tests/openssl/ike-alg-ecp-high/posttest.dat)0
-rw-r--r--testing/tests/gcrypt-ikev2/rw-cert/pretest.dat (renamed from testing/tests/openssl/ike-alg-ecp-high/pretest.dat)0
-rw-r--r--testing/tests/gcrypt-ikev2/rw-cert/test.conf (renamed from testing/tests/openssl/ike-alg-ecp-high/test.conf)0
-rw-r--r--testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf14
-rw-r--r--testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf8
-rw-r--r--testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf12
-rw-r--r--testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf3
-rwxr-xr-xtesting/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf3
-rw-r--r--testing/tests/ikev1/alg-blowfish/description.txt4
-rw-r--r--testing/tests/ikev1/alg-blowfish/evaltest.dat8
-rw-r--r--testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/alg-serpent/description.txt4
-rw-r--r--testing/tests/ikev1/alg-serpent/evaltest.dat10
-rw-r--r--testing/tests/ikev1/alg-sha-equals-sha1/description.txt5
-rw-r--r--testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat9
-rw-r--r--testing/tests/ikev1/alg-sha2_256/description.txt4
-rw-r--r--testing/tests/ikev1/alg-sha2_256/evaltest.dat8
-rw-r--r--testing/tests/ikev1/alg-twofish/description.txt4
-rw-r--r--testing/tests/ikev1/alg-twofish/evaltest.dat10
-rw-r--r--testing/tests/ikev1/alg-twofish/posttest.dat2
-rw-r--r--testing/tests/ikev1/alg-twofish/pretest.dat5
-rw-r--r--testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf10
-rw-r--r--testing/tests/ikev1/crl-ldap/evaltest.dat4
-rw-r--r--testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf15
-rw-r--r--testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf15
-rw-r--r--testing/tests/ikev1/dpd-restart/evaltest.dat2
-rw-r--r--testing/tests/ikev1/esp-ah-transport/description.txt2
-rw-r--r--testing/tests/ikev1/esp-ah-transport/evaltest.dat4
-rw-r--r--testing/tests/ikev1/esp-ah-tunnel/description.txt2
-rw-r--r--testing/tests/ikev1/esp-ah-tunnel/evaltest.dat4
-rw-r--r--testing/tests/ikev1/esp-alg-aesxcbc/description.txt2
-rw-r--r--testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat4
-rw-r--r--testing/tests/ikev1/esp-alg-camellia/description.txt2
-rw-r--r--testing/tests/ikev1/esp-alg-camellia/evaltest.dat4
-rw-r--r--testing/tests/ikev1/esp-alg-des/evaltest.dat6
-rw-r--r--testing/tests/ikev1/esp-alg-null/evaltest.dat6
-rwxr-xr-xtesting/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf2
-rwxr-xr-xtesting/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf2
-rw-r--r--testing/tests/ikev1/esp-alg-strict-fail/description.txt6
-rw-r--r--testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat6
-rwxr-xr-xtesting/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf2
-rwxr-xr-xtesting/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf2
-rw-r--r--testing/tests/ikev1/esp-alg-strict/description.txt8
-rw-r--r--testing/tests/ikev1/esp-alg-strict/evaltest.dat10
-rwxr-xr-xtesting/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf4
-rwxr-xr-xtesting/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf2
-rw-r--r--testing/tests/ikev1/esp-alg-weak/description.txt2
-rw-r--r--testing/tests/ikev1/ike-alg-sha2_384/description.txt4
-rw-r--r--testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat8
-rw-r--r--testing/tests/ikev1/ike-alg-sha2_512/description.txt4
-rw-r--r--testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat8
-rw-r--r--testing/tests/ikev1/ike-alg-strict-fail/description.txt6
-rw-r--r--testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat2
-rwxr-xr-xtesting/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf2
-rwxr-xr-xtesting/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf2
-rw-r--r--testing/tests/ikev1/ike-alg-strict/description.txt8
-rw-r--r--testing/tests/ikev1/ike-alg-strict/evaltest.dat10
-rwxr-xr-xtesting/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf4
-rwxr-xr-xtesting/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf2
-rw-r--r--testing/tests/ikev1/mode-config/evaltest.dat2
-rw-r--r--testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf13
-rw-r--r--testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat2
-rw-r--r--testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/no-priv-key/evaltest.dat4
-rw-r--r--testing/tests/ikev1/protoport-route/evaltest.dat4
-rw-r--r--testing/tests/ikev1/protoport-route/pretest.dat4
-rw-r--r--testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf15
-rw-r--r--testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf15
-rw-r--r--testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf14
-rw-r--r--testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf14
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat2
-rw-r--r--testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat4
-rw-r--r--testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf15
-rw-r--r--testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf15
-rw-r--r--testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev2/alg-aes-xcbc/description.txt2
-rw-r--r--testing/tests/ikev2/alg-aes-xcbc/evaltest.dat8
-rw-r--r--testing/tests/ikev2/alg-blowfish/description.txt6
-rw-r--r--testing/tests/ikev2/alg-blowfish/evaltest.dat16
-rwxr-xr-xtesting/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf26
-rw-r--r--testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/alg-blowfish/posttest.dat (renamed from testing/tests/openssl/ike-alg-ecp-low/posttest.dat)0
-rw-r--r--testing/tests/ikev2/alg-blowfish/pretest.dat (renamed from testing/tests/openssl/ike-alg-ecp-low/pretest.dat)0
-rw-r--r--testing/tests/ikev2/alg-blowfish/test.conf (renamed from testing/tests/openssl/ike-alg-ecp-low/test.conf)0
-rw-r--r--testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev2/crl-revoked/evaltest.dat1
-rw-r--r--testing/tests/ikev2/crl-strict/description.txt2
-rw-r--r--testing/tests/ikev2/crl-strict/evaltest.dat4
-rw-r--r--testing/tests/ikev2/crl-strict/posttest.dat2
-rw-r--r--testing/tests/ikev2/crl-strict/pretest.dat4
-rw-r--r--testing/tests/ikev2/crl-to-cache/evaltest.dat4
-rw-r--r--testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf4
-rw-r--r--testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf4
-rw-r--r--testing/tests/ikev2/esp-alg-aes-ccm/description.txt4
-rw-r--r--testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat4
-rw-r--r--testing/tests/ikev2/esp-alg-aes-gcm/description.txt2
-rw-r--r--testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat4
-rw-r--r--testing/tests/ikev2/esp-alg-camellia/description.txt3
-rw-r--r--testing/tests/ikev2/esp-alg-camellia/evaltest.dat7
-rwxr-xr-xtesting/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf (renamed from testing/tests/ikev1/after-2038-certs/hosts/carol/etc/strongswan.conf)0
-rwxr-xr-xtesting/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf (renamed from testing/tests/ikev1/after-2038-certs/hosts/moon/etc/strongswan.conf)0
-rw-r--r--testing/tests/ikev2/esp-alg-camellia/posttest.dat4
-rw-r--r--testing/tests/ikev2/esp-alg-camellia/pretest.dat7
-rw-r--r--testing/tests/ikev2/esp-alg-camellia/test.conf (renamed from testing/tests/ikev1/alg-twofish/test.conf)1
-rw-r--r--testing/tests/ikev2/esp-alg-null/description.txt2
-rw-r--r--testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/description.txt17
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat21
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf4
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf5
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf5
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf123
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default62
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat7
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users0
-rwxr-xr-xtesting/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf26
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat3
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf (renamed from testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf)2
-rwxr-xr-xtesting/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf27
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat3
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf (renamed from testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf)2
-rwxr-xr-xtesting/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables84
-rwxr-xr-xtesting/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf26
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat7
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat15
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf (renamed from testing/tests/openssl/rw-cert/test.conf)0
-rw-r--r--testing/tests/ikev2/multi-level-ca-cr-init/description.txt12
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf4
-rw-r--r--testing/tests/ikev2/multi-level-ca-cr-resp/description.txt12
-rw-r--r--testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat4
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf4
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat5
-rw-r--r--testing/tests/ikev2/multi-level-ca-loop/evaltest.dat2
-rw-r--r--testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat1
-rw-r--r--testing/tests/ikev2/multi-level-ca-strict/description.txt2
-rw-r--r--testing/tests/ikev2/multi-level-ca/evaltest.dat5
-rw-r--r--testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat3
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat2
-rw-r--r--testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat2
-rw-r--r--testing/tests/ikev2/reauth-late/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf8
-rw-r--r--testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf8
-rw-r--r--testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf8
-rw-r--r--testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat3
-rwxr-xr-xtesting/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf4
-rwxr-xr-xtesting/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf8
-rw-r--r--testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat1
-rwxr-xr-xtesting/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf3
-rwxr-xr-xtesting/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf6
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat10
-rwxr-xr-xtesting/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf3
-rwxr-xr-xtesting/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf6
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat2
-rwxr-xr-xtesting/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf3
-rwxr-xr-xtesting/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf4
-rwxr-xr-xtesting/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf3
-rwxr-xr-xtesting/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf4
-rw-r--r--testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat9
-rwxr-xr-xtesting/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf4
-rwxr-xr-xtesting/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf9
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/description.txt2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat6
-rwxr-xr-xtesting/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf5
-rwxr-xr-xtesting/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf6
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat4
-rwxr-xr-xtesting/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf3
-rwxr-xr-xtesting/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf4
-rw-r--r--testing/tests/ikev2/two-certs/description.txt13
-rw-r--r--testing/tests/ikev2/two-certs/evaltest.dat19
-rwxr-xr-xtesting/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf18
-rw-r--r--testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem25
-rw-r--r--testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem27
-rw-r--r--testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets5
-rwxr-xr-xtesting/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf19
-rw-r--r--testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem25
-rw-r--r--testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.derbin827 -> 0 bytes
-rw-r--r--testing/tests/ikev2/two-certs/posttest.dat5
-rw-r--r--testing/tests/ikev2/two-certs/pretest.dat7
-rw-r--r--testing/tests/ikev2/two-certs/test.conf6
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/description.txt (renamed from testing/tests/openssl/ike-alg-ecp-high/description.txt)0
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat13
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf25
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf11
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf25
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf11
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf24
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat (renamed from testing/tests/openssl/rw-cert/posttest.dat)0
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat (renamed from testing/tests/openssl/rw-cert/pretest.dat)0
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/test.conf21
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/description.txt (renamed from testing/tests/openssl/ike-alg-ecp-low/description.txt)0
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat13
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf25
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf11
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf25
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf11
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf24
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat9
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/test.conf21
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/description.txt (renamed from testing/tests/openssl/ecdsa-certs/description.txt)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat15
-rwxr-xr-xtesting/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem (renamed from testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem (renamed from testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem (renamed from testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.secrets)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf11
-rwxr-xr-xtesting/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf23
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem (renamed from testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem (renamed from testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem (renamed from testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets (renamed from testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.secrets)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf11
-rwxr-xr-xtesting/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf32
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem (renamed from testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec256_Cert.pem18
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec384_Cert.pem19
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec256_Key.pem5
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec384_Key.pem6
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets5
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat8
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat9
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/test.conf21
-rw-r--r--testing/tests/openssl-ikev1/rw-cert/description.txt (renamed from testing/tests/openssl/rw-cert/description.txt)0
-rw-r--r--testing/tests/openssl-ikev1/rw-cert/evaltest.dat10
-rwxr-xr-xtesting/tests/openssl-ikev1/rw-cert/hosts/carol/etc/ipsec.conf25
-rw-r--r--testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf14
-rwxr-xr-xtesting/tests/openssl-ikev1/rw-cert/hosts/dave/etc/ipsec.conf25
-rw-r--r--testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf15
-rwxr-xr-xtesting/tests/openssl-ikev1/rw-cert/hosts/moon/etc/ipsec.conf24
-rw-r--r--testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf15
-rw-r--r--testing/tests/openssl-ikev1/rw-cert/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev1/rw-cert/pretest.dat9
-rw-r--r--testing/tests/openssl-ikev1/rw-cert/test.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/description.txt11
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat16
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf25
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf (renamed from testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf)0
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf25
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf (renamed from testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf)0
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf24
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf (renamed from testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf)0
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/pretest.dat9
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/test.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/description.txt17
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat (renamed from testing/tests/openssl/ike-alg-ecp-high/evaltest.dat)8
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf (renamed from testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/ipsec.conf)0
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf (renamed from testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf)0
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf (renamed from testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/ipsec.conf)0
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf (renamed from testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf)0
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf (renamed from testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/ipsec.conf)0
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf (renamed from testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf)0
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat9
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/test.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/description.txt17
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat (renamed from testing/tests/openssl/ike-alg-ecp-low/evaltest.dat)8
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf (renamed from testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/ipsec.conf)0
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf (renamed from testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf)0
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf (renamed from testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/ipsec.conf)0
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf (renamed from testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf)0
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf (renamed from testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/ipsec.conf)0
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf (renamed from testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf)0
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat9
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/test.conf21
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/description.txt11
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat (renamed from testing/tests/openssl/ecdsa-certs/evaltest.dat)8
-rwxr-xr-xtesting/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf (renamed from testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.conf)1
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem17
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem18
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem8
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf (renamed from testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf)0
-rwxr-xr-xtesting/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf (renamed from testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf)2
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem17
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem19
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem6
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf (renamed from testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf)0
-rwxr-xr-xtesting/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf (renamed from testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.conf)1
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem17
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem (renamed from testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem (renamed from testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.secrets)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat9
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/test.conf21
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/description.txt12
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/evaltest.dat10
-rwxr-xr-xtesting/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf (renamed from testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf)10
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf12
-rwxr-xr-xtesting/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf (renamed from testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.conf)2
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf12
-rwxr-xr-xtesting/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/pretest.dat9
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/test.conf21
-rw-r--r--testing/tests/pfkey/alg-aes-xcbc/description.txt2
-rw-r--r--testing/tests/pfkey/alg-aes-xcbc/evaltest.dat8
-rw-r--r--testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf8
-rw-r--r--testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf8
-rw-r--r--testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf8
-rw-r--r--testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf8
-rw-r--r--testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf8
-rw-r--r--testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf8
-rw-r--r--testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql16
-rw-r--r--testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql14
412 files changed, 3042 insertions, 416 deletions
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/description.txt b/testing/tests/gcrypt-ikev1/alg-serpent/description.txt
new file mode 100644
index 000000000..604fb45df
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite
+<b>SERPENT_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and
+<b>SERPENT_CBC_256 / HMAC_SHA2_256 </b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
new file mode 100644
index 000000000..2be8f675f
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
@@ -0,0 +1,10 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec statusall::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512/MODP_4096::YES
+moon::ipsec statusall::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512/MODP_4096::YES
+carol::ipsec statusall::ESP proposal: SERPENT_CBC_256/HMAC_SHA2_256::YES
+moon::ipsec statusall::ESP proposal: SERPENT_CBC_256/HMAC_SHA2_256::YES
+carol::ip xfrm state::enc cbc(serpent)::YES
+moon::ip xfrm state::enc cbc(serpent)::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+
diff --git a/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
index b050f022a..b050f022a 100755
--- a/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..0c6fd2c9f
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = gcrypt hmac pubkey curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
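Review bot: The comment above `libstrongswan` does not say what `dh_exponent_ansi_x9_42 = no` trades away, and this test negotiates MODP_4096, where the exponent size matters most. As far as I know, the setting sizes the DH private exponent to the group's estimated strength instead of the ANSI X9.42 length. I would reword the comment to `# DH private exponents sized to the group's estimated strength (RFC 3526), not ANSI X9.42 length; test-bed setting`. The same block is added unchanged in moon's file for this test, in both alg-twofish strongswan.conf files, and in the ikev1/alg-blowfish and rw-cert strongswan.conf files of this commit.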
diff --git a/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
index 75830f043..75830f043 100755
--- a/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..0c6fd2c9f
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = gcrypt hmac pubkey curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/alg-serpent/posttest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/ikev1/alg-serpent/posttest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat
diff --git a/testing/tests/ikev1/alg-serpent/pretest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
index 6d2eeb5f9..6d2eeb5f9 100644
--- a/testing/tests/ikev1/alg-serpent/pretest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
diff --git a/testing/tests/ikev1/alg-serpent/test.conf b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
index a6c8f026c..a6c8f026c 100644
--- a/testing/tests/ikev1/alg-serpent/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/description.txt b/testing/tests/gcrypt-ikev1/alg-twofish/description.txt
new file mode 100644
index 000000000..b65ea7b8d
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite
+<b>TWOFISH_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and
+<b>TWOFISH_CBC_256 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
new file mode 100644
index 000000000..34c9d1c65
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
@@ -0,0 +1,10 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec statusall::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
+moon::ipsec statusall::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
+carol::ipsec statusall::ESP proposal: TWOFISH_CBC_256/HMAC_SHA2_256::YES
+moon::ipsec statusall::ESP proposal: TWOFISH_CBC_256/HMAC_SHA2_256::YES
+carol::ip xfrm state::enc cbc(twofish)::YES
+moon::ip xfrm state::enc cbc(twofish)::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+
diff --git a/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
index 71ed47519..71ed47519 100755
--- a/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..0c6fd2c9f
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = gcrypt hmac pubkey curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
index ba739f887..ba739f887 100755
--- a/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..0c6fd2c9f
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = gcrypt hmac pubkey curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/posttest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/ikev1/alg-sha-equals-sha1/posttest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat
diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/pretest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
index 7d077c126..7d077c126 100644
--- a/testing/tests/ikev1/alg-sha-equals-sha1/pretest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/test.conf b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
index a6c8f026c..a6c8f026c 100644
--- a/testing/tests/ikev1/alg-sha-equals-sha1/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/description.txt b/testing/tests/gcrypt-ikev1/rw-cert/description.txt
new file mode 100644
index 000000000..f60f5b1ad
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/rw-cert/description.txt
@@ -0,0 +1,12 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>gcrypt</b>
+plugin based on the <b>GNU Libgcrypt</b> library for all cryptographical functions
+whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
+plugins <b>aes des sha1 sha2 md5 gmp</b>.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/evaltest.dat b/testing/tests/gcrypt-ikev1/rw-cert/evaltest.dat
new file mode 100644
index 000000000..1a9b9159f
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/rw-cert/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::IPsec SA established::YES
+carol::ipsec statusall::IPsec SA established::YES
+dave::ipsec statusall::IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
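Review bot: None of these checks asserts which IKE proposal was negotiated, so the test passes as long as any SA comes up and the ping succeeds. In this test carol is pinned to `ike=3des-sha1-modp1536!` and dave to `ike=aes256-sha256-modp2048!`, and the alg-serpent and alg-twofish evaltest.dat files in this commit do check the suite. I would add lines of the same shape, for example `carol::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1536::YES`, after confirming the exact string pluto prints for that suite. A matching line for dave would show that moon picks the stronger of its two offered suites when the peer supports it.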
diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
index 40d31c0ac..80dae3719 100755
--- a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
@@ -1,25 +1,25 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug="control crypt"
- crlcheckinterval=180
+ crlcheckinterval=180
strictcrlpolicy=no
charonstart=no
+ plutodebug=control
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
- ike=aes128-sha1-modp1536!
- esp=aes128-sha!
+ keyexchange=ikev1
+ ike=3des-sha1-modp1536!
conn home
left=PH_IP_CAROL
leftcert=carolCert.pem
leftid=carol@strongswan.org
+ leftfirewall=yes
right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
auto=add
-
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..0840260c3
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = test-vectors gcrypt pubkey hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+ crypto_test {
+ on_add = yes
+ }
+}
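Review bot: `crypto_test` sets `on_add = yes` without `required = yes` here, while dave's file in the same test sets both, and nothing in the file explains the difference. If `required` behaves as its name suggests, the gcrypt hosts will still register algorithms that have no test vector, so the self-test covers less on the very plugin this test exercises. A one-line comment such as `# required left off: gcrypt registers algorithms that have no test vector` (if that is the reason) would make the intent explicit. The same applies to moon's file in this test and to carol's and moon's files under gcrypt-ikev2/rw-cert.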
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..73167caad
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+ plutodebug=control
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=aes256-sha256-modp2048!
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..fdfb0003f
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = test-vectors aes des sha1 sha2 md5 gmp pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+ crypto_test {
+ required = yes
+ on_add = yes
+ }
+}
diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
index 1461f7933..f365b07da 100755
--- a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
@@ -1,25 +1,24 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug="control crypt"
- crlcheckinterval=180
+ crlcheckinterval=180
strictcrlpolicy=no
charonstart=no
+ plutodebug=control
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
- ike=aes128-sha1-modp1536!
- esp=aes128-sha!
+ keyexchange=ikev1
+ ike=aes256-sha256-modp2048,3des-sha1-modp1536!
conn rw
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
+ leftfirewall=yes
right=%any
- rightid=carol@strongswan.org
auto=add
-
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..0840260c3
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = test-vectors gcrypt pubkey hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+ crypto_test {
+ on_add = yes
+ }
+}
diff --git a/testing/tests/openssl/ecdsa-certs/posttest.dat b/testing/tests/gcrypt-ikev1/rw-cert/posttest.dat
index 7cebd7f25..7cebd7f25 100644
--- a/testing/tests/openssl/ecdsa-certs/posttest.dat
+++ b/testing/tests/gcrypt-ikev1/rw-cert/posttest.dat
diff --git a/testing/tests/openssl/ecdsa-certs/pretest.dat b/testing/tests/gcrypt-ikev1/rw-cert/pretest.dat
index 42e9d7c24..42e9d7c24 100644
--- a/testing/tests/openssl/ecdsa-certs/pretest.dat
+++ b/testing/tests/gcrypt-ikev1/rw-cert/pretest.dat
diff --git a/testing/tests/openssl/ecdsa-certs/test.conf b/testing/tests/gcrypt-ikev1/rw-cert/test.conf
index 70416826e..70416826e 100644
--- a/testing/tests/openssl/ecdsa-certs/test.conf
+++ b/testing/tests/gcrypt-ikev1/rw-cert/test.conf
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/description.txt b/testing/tests/gcrypt-ikev2/alg-camellia/description.txt
new file mode 100644
index 000000000..b3515c333
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 /
+HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as
+the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b>
+in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
new file mode 100644
index 000000000..aad3becc7
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
@@ -0,0 +1,9 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+moon::ip xfrm state::enc cbc(camellia)::YES
+carol::ip xfrm state::enc cbc(camellia)::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..37f8a7ecf
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=camellia256-sha512-modp2048!
+ esp=camellia192-sha1!
+
+conn home
+ left=PH_IP_CAROL
+ leftfirewall=yes
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
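Review bot: `ike=camellia256-sha512-modp2048!` disagrees with this test's description.txt, which says the suite is selected by `ike=camellia256-sha256-modp2048`. evaltest.dat expects `HMAC_SHA2_512_256` and `PRF_HMAC_SHA2_512`, so the config looks right and the description is what needs correcting: `by defining <b>ike=camellia256-sha512-modp2048</b>`. moon's ipsec.conf for this test uses the same sha512 value.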
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..70c473005
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl gcrypt x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
index 072c57c5b..f8d7e3fe9 100755
--- a/testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -11,23 +11,14 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
+ ike=camellia256-sha512-modp2048!
+ esp=camellia192-sha1!
+
+conn rw
left=PH_IP_MOON
+ leftfirewall=yes
leftcert=moonCert.pem
leftid=@moon.strongswan.org
-
-conn net-net
- leftsubnet=10.1.0.0/16
- right=PH_IP_SUN
- rightsubnet=10.2.0.0/16
- rightid=@sun.strongswan.org
- auto=add
-
-conn host-host
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- auto=add
-
-conn rw
leftsubnet=10.1.0.0/16
right=%any
auto=add
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..70c473005
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl gcrypt x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
new file mode 100644
index 000000000..3c3df0196
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/crl-strict/test.conf b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
index 2b240d895..2b240d895 100644
--- a/testing/tests/ikev2/crl-strict/test.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/description.txt b/testing/tests/gcrypt-ikev2/rw-cert/description.txt
new file mode 100644
index 000000000..f60f5b1ad
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/rw-cert/description.txt
@@ -0,0 +1,12 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>gcrypt</b>
+plugin based on the <b>GNU Libgcrypt</b> library for all cryptographical functions
+whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
+plugins <b>aes des sha1 sha2 md5 gmp</b>.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/openssl/rw-cert/evaltest.dat b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat
index 06a0f8cda..06a0f8cda 100644
--- a/testing/tests/openssl/rw-cert/evaltest.dat
+++ b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat
diff --git a/testing/tests/openssl/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
index 4a8baa3ae..4a8baa3ae 100755
--- a/testing/tests/openssl/rw-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..edb7e40d1
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl test-vectors gcrypt x509 pubkey hmac stroke kernel-netlink updown
+}
+
+libstrongswan {
+ crypto_test {
+ on_add = yes
+ }
+}
diff --git a/testing/tests/openssl/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
index 42f03aab3..42f03aab3 100755
--- a/testing/tests/openssl/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..f4b6dfdb9
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac stroke kernel-netlink updown
+}
+
+libstrongswan {
+ crypto_test {
+ required = yes
+ on_add = yes
+ }
+}
diff --git a/testing/tests/openssl/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
index 2e84f2e6a..2e84f2e6a 100755
--- a/testing/tests/openssl/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..edb7e40d1
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl test-vectors gcrypt x509 pubkey hmac stroke kernel-netlink updown
+}
+
+libstrongswan {
+ crypto_test {
+ on_add = yes
+ }
+}
diff --git a/testing/tests/openssl/ike-alg-ecp-high/posttest.dat b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat
index 7cebd7f25..7cebd7f25 100644
--- a/testing/tests/openssl/ike-alg-ecp-high/posttest.dat
+++ b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat
diff --git a/testing/tests/openssl/ike-alg-ecp-high/pretest.dat b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
index 42e9d7c24..42e9d7c24 100644
--- a/testing/tests/openssl/ike-alg-ecp-high/pretest.dat
+++ b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
diff --git a/testing/tests/openssl/ike-alg-ecp-high/test.conf b/testing/tests/gcrypt-ikev2/rw-cert/test.conf
index 70416826e..70416826e 100644
--- a/testing/tests/openssl/ike-alg-ecp-high/test.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/test.conf
diff --git a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..304ef99e0
--- /dev/null
+++ b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = test-vectors sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+ crypto_test {
+ on_add = yes
+ }
+}
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
index ef63f7262..f1dcd52e9 100644
--- a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+ load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
+
+libstrongswan {
+ crypto_test {
+ on_add = yes
+ }
}
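Review bot: The new `crypto_test` block enables `on_add` but omits `required = yes`, whereas dave's strongswan.conf in the gcrypt-ikev1 and gcrypt-ikev2 rw-cert tests of this commit sets both for nearly the same plugin list. If every plugin loaded here ships test vectors, adding `required = yes` would make the tests consistent and would stop an algorithm without a vector from being registered untested. If one of them (possibly `xcbc`) has no vector, a comment saying so would explain the omission. moon's file in this test has the same block.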
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
index ef63f7262..7133aef00 100644
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,15 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+ load = curl test-vectors aes des sha1 sha2 md5 gmp random pubkey hmac x509 xcbc stroke kernel-netlink
+}
+
+pluto {
+ load = curl test-vectors aes des sha1 sha2 md5 gmp random pubkey hmac
+}
+
+libstrongswan {
+ crypto_test {
+ on_add = yes
+ }
}
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
index ef63f7262..8dcb265b7 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+ load = curl aes des sha1 sha2 md5 gmp random pubkey hmac x509 xcbc stroke kernel-netlink
+}
+
+pluto {
+ load = curl aes des sha1 sha2 md5 gmp random pubkey hmac
}
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
index 392a4b51e..d55638907 100755
--- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,8 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- crlcheckinterval=180
+ plutodebug=control
+ crlcheckinterval=180
strictcrlpolicy=no
charonstart=no
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
index e56090f48..94517ecbe 100755
--- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,8 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- crlcheckinterval=180
+ plutodebug=control
+ crlcheckinterval=180
strictcrlpolicy=no
charonstart=no
diff --git a/testing/tests/ikev1/alg-blowfish/description.txt b/testing/tests/ikev1/alg-blowfish/description.txt
index cff0a1915..7d8f245ab 100644
--- a/testing/tests/ikev1/alg-blowfish/description.txt
+++ b/testing/tests/ikev1/alg-blowfish/description.txt
@@ -1,4 +1,4 @@
Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite
-<b>BLOWFISH_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and
-<b>BLOWFISH_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>BLOWFISH_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and
+<b>BLOWFISH_CBC_256 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-blowfish/evaltest.dat b/testing/tests/ikev1/alg-blowfish/evaltest.dat
index a2ae3ff6b..fd46cdb9d 100644
--- a/testing/tests/ikev1/alg-blowfish/evaltest.dat
+++ b/testing/tests/ikev1/alg-blowfish/evaltest.dat
@@ -1,9 +1,9 @@
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES
-moon::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES
-carol::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES
+carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
+moon::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
+carol::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_256::YES
+moon::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_256::YES
carol::ip xfrm state::enc cbc(blowfish)::YES
moon::ip xfrm state::enc cbc(blowfish)::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f5401f260
--- /dev/null
+++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des blowfish hmac gmp pubkey random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f5401f260
--- /dev/null
+++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des blowfish hmac gmp pubkey random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/alg-serpent/description.txt b/testing/tests/ikev1/alg-serpent/description.txt
deleted file mode 100644
index f49c0a1c0..000000000
--- a/testing/tests/ikev1/alg-serpent/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite
-<b>SERPENT_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and
-<b>SERPENT_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-serpent/evaltest.dat b/testing/tests/ikev1/alg-serpent/evaltest.dat
deleted file mode 100644
index ffca0e7a0..000000000
--- a/testing/tests/ikev1/alg-serpent/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES
-moon::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES
-carol::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES
-carol::ip xfrm state::enc cbc(serpent)::YES
-moon::ip xfrm state::enc cbc(serpent)::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-
diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/description.txt b/testing/tests/ikev1/alg-sha-equals-sha1/description.txt
deleted file mode 100644
index aeb2e1a88..000000000
--- a/testing/tests/ikev1/alg-sha-equals-sha1/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the syntactically
-incorrect cipher suites <b>ike=aes128-sha1-modp1536</b> for the
-IKE protocol and <b>esp=aes128-sha</b> for ESP packets. Since <b>sha</b> and
-<b>sha1</b> are treated as synonyms the proposal is neverless correctly parsed.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat b/testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat
deleted file mode 100644
index c3656c690..000000000
--- a/testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA-MODP1536::YES
-carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA-MODP1536::YES
-moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES
-carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-
diff --git a/testing/tests/ikev1/alg-sha2_256/description.txt b/testing/tests/ikev1/alg-sha2_256/description.txt
index 900fcf017..e0af2e2f7 100644
--- a/testing/tests/ikev1/alg-sha2_256/description.txt
+++ b/testing/tests/ikev1/alg-sha2_256/description.txt
@@ -1,4 +1,4 @@
Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the rather strong cipher suite
-<b>AES_CBC_128-SHA2_256-MODP1536</b> for the IKE protocol and
-<b>AES_128-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>AES_CBC_128 / HMAC_SHA2_256 / MODP_1536</b> for the IKE protocol and
+<b>AES_CBC_128 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha2_256/evaltest.dat b/testing/tests/ikev1/alg-sha2_256/evaltest.dat
index 42d0099eb..b8a83e0fb 100644
--- a/testing/tests/ikev1/alg-sha2_256/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha2_256/evaltest.dat
@@ -1,10 +1,10 @@
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES
-moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES
-carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES
+carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_1536::YES
+moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_1536::YES
+carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
+moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
carol::ip xfrm state::auth hmac(sha256)::YES
moon::ip xfrm state::auth hmac(sha256)::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/ikev1/alg-twofish/description.txt b/testing/tests/ikev1/alg-twofish/description.txt
deleted file mode 100644
index 0015561ee..000000000
--- a/testing/tests/ikev1/alg-twofish/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite
-<b>TWOFISH_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and
-<b>TWOFISH_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-twofish/evaltest.dat b/testing/tests/ikev1/alg-twofish/evaltest.dat
deleted file mode 100644
index 69e9267c3..000000000
--- a/testing/tests/ikev1/alg-twofish/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES
-moon::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES
-carol::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES
-carol::ip xfrm state::enc cbc(twofish)::YES
-moon::ip xfrm state::enc cbc(twofish)::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-
diff --git a/testing/tests/ikev1/alg-twofish/posttest.dat b/testing/tests/ikev1/alg-twofish/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/alg-twofish/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/alg-twofish/pretest.dat b/testing/tests/ikev1/alg-twofish/pretest.dat
deleted file mode 100644
index 7d077c126..000000000
--- a/testing/tests/ikev1/alg-twofish/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
index 5a360543c..343221385 100644
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
@@ -1,3 +1,13 @@
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
openac {
load = sha1 sha2 md5 gmp random x509 pubkey
}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
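Review bot: The added comment `# pluto uses optimized DH exponent sizes (RFC 3526)` does not say what `dh_exponent_ansi_x9_42 = no` gives up, or that the setting is meant for the test hosts. I would reword it to something like `# test hosts only: DH exponents sized to the group's strength estimate (RFC 3526) instead of the longer ANSI X9.42 exponents`, so the block is not copied into a production strongswan.conf without a deliberate decision. The same block is added verbatim in the crl-ldap and default-keys strongswan.conf files for carol and moon in this commit.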
diff --git a/testing/tests/ikev1/crl-ldap/evaltest.dat b/testing/tests/ikev1/crl-ldap/evaltest.dat
index 2b98e086a..730614c66 100644
--- a/testing/tests/ikev1/crl-ldap/evaltest.dat
+++ b/testing/tests/ikev1/crl-ldap/evaltest.dat
@@ -6,8 +6,8 @@ moon::cat /var/log/auth.log::X.509 certificate rejected::YES
carol::cat /var/log/auth.log::X.509 certificate rejected::YES
moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::cat /var/log/auth.log::Trying LDAP URL::YES
-carol::cat /var/log/auth.log::Trying LDAP URL::YES
+moon::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES
+carol::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
moon::cat /var/log/auth.log::written crl file::YES
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..b15cf2d3f
--- /dev/null
+++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..b15cf2d3f
--- /dev/null
+++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..52fd0c788
--- /dev/null
+++ b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+scepclient {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..52fd0c788
--- /dev/null
+++ b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+scepclient {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat
index 016524dd9..c35a8019e 100644
--- a/testing/tests/ikev1/dpd-restart/evaltest.dat
+++ b/testing/tests/ikev1/dpd-restart/evaltest.dat
@@ -6,5 +6,5 @@ moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES
moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES
moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES
moon::cat /var/log/auth.log::DPD: Restarting connection::YES
-moon::sleep 5::no output expected::NO
+moon::sleep 10::no output expected::NO
moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
diff --git a/testing/tests/ikev1/esp-ah-transport/description.txt b/testing/tests/ikev1/esp-ah-transport/description.txt
index c7918fa38..f8ffce6e6 100644
--- a/testing/tests/ikev1/esp-ah-transport/description.txt
+++ b/testing/tests/ikev1/esp-ah-transport/description.txt
@@ -1,5 +1,5 @@
In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
-the ESP AES 128 bit encryption algorithm combined with AH SHA-1 authentication.
+the ESP AES 128 bit encryption algorithm combined with AH HMAC_SHA1 authentication.
In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall
marks all incoming AH packets with the ESP mark. The transport mode connection is
tested by <b>carol</b> sending a ping to gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/esp-ah-transport/evaltest.dat b/testing/tests/ikev1/esp-ah-transport/evaltest.dat
index 7c498ad83..526e0d96e 100644
--- a/testing/tests/ikev1/esp-ah-transport/evaltest.dat
+++ b/testing/tests/ikev1/esp-ah-transport/evaltest.dat
@@ -1,7 +1,7 @@
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::ESP algorithm newest: AES_128-;::YES
-moon::ipsec statusall::ESP algorithm newest: AES_128-;::YES
+carol::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
+moon::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_MOON::128 bytes from PH_IP_MOON: icmp_seq=1::YES
carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES
moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES
diff --git a/testing/tests/ikev1/esp-ah-tunnel/description.txt b/testing/tests/ikev1/esp-ah-tunnel/description.txt
index 809f28c57..332f8177a 100644
--- a/testing/tests/ikev1/esp-ah-tunnel/description.txt
+++ b/testing/tests/ikev1/esp-ah-tunnel/description.txt
@@ -1,5 +1,5 @@
In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
-the ESP AES 128 bit encryption algorithm combined with AH SHA-1 authentication.
+the ESP AES 128 bit encryption algorithm combined with AH HMAC_SHA1 authentication.
In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall
marks all incoming AH packets with the ESP mark. The tunnel mode connection is
tested by <b>carol</b> sending a ping to client <b>alice</b> hiding behind
diff --git a/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat b/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat
index 8f4a99641..5103a6318 100644
--- a/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat
+++ b/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat
@@ -1,7 +1,7 @@
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::ESP algorithm newest: AES_128-;::YES
-moon::ipsec statusall::ESP algorithm newest: AES_128-;::YES
+carol::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
+moon::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES
moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/description.txt b/testing/tests/ikev1/esp-alg-aesxcbc/description.txt
index fef0ac2dd..0c39352d9 100644
--- a/testing/tests/ikev1/esp-alg-aesxcbc/description.txt
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/description.txt
@@ -1,4 +1,4 @@
Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_256/AES_XCBC_MAC</b> by defining <b>esp=aes256-aesxcbc-modp2048</b>
+<b>AES_CBC_256 / AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc</b>
in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks
the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat
index f464bda65..872962de4 100644
--- a/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat
@@ -1,8 +1,8 @@
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::ESP algorithm newest: AES_256-AES_XCBC_MAC::YES
-moon::ipsec statusall::ESP algorithm newest: AES_256-AES_XCBC_MAC::YES
+carol::ipsec statusall::ESP proposal: AES_CBC_256/AES_XCBC_96::YES
+moon::ipsec statusall::ESP proposal: AES_CBC_256/AES_XCBC_96::YES
carol::ip xfrm state::auth xcbc(aes)::YES
moon::ip xfrm state::auth xcbc(aes)::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/ikev1/esp-alg-camellia/description.txt b/testing/tests/ikev1/esp-alg-camellia/description.txt
index ead39f580..b679d03ec 100644
--- a/testing/tests/ikev1/esp-alg-camellia/description.txt
+++ b/testing/tests/ikev1/esp-alg-camellia/description.txt
@@ -1,4 +1,4 @@
Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>CAMELLIA_192/HMAC_SHA2_256</b> by defining <b>esp=camellia192-sha2_256-modp2048</b>
+<b>CAMELLIA_CBC_192 / HMAC_SHA2_256</b> by defining <b>esp=camellia192-sha2_256</b>
in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks
the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-camellia/evaltest.dat b/testing/tests/ikev1/esp-alg-camellia/evaltest.dat
index b2871dabd..1b0f3a12b 100644
--- a/testing/tests/ikev1/esp-alg-camellia/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-camellia/evaltest.dat
@@ -1,7 +1,7 @@
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::ESP algorithm newest: CAMELLIA_192-HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP algorithm newest: CAMELLIA_192-HMAC_SHA2_256::YES
+carol::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_256::YES
+moon::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_256::YES
carol::ip xfrm state::enc cbc(camellia)::YES
moon::ip xfrm state::enc cbc(camellia)::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/ikev1/esp-alg-des/evaltest.dat b/testing/tests/ikev1/esp-alg-des/evaltest.dat
index 8e06392f1..57d09a488 100644
--- a/testing/tests/ikev1/esp-alg-des/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-des/evaltest.dat
@@ -1,6 +1,8 @@
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec statusall::ESP algorithm newest: DES_0-HMAC_MD5::YES
-carol::ipsec statusall::ESP algorithm newest: DES_0-HMAC_MD5::YES
+moon::ipsec statusall::ESP proposal: DES_CBC/HMAC_MD5::YES
+carol::ipsec statusall::ESP proposal: DES_CBC/HMAC_MD5::YES
+moon::ip xfrm state::enc cbc(des)::YES
+carol::ip xfrm state::enc cbc(des)::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/ikev1/esp-alg-null/evaltest.dat b/testing/tests/ikev1/esp-alg-null/evaltest.dat
index de2f2a571..8c748a54c 100644
--- a/testing/tests/ikev1/esp-alg-null/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-null/evaltest.dat
@@ -1,5 +1,7 @@
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec statusall::ESP algorithm newest::NULL_0-HMAC_SHA1::YES
-carol::ipsec statusall::ESP algorithm newest::NULL_0-HMAC_SHA1::YES
+moon::ipsec statusall::ESP proposal::NULL/HMAC_SHA1::YES
+carol::ipsec statusall::ESP proposal::NULL/HMAC_SHA1::YES
+moon::ip xfrm state::enc ecb(cipher_null)::YES
+carol::ip xfrm state::enc ecb(cipher_null)::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
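Review bot: The two added `ESP proposal::NULL/HMAC_SHA1` lines put the field separator `::` where the other evaltest.dat files in this commit write `ESP proposal: ` with a colon and a space, so these lines have five fields instead of four. Depending on how the harness splits the line, the pattern may shrink to `ESP proposal` and the NULL/HMAC_SHA1 suite would not be checked at all. The removed lines had the same shape, so this looks carried over. I would write `moon::ipsec statusall::ESP proposal: NULL/HMAC_SHA1::YES` and the same for carol. The new `enc ecb(cipher_null)` checks cover the kernel side either way.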
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
index b939e4fda..3c9fdbb71 100755
--- a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
- ike=aes-128-sha
+ ike=aes-sha1
esp=null-sha1!
conn home
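Review bot: `ike=aes-sha1` drops the explicit key length that the old `ike=aes-128-sha` carried, while the other ipsec.conf files touched in this commit spell it `aes128-sha1`. The negotiated IKE key size then depends on the parser's default for a bare `aes`. The evaltest.dat for this test does not check the IKE proposal, so a change of that default would go unnoticed. I would use `ike=aes128-sha1` here and `ike=aes128-sha1!` in the moon file of the same test.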
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
index 9ca761cb5..62f17df49 100755
--- a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
- ike=aes128-sha!
+ ike=aes-sha1!
esp=null-sha1!
conn rw
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/description.txt b/testing/tests/ikev1/esp-alg-strict-fail/description.txt
index 03c655480..252080e80 100644
--- a/testing/tests/ikev1/esp-alg-strict-fail/description.txt
+++ b/testing/tests/ikev1/esp-alg-strict-fail/description.txt
@@ -1,5 +1,5 @@
-The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with SHA-1 authentication
+The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with HMAC_SHA1 authentication
as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines
-<b>ike=aes-128-sha</b> only, but will accept any other support algorithm proposed by the peer,
+<b>ike=aes128-sha1</b> only, but will accept any other support algorithm proposed by the peer,
leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces
-<b>esp=aes-128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail.
+<b>esp=aes128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail.
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat
index 6f2024ff9..83d99bea1 100644
--- a/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat
@@ -1,9 +1,9 @@
carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::YES
-carol::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES
+carol::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::YES
-moon::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES
+moon::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES
moon::ipsec status::rw.*STATE_QUICK_R2.*ISAKMP SA established::NO
-moon::cat /var/log/auth.log::IPSec Transform.*ESP_3DES (192), AUTH_ALGORITHM_HMAC_SHA1.*refused due to strict flag::YES
+moon::cat /var/log/auth.log::IPSec Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES
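Review bot: The unchanged line `moon::ipsec status::rw.*STATE_QUICK_R2.*ISAKMP SA established::NO` pairs the Quick Mode state with the ISAKMP text, while the other checks in this commit pair `STATE_QUICK_R2` with `IPsec SA established`. As written the pattern can presumably never match, so the NO assertion passes even if moon did accept the 3DES proposal. Since this hunk already rewrites the neighbouring lines, I would change it to `moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO` so the strict-flag rejection is actually asserted on the gateway side.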
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
index f61cfc6bb..21997940b 100755
--- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
- ike=3des-sha
+ ike=3des-sha1
esp=3des-sha1
conn home
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
index 5bf53b8bc..14f58ccc3 100755
--- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
- ike=aes128-sha
+ ike=aes128-sha1
esp=aes128-sha1!
conn rw
diff --git a/testing/tests/ikev1/esp-alg-strict/description.txt b/testing/tests/ikev1/esp-alg-strict/description.txt
index b4fc08253..149a1e013 100644
--- a/testing/tests/ikev1/esp-alg-strict/description.txt
+++ b/testing/tests/ikev1/esp-alg-strict/description.txt
@@ -1,7 +1,7 @@
-Roadwarrior <b>carol</b> proposes <b>3DES</b> encryption (together with
-SHA-1 authentication) in the first place and <b>AES-128</b> encryption in
+Roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption (together with
+HMAC_SHA1 authentication) in the first place and <b>AES_CBC_128</b> encryption in
second place for both the ISAKMP and IPsec SAs. Gateway <b>moon</b> defines
-<b>ike=aes-128-sha</b> but will accept any other supported algorithm proposed
+<b>ike=aes128-sha1</b> but will accept any other supported algorithm proposed
by the peer during Phase 1. But for ESP encryption <b>moon</b> enforces
-<b>esp=aes-128-sha1!</b> by applying the strict flag '!'.
+<b>esp=aes128-sha1!</b> by applying the strict flag '!'.
diff --git a/testing/tests/ikev1/esp-alg-strict/evaltest.dat b/testing/tests/ikev1/esp-alg-strict/evaltest.dat
index d5dd12d4e..912a8d830 100644
--- a/testing/tests/ikev1/esp-alg-strict/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-strict/evaltest.dat
@@ -1,7 +1,7 @@
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::IPSec Transform.*ESP_3DES (192), AUTH_ALGORITHM_HMAC_SHA1.*refused due to strict flag::YES
-moon::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES
-moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES
-carol::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES
-carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES
+moon::cat /var/log/auth.log::IPSec Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
+moon::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
+moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA1::YES
+carol::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
+carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA1::YES
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
index 0ae6b0693..7e2de30cd 100755
--- a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
@@ -11,8 +11,8 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
- ike=3des-sha,aes-128-sha
- esp=3des-sha1,aes-128-sha1
+ ike=3des-sha,aes128-sha1
+ esp=3des-sha1,aes128-sha1
conn home
left=PH_IP_CAROL
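Review bot: `ike=3des-sha,aes128-sha1` still uses the `sha` alias for the first proposal, while the rest of this commit normalises to `sha1` and removes the alg-sha-equals-sha1 test that covered the alias. If the alias is still meant to be accepted, it is now exercised only incidentally here. If it is not, this test depends on parsing behaviour that nothing else checks. I would write `ike=3des-sha1,aes128-sha1`, or add a comment saying the mixed spelling is intentional.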
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
index 5bf53b8bc..14f58ccc3 100755
--- a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
- ike=aes128-sha
+ ike=aes128-sha1
esp=aes128-sha1!
conn rw
diff --git a/testing/tests/ikev1/esp-alg-weak/description.txt b/testing/tests/ikev1/esp-alg-weak/description.txt
index ffb6882f5..e49b6c620 100644
--- a/testing/tests/ikev1/esp-alg-weak/description.txt
+++ b/testing/tests/ikev1/esp-alg-weak/description.txt
@@ -1,4 +1,4 @@
-The roadwarrior <b>carol</b> proposes <b>1DES</b> encryption with MD5 authentication
+The roadwarrior <b>carol</b> proposes <b>DES_CBC</b> encryption with HMAC_MD5 authentication
as the only cipher suite for the IPsec SA. Because gateway <b>moon</b> does
not use an explicit <b>esp</b> statement any strong encryption algorithm will be
accepted but any weak key length will be rejected by default and thus the ISAKMP SA
diff --git a/testing/tests/ikev1/ike-alg-sha2_384/description.txt b/testing/tests/ikev1/ike-alg-sha2_384/description.txt
index a347a3fed..a0bda209c 100644
--- a/testing/tests/ikev1/ike-alg-sha2_384/description.txt
+++ b/testing/tests/ikev1/ike-alg-sha2_384/description.txt
@@ -1,4 +1,4 @@
Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite
-<b>AES_CBC_192-SHA2_384-MODP4096</b> for the IKE protocol and
-<b>AES_192-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>AES_CBC_192 / HMAC_SHA2_384 / MODP4096</b> for the IKE protocol and
+<b>AES_CBC_192 /HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat b/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat
index 31959f53a..a4cc39150 100644
--- a/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat
+++ b/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat
@@ -1,8 +1,8 @@
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec statusall::IKE algorithm newest: AES_CBC_192-SHA2_384-MODP4096::YES
-carol::ipsec statusall::IKE algorithm newest: AES_CBC_192-SHA2_384-MODP4096::YES
-moon::ipsec statusall::ESP algorithm newest: AES_192-HMAC_SHA2_256::YES
-carol::ipsec statusall::ESP algorithm newest: AES_192-HMAC_SHA2_256::YES
+moon::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_4096::YES
+carol::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_4096::YES
+moon::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_256::YES
+carol::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_256::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/description.txt b/testing/tests/ikev1/ike-alg-sha2_512/description.txt
index 1bec4b8c6..240b8f2b0 100644
--- a/testing/tests/ikev1/ike-alg-sha2_512/description.txt
+++ b/testing/tests/ikev1/ike-alg-sha2_512/description.txt
@@ -1,4 +1,4 @@
Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the paranoid cipher suite
-<b>AES_CBC_256-SHA2_512-MODP8192</b> for the IKE protocol and
-<b>AES_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>AES_CBC_256 / HMAC_SHA2_512 / MODP_8192</b> for the IKE protocol and
+<b>AES_CBC_256 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat b/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat
index dbd35429c..10929457f 100644
--- a/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat
+++ b/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat
@@ -1,8 +1,8 @@
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec statusall::IKE algorithm newest: AES_CBC_256-SHA2_512-MODP8192::YES
-carol::ipsec statusall::IKE algorithm newest: AES_CBC_256-SHA2_512-MODP8192::YES
-moon::ipsec statusall::ESP algorithm newest: AES_256-HMAC_SHA2_256::YES
-carol::ipsec statusall::ESP algorithm newest: AES_256-HMAC_SHA2_256::YES
+moon::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_8192::YES
+carol::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_8192::YES
+moon::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_256::YES
+carol::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_256::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/description.txt b/testing/tests/ikev1/ike-alg-strict-fail/description.txt
index 03c655480..252080e80 100644
--- a/testing/tests/ikev1/ike-alg-strict-fail/description.txt
+++ b/testing/tests/ikev1/ike-alg-strict-fail/description.txt
@@ -1,5 +1,5 @@
-The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with SHA-1 authentication
+The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with HMAC_SHA1 authentication
as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines
-<b>ike=aes-128-sha</b> only, but will accept any other support algorithm proposed by the peer,
+<b>ike=aes128-sha1</b> only, but will accept any other support algorithm proposed by the peer,
leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces
-<b>esp=aes-128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail.
+<b>esp=aes128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail.
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat
index 931b8855a..0c6bc7f7e 100644
--- a/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat
+++ b/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat
@@ -1,5 +1,5 @@
carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES
-moon::cat /var/log/auth.log::Oakley Transform.*OAKLEY_3DES_CBC (192), OAKLEY_SHA.*refused due to strict flag::YES
+moon::cat /var/log/auth.log::Oakley Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
moon::cat /var/log/auth.log::no acceptable Oakley Transform::YES
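Review bot: These checks expect Phase 1 itself to be refused (`ISAKMP SA established::NO`, `no acceptable Oakley Transform`), but the description.txt updated for this same test does not say that. It carries the same blob ids as the esp-alg-strict-fail description (03c655480..252080e80) and still says Phase 1 succeeds and that moon enforces `esp=aes128-sha1!`. The moon ipsec.conf hunk for this test sets `ike=aes128-sha1!` with a non-strict `esp=aes128-sha1`, so the description is the part that is out of step. I would reword it to say that moon enforces `ike=aes128-sha1!` and that the ISAKMP SA negotiation fails.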
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
index cbe5469f0..63ad1c01d 100755
--- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
- ike=3des-sha
+ ike=3des-sha1
esp=3des-sha1
conn home
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
index 42e5f8404..1ea5fe7a5 100755
--- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
- ike=aes128-sha!
+ ike=aes128-sha1!
esp=aes128-sha1
conn rw
diff --git a/testing/tests/ikev1/ike-alg-strict/description.txt b/testing/tests/ikev1/ike-alg-strict/description.txt
index 35d266e20..af93b95c3 100644
--- a/testing/tests/ikev1/ike-alg-strict/description.txt
+++ b/testing/tests/ikev1/ike-alg-strict/description.txt
@@ -1,5 +1,5 @@
-The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with <b>SHA-1</b> authentication in the first place
-and <b>AES-128</b> encryption with <b>SHA-1</b> authentication in the second place for both the ISAKMP and IPsec SA.
-The gateway <b>moon</b> enforces <b>ike=aes-128-sha!</b> for Phase 1 by using the strict flag '!',
+The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with <b>HMAC_SHA1</b> authentication in the first place
+and <b>AES_CBC_128</b> encryption with <b>HMAC_SHA1</b> authentication in the second place for both the ISAKMP and IPsec SA.
+The gateway <b>moon</b> enforces <b>ike=aes128-sha!</b> for Phase 1 by using the strict flag '!',
but will accept any other supported algorithm proposed by the peer for Phase 2 , even though <b>moon</b>
-defines itself <b>esp=aes-128-sha1</b> only.
+defines itself <b>esp=aes128-sha1</b> only.
diff --git a/testing/tests/ikev1/ike-alg-strict/evaltest.dat b/testing/tests/ikev1/ike-alg-strict/evaltest.dat
index 46140be8a..8acd0d039 100644
--- a/testing/tests/ikev1/ike-alg-strict/evaltest.dat
+++ b/testing/tests/ikev1/ike-alg-strict/evaltest.dat
@@ -1,7 +1,7 @@
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::Oakley Transform.*OAKLEY_3DES_CBC (192), OAKLEY_SHA.*refused due to strict flag::YES
-moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA::YES
-moon::ipsec statusall::ESP algorithm newest: 3DES_0-HMAC_SHA1::YES
-carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA::YES
-carol::ipsec statusall::ESP algorithm newest: 3DES_0-HMAC_SHA1::YES
+moon::cat /var/log/auth.log::Oakley Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
+moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA1::YES
+moon::ipsec statusall::ESP proposal: 3DES_CBC/HMAC_SHA1::YES
+carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA::YES
+carol::ipsec statusall::ESP proposal: 3DES_CBC/HMAC_SHA1::YES
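Review bot: The new carol IKE check `carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA::YES` stops at `HMAC_SHA`, while the matching moon line expects `HMAC_SHA1`. If the expected string is matched as an unanchored pattern, the shorter form also accepts any other integrity name starting with HMAC_SHA (an HMAC_SHA2 variant, for instance), so the test no longer pins which algorithm was negotiated on carol. Suggest `carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA1::YES`, matching the moon line.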
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
index b8e2257c4..9272bdc7f 100755
--- a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
@@ -11,8 +11,8 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
- ike=3des-sha,aes-128-sha
- esp=3des-sha1,aes-128-sha1
+ ike=3des-sha1,aes128-sha1
+ esp=3des-sha1,aes128-sha1
conn home
left=PH_IP_CAROL
leftcert=carolCert.pem
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
index 42e5f8404..1ea5fe7a5 100755
--- a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
- ike=aes128-sha!
+ ike=aes128-sha1!
esp=aes128-sha1
conn rw
diff --git a/testing/tests/ikev1/mode-config/evaltest.dat b/testing/tests/ikev1/mode-config/evaltest.dat
index 9d60cf7b0..69f77946e 100644
--- a/testing/tests/ikev1/mode-config/evaltest.dat
+++ b/testing/tests/ikev1/mode-config/evaltest.dat
@@ -1,4 +1,6 @@
carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
+carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES
+carol::cat /var/log/auth.log::received IPv6 DNS server address fec1\:\:20::YES
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..3e950c81d
--- /dev/null
+++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+ dns1 = PH_IP_WINNETOU
+ dns2 = PH_IP6_VENUS
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
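Review bot: The comment `# pluto uses optimized DH exponent sizes (RFC 3526)` names pluto, but the setting it describes is in the `libstrongswan` section, so it presumably applies to every component on the host that uses the library. It also does not say that `dh_exponent_ansi_x9_42 = no` is a speed trade-off chosen for the testbed. Suggest `# testbed only: use the shorter DH exponent sizes matched to group strength (RFC 3526) instead of ANSI X9.42 lengths`. The same block is repeated verbatim in the other new pluto strongswan.conf files in this commit (multi-level-ca-ldap, nat-two-rw-psk, net2net-psk, req-pkcs10, rw-cert, rw-psk-*, self-signed, xauth-psk*).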
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat
index f504706e2..9cfa502aa 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat
+++ b/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat
@@ -2,7 +2,7 @@ moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES
carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES
dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::cat /var/log/auth.log::Trying LDAP URL::YES
+moon::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES
carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..b15cf2d3f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..b15cf2d3f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..b15cf2d3f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/no-priv-key/evaltest.dat b/testing/tests/ikev1/no-priv-key/evaltest.dat
index 9bd85ba12..c2612167a 100644
--- a/testing/tests/ikev1/no-priv-key/evaltest.dat
+++ b/testing/tests/ikev1/no-priv-key/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/auth.log::unable to locate my private key for RSA Signature::YES
-moon::cat /var/log/auth.log::ignoring informational payload, type AUTHENTICATION_FAILED::YES
+carol::cat /var/log/auth.log::unable to locate my private key::YES
+carol::cat /var/log/auth.log::empty ISAKMP SA proposal to send::YES
moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
diff --git a/testing/tests/ikev1/protoport-route/evaltest.dat b/testing/tests/ikev1/protoport-route/evaltest.dat
index 759295675..b266d86d8 100644
--- a/testing/tests/ikev1/protoport-route/evaltest.dat
+++ b/testing/tests/ikev1/protoport-route/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping -c 2 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
-carol::ping -c 2 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
carol::ssh PH_IP_ALICE hostname::alice::YES
carol::cat /var/log/auth.log::initiate on demand::YES
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
diff --git a/testing/tests/ikev1/protoport-route/pretest.dat b/testing/tests/ikev1/protoport-route/pretest.dat
index f233ad48f..b1fc81827 100644
--- a/testing/tests/ikev1/protoport-route/pretest.dat
+++ b/testing/tests/ikev1/protoport-route/pretest.dat
@@ -2,5 +2,7 @@ moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
carol::ipsec start
+carol::sleep 1
+carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname
+carol::ping -c 1 PH_IP_ALICE > /dev/null
carol::sleep 2
-carol::ssh PH_IP_ALICE hostname
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..52fd0c788
--- /dev/null
+++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+scepclient {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..52fd0c788
--- /dev/null
+++ b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+scepclient {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..304ef99e0
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = test-vectors sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+ crypto_test {
+ on_add = yes
+ }
+}
diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..304ef99e0
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = test-vectors sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+ crypto_test {
+ on_add = yes
+ }
+}
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat
index 9e1354121..5ab6632cc 100644
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat
@@ -2,6 +2,6 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
moon::cat /var/log/auth.log::peer requests PSK authentication::YES
moon::ipsec status::rw-psk.*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::peer requests RSASIG authentication::YES
+moon::cat /var/log/auth.log::peer requests PUBKEY authentication::YES
moon::ipsec status::rw-rsasig.*PH_IP_DAVE STATE_QUICK_R2.*IPsec SA established::YES
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat b/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat
index 188b7bbb5..849ae5d66 100644
--- a/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat
+++ b/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat
@@ -1,5 +1,5 @@
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::peer requests RSASIG authentication::YES
-moon::cat /var/log/auth.log::but no connection has been authorized with policy=RSASIG::YES
+moon::cat /var/log/auth.log::peer requests PUBKEY authentication::YES
+moon::cat /var/log/auth.log::but no connection has been authorized with policy=PUBKEY::YES
moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO
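Review bot: The negative check on the last line, `moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO`, is left unchanged by this hunk and starts its pattern with a bare `*`. If the harness matches with grep-style regular expressions, a leading `*` is either taken literally or rejected, so the pattern can never match and the `NO` expectation passes even when moon did establish the SA. Suggest `moon::ipsec status::.*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO`, so the test really asserts that no IPsec SA exists when the policy is missing.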
diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..52fd0c788
--- /dev/null
+++ b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+scepclient {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..52fd0c788
--- /dev/null
+++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+scepclient {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev2/alg-aes-xcbc/description.txt b/testing/tests/ikev2/alg-aes-xcbc/description.txt
index 24a4afe57..cce0e1cd6 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/description.txt
+++ b/testing/tests/ikev2/alg-aes-xcbc/description.txt
@@ -1,4 +1,4 @@
Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC-256/AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b>
+<b>AES_CBC_256 / AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b>
in ipsec.conf. The same cipher suite is used for IKE: <b>ike=aes256-aesxcbc-modp2048</b>.
A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
index 853746cd4..5217c18df 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
@@ -1,9 +1,9 @@
moon::ipsec statusall::rw.*INSTALLED::YES
carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES
-moon::ipsec statusall::rw.*AES_CBC-256/AES_XCBC_96,::YES
-carol::ipsec statusall::home.*AES_CBC-256/AES_XCBC_96,::YES
+moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+carol::ipsec statusall::home.*IKE proposal.*AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+moon::ipsec statusall::rw.*AES_CBC_256/AES_XCBC_96,::YES
+carol::ipsec statusall::home.*AES_CBC_256/AES_XCBC_96,::YES
moon::ip xfrm state::auth xcbc(aes)::YES
carol::ip xfrm state::auth xcbc(aes)::YES
carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/alg-blowfish/description.txt b/testing/tests/ikev2/alg-blowfish/description.txt
new file mode 100644
index 000000000..24b50b909
--- /dev/null
+++ b/testing/tests/ikev2/alg-blowfish/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP
+encryption. Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/alg-blowfish/evaltest.dat b/testing/tests/ikev2/alg-blowfish/evaltest.dat
new file mode 100644
index 000000000..a1f9f6a8e
--- /dev/null
+++ b/testing/tests/ikev2/alg-blowfish/evaltest.dat
@@ -0,0 +1,16 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256::YES
+carol::ipsec statusall::BLOWFISH_CBC_192.*,::YES
+carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::IKE proposal: BLOWFISH_CBC_128::YES
+dave::ipsec statusall::BLOWFISH_CBC_128.*,::YES
+dave::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..a78724926
--- /dev/null
+++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="cfg 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=blowfish256-sha512-modp2048!
+ esp=blowfish192-sha256!
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e9829d508
--- /dev/null
+++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ dh_exponent_ansi_x9_42 = no
+ load = aes des blowfish md5 sha1 sha2 gmp curl random x509 pubkey hmac stroke kernel-netlink updown
+}
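Review bot: `dh_exponent_ansi_x9_42 = no` is placed inside the `charon { }` section here, whereas every pluto-side strongswan.conf added in this commit sets the same option under `libstrongswan { }`. If this release reads the option only from the `libstrongswan` section, the line here is silently ignored and the test runs with the default exponent size. Consider moving it out of the `charon` block, as `libstrongswan {` / `dh_exponent_ansi_x9_42 = no` / `}`, or adding a comment on why charon differs. The identical dave and moon strongswan.conf files for alg-blowfish have the same placement.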
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..26f3f3a04
--- /dev/null
+++ b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=blowfish128-sha256-modp1536!
+ esp=blowfish128-sha1!
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..e9829d508
--- /dev/null
+++ b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ dh_exponent_ansi_x9_42 = no
+ load = aes des blowfish md5 sha1 sha2 gmp curl random x509 pubkey hmac stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..5183e26d2
--- /dev/null
+++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="cfg 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536!
+ esp=blowfish192-sha256,blowfish128-sha1!
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ auto=add
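Review bot: Nothing in this file marks the `ike=`/`esp=` proposals as interop-test values, although Blowfish is a 64-bit-block cipher and `modp1536` is a comparatively small DH group. Because testbed configurations tend to be copied as templates, a one-line comment above `ike=` would help, for example `# algorithm-support test only: Blowfish and modp1536 are not recommended proposals`. The same applies to the carol and dave ipsec.conf files for this test.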
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e9829d508
--- /dev/null
+++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ dh_exponent_ansi_x9_42 = no
+ load = aes des blowfish md5 sha1 sha2 gmp curl random x509 pubkey hmac stroke kernel-netlink updown
+}
diff --git a/testing/tests/openssl/ike-alg-ecp-low/posttest.dat b/testing/tests/ikev2/alg-blowfish/posttest.dat
index 7cebd7f25..7cebd7f25 100644
--- a/testing/tests/openssl/ike-alg-ecp-low/posttest.dat
+++ b/testing/tests/ikev2/alg-blowfish/posttest.dat
diff --git a/testing/tests/openssl/ike-alg-ecp-low/pretest.dat b/testing/tests/ikev2/alg-blowfish/pretest.dat
index 42e9d7c24..42e9d7c24 100644
--- a/testing/tests/openssl/ike-alg-ecp-low/pretest.dat
+++ b/testing/tests/ikev2/alg-blowfish/pretest.dat
diff --git a/testing/tests/openssl/ike-alg-ecp-low/test.conf b/testing/tests/ikev2/alg-blowfish/test.conf
index 70416826e..70416826e 100644
--- a/testing/tests/openssl/ike-alg-ecp-low/test.conf
+++ b/testing/tests/ikev2/alg-blowfish/test.conf
diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
index ef63f7262..66a6137cb 100644
--- a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
@@ -2,4 +2,5 @@
charon {
load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+ multiple_authentication = no
}
diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
index ef63f7262..66a6137cb 100644
--- a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
@@ -2,4 +2,5 @@
charon {
load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+ multiple_authentication = no
}
diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
index ef63f7262..66a6137cb 100644
--- a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
@@ -2,4 +2,5 @@
charon {
load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+ multiple_authentication = no
}
diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
index ef63f7262..66a6137cb 100644
--- a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
@@ -2,4 +2,5 @@
charon {
load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+ multiple_authentication = no
}
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
index 40eb84b8a..ae5e4f72b 100644
--- a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown resolv-conf
}
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
index 40eb84b8a..ae5e4f72b 100644
--- a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown resolv-conf
}
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
index 9068f9dcf..a6036a5da 100644
--- a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown attr
dns1 = PH_IP_WINNETOU
dns2 = PH_IP_VENUS
}
diff --git a/testing/tests/ikev2/crl-revoked/evaltest.dat b/testing/tests/ikev2/crl-revoked/evaltest.dat
index 2242746db..62ed8676a 100644
--- a/testing/tests/ikev2/crl-revoked/evaltest.dat
+++ b/testing/tests/ikev2/crl-revoked/evaltest.dat
@@ -1,5 +1,4 @@
moon::cat /var/log/daemon.log::certificate was revoked::YES
-moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES
carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
moon::ipsec status::rw.*ESTABLISHED::NO
carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/crl-strict/description.txt b/testing/tests/ikev2/crl-strict/description.txt
deleted file mode 100644
index b2b70906f..000000000
--- a/testing/tests/ikev2/crl-strict/description.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-By setting <b>strictcrlpolicy=yes</b>, a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/crl-strict/evaltest.dat b/testing/tests/ikev2/crl-strict/evaltest.dat
deleted file mode 100644
index ac70750c5..000000000
--- a/testing/tests/ikev2/crl-strict/evaltest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-moon::ipsec listcrls:: ok::YES
-carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/ikev2/crl-strict/posttest.dat b/testing/tests/ikev2/crl-strict/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev2/crl-strict/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev2/crl-strict/pretest.dat b/testing/tests/ikev2/crl-strict/pretest.dat
deleted file mode 100644
index 8984dcbcf..000000000
--- a/testing/tests/ikev2/crl-strict/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-carol::sleep 1
-carol::ipsec up home
diff --git a/testing/tests/ikev2/crl-to-cache/evaltest.dat b/testing/tests/ikev2/crl-to-cache/evaltest.dat
index 00489436e..afc8f67e4 100644
--- a/testing/tests/ikev2/crl-to-cache/evaltest.dat
+++ b/testing/tests/ikev2/crl-to-cache/evaltest.dat
@@ -1,4 +1,4 @@
moon::ipsec status::rw.*ESTABLISHED::YES
carol::ipsec status::home.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::written crl to.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
-carol::cat /var/log/daemon.log::written crl to.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+moon::cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+carol::cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
index 40eb84b8a..6cb8c1369 100644
--- a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
@@ -3,3 +3,7 @@
charon {
load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
}
+
+scepclient {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random
+}
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
index 40eb84b8a..6cb8c1369 100644
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
@@ -3,3 +3,7 @@
charon {
load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
}
+
+scepclient {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/description.txt b/testing/tests/ikev2/esp-alg-aes-ccm/description.txt
index cb08a9312..9fe03b010 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/description.txt
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/description.txt
@@ -1,4 +1,4 @@
Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CCM_12-128</b> by defining <b>esp=aes128gcm12-modp2048</b> or alternatively
-<b>esp=aes128gcm96-modp2048</b> in ipsec.conf.
+<b>AES_CCM_12_128</b> by defining <b>esp=aes128ccm12-modp2048</b> or alternatively
+<b>esp=aes128ccm96-modp2048</b> in ipsec.conf.
A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
index dc5032133..9a1c6b8e9 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
@@ -1,5 +1,5 @@
moon::ipsec statusall::rw.*INSTALLED::YES
carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::AES_CCM_12-128::YES
-carol::ipsec statusall::AES_CCM_12-128::YES
+moon::ipsec statusall::AES_CCM_12_128::YES
+carol::ipsec statusall::AES_CCM_12_128::YES
carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/description.txt b/testing/tests/ikev2/esp-alg-aes-gcm/description.txt
index 721f3c64b..bd9521e0d 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/description.txt
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/description.txt
@@ -1,4 +1,4 @@
Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_GCM_16-256</b> by defining <b>esp=aes256gcm16-modp2048</b> or alternatively
+<b>AES_GCM_16_256</b> by defining <b>esp=aes256gcm16-modp2048</b> or alternatively
<b>esp=aes256gcm128-modp2048</b> in ipsec.conf.
A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
index 8f007b900..12a2dab3c 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
@@ -1,5 +1,5 @@
moon::ipsec statusall::rw.*INSTALLED::YES
carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::AES_GCM_16-256::YES
-carol::ipsec statusall::AES_GCM_16-256::YES
+moon::ipsec statusall::AES_GCM_16_256::YES
+carol::ipsec statusall::AES_GCM_16_256::YES
carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/esp-alg-camellia/description.txt b/testing/tests/ikev2/esp-alg-camellia/description.txt
new file mode 100644
index 000000000..e79bc4f87
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/description.txt
@@ -0,0 +1,3 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-camellia/evaltest.dat b/testing/tests/ikev2/esp-alg-camellia/evaltest.dat
new file mode 100644
index 000000000..a8a78e25b
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+moon::ip xfrm state::enc cbc(camellia)::YES
+carol::ip xfrm state::enc cbc(camellia)::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..74562cd3c
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes192-sha1-modp2048!
+ esp=camellia192-sha1!
+
+conn home
+ left=PH_IP_CAROL
+ leftfirewall=yes
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf
index 40eb84b8a..40eb84b8a 100644
--- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a9ce15802
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes192-sha1-modp2048!
+ esp=camellia192-sha1!
+
+conn rw
+ left=PH_IP_MOON
+ leftfirewall=yes
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf
index 40eb84b8a..40eb84b8a 100644
--- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/esp-alg-camellia/posttest.dat b/testing/tests/ikev2/esp-alg-camellia/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/esp-alg-camellia/pretest.dat b/testing/tests/ikev2/esp-alg-camellia/pretest.dat
new file mode 100644
index 000000000..3c3df0196
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev1/alg-twofish/test.conf b/testing/tests/ikev2/esp-alg-camellia/test.conf
index a6c8f026c..2b240d895 100644
--- a/testing/tests/ikev1/alg-twofish/test.conf
+++ b/testing/tests/ikev2/esp-alg-camellia/test.conf
@@ -19,4 +19,3 @@ TCPDUMPHOSTS=""
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev2/esp-alg-null/description.txt b/testing/tests/ikev2/esp-alg-null/description.txt
index 3f1b35e6c..8fd203098 100644
--- a/testing/tests/ikev2/esp-alg-null/description.txt
+++ b/testing/tests/ikev2/esp-alg-null/description.txt
@@ -1,3 +1,3 @@
Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>NULL/HMAC_SHA1_96</b> by defining <b>esp=null-sha1</b> in ipsec.conf.
+<b>NULL / HMAC_SHA1_96</b> by defining <b>esp=null-sha1</b> in ipsec.conf.
A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
index 40eb84b8a..4731a81d2 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -2,4 +2,5 @@
charon {
load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+ multiple_authentication = no
}
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
index 40eb84b8a..4731a81d2 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -2,4 +2,5 @@
charon {
load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+ multiple_authentication = no
}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/description.txt b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/description.txt
new file mode 100644
index 000000000..3641d09ff
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/description.txt
@@ -0,0 +1,17 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>
+using multiple authentication exchanges (RFC 4739). In a first round
+both <b>carol</b> and <b>moon</b> authenticate themselves by sending
+an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<p>
+In a second round <b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
+in association with a <i>GSM Subscriber Identity Module</i> (<b>EAP-SIM</b>) to
+authenticate herself against the remote RADIUS server <b>alice</b>.
+In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
+are used instead of a physical SIM card on the client <b>carol</b>.
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+which also uses a static triplets file.
+<p>
+The roadwarrior <b>dave</b> also uses multiple authentication and succeeds
+in the first round but sends wrong EAP-SIM triplets in the second round.
+As a consequence the radius server <b>alice</b> returns an <b>Access-Reject</b>
+message and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>.
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
new file mode 100644
index 000000000..d64b3da7d
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
@@ -0,0 +1,21 @@
+moon::cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES
+moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+moon::cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
+moon::cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES
+moon::ipsec statusall::rw-mult.*ESTABLISHED.*228060123456001@strongswan.org::YES
+carol::ipsec statusall::home.*ESTABLISHED.*228060123456001@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA signature successful::YES
+dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES
+moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES
+moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 228060123456002@strongswan.org::YES
+moon::ipsec statusall::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave::ipsec statusall::home.*ESTABLISHED::NO
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+ secret = gv6URkSs
+ shortname = moon
+}
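Review bot: The RADIUS shared secret on the `secret =` line is committed in clear text with nothing marking it as a testbed-only value. The carol `ipsec.secrets` hunk later in this diff stores the private-key passphrase the same way. That is normal for a fixture, but the value has to match whatever the gateway moon is configured with, which this hunk does not show, and it should never be carried over to a real server. I would add a comment line above it such as `# testbed-only shared secret, must match the gateway's RADIUS secret; never reuse outside the test network`.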
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..a2020424e
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..d77b818fe
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,123 @@
+# radiusd.conf -- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+# name of the running server. See also the "-n" command-line option.
+name = radiusd
+
+# Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+# pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+# max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+# cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+# max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+# listen: Make the server listen on a particular IP address, and send
+listen {
+ type = auth
+ ipaddr = PH_IP_ALICE
+ port = 0
+}
+
+# This second "listen" section is for listening on the accounting
+# port, too.
+#
+listen {
+ type = acct
+ ipaddr = PH_IP_ALICE
+ port = 0
+}
+
+# hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+# Core dumps are a bad thing. This should only be set to 'yes'
+allow_core_dumps = no
+
+# Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+# Logging section. The various "log_*" configuration items
+log {
+ destination = files
+ file = ${logdir}/radius.log
+ syslog_facility = daemon
+ stripped_names = no
+ auth = yes
+ auth_badpass = yes
+ auth_goodpass = yes
+}
+
+# The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+# Security considerations
+security {
+ max_attributes = 200
+ reject_delay = 1
+ status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+ $INCLUDE ${confdir}/modules/
+ $INCLUDE eap.conf
+ $INCLUDE sql.conf
+ $INCLUDE sql/mysql/counter.conf
+ sim_files {
+ simtriplets = "/etc/raddb/triplets.dat"
+ }
+}
+
+# Instantiation
+instantiate {
+ exec
+ expr
+ expiration
+ logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
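Review bot: In the `log` section, `auth_badpass = yes` and `auth_goodpass = yes` make the server write submitted passwords into `${logdir}/radius.log` for any request that carries one. The scenario itself uses EAP-SIM, so this probably logs nothing here, but the virtual server added in this commit also enables PAP and the file is likely to be copied into other tests. Setting `auth_badpass = no` and `auth_goodpass = no` keeps the auth log useful without recording credentials. Separately, the `modules` section pulls in `sql.conf` and `sql/mysql/counter.conf`, which an EAP-SIM test backed by a static triplets file does not appear to need, so those two `$INCLUDE` lines look removable.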
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..dfceb037d
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,62 @@
+authorize {
+ preprocess
+ chap
+ mschap
+ sim_files
+ suffix
+ eap {
+ ok = return
+ }
+ unix
+ files
+ expiration
+ logintime
+ pap
+}
+
+authenticate {
+ Auth-Type PAP {
+ pap
+ }
+ Auth-Type CHAP {
+ chap
+ }
+ Auth-Type MS-CHAP {
+ mschap
+ }
+ unix
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
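Review bot: The `authorize` and `authenticate` sections enable `chap`, `mschap`, `pap` and `unix`, although the scenario description only exercises EAP-SIM against the static triplets file. Each extra method is another path by which the test RADIUS server could accept a request (`unix` in particular consults the host's system accounts), so the expected Access-Reject for dave may not be testing the EAP-SIM path alone. If nothing else in the testbed depends on them, I would reduce `authenticate` to `eap` and drop `chap`, `mschap`, `unix` and `pap` from `authorize`, keeping `preprocess`, `sim_files`, `suffix`, `eap` and `files`.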
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat
new file mode 100644
index 000000000..002ee94d1
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat
@@ -0,0 +1,7 @@
+228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
+228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
+228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
+228060123456002,33000000000000000000000000000000,33112233,335566778899AABB
+228060123456002,34000000000000000000000000000000,34112233,345566778899AABB
+228060123456002,35000000000000000000000000000000,35112233,355566778899AABB
+
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..26cc0cd92
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftfirewall=yes
+ leftauth=pubkey
+ leftid=carol@strongswan.org
+ leftcert=carolCert.pem
+ leftauth2=eap
+ leftid2=228060123456001@strongswan.org
+ eap_identity=228060123456001
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..c167ba940
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
+228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
+228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..6a2aea811
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
index d46082bdd..cc451fc8d 100644
--- a/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac stroke kernel-netlink updown
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file eapidentity updown
}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..f8c52be78
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=eap
+
+conn home
+ left=PH_IP_DAVE
+ leftfirewall=yes
+ leftauth=pubkey
+ leftid=dave@strongswan.org
+ leftcert=daveCert.pem
+ leftauth2=eap
+ leftid2=228060123456002@strongswan.org
+ eap_identity=228060123456002
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ rightid=@moon.strongswan.org
+ auto=add
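Review bot: The `authby=eap` line in `conn %default` looks like a leftover. `conn home` already sets `leftauth=pubkey`, `leftauth2=eap` and `rightauth=pubkey` explicitly, and carol's otherwise parallel ipsec.conf in this test has no such line. As far as I know the explicit `leftauth`/`rightauth` settings take precedence over the legacy `authby` keyword, so it probably has no effect. It still reads as if dave authenticated with EAP in the first round, which is not what description.txt states. I would delete the `authby=eap` line so both roadwarrior configs read the same.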
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..b8b86c875
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+228060123456002,33000000000000000000000000000000,33112244,335566778899AABB
+228060123456002,34000000000000000000000000000000,34112244,345566778899AABB
+228060123456002,35000000000000000000000000000000,35112244,355566778899AABB
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..9031f323a
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA daveKey.pem
diff --git a/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
index 40eb84b8a..cc451fc8d 100644
--- a/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file eapidentity updown
}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MobIKE
+ iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow RADIUS protocol with alice
+ iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+ iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
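Review bot: The reply rules in start() match on source address and source port only: `iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT`, and likewise the tcp `--sport 80 -s PH_IP_WINNETOU` rule, accept a packet to any local port whether or not moon sent a request first. If the test kernels provide connection tracking, adding `-m state --state ESTABLISHED` to those two INPUT rules would limit them to replies. Separately, `eend $?` at the end of start() reports only the exit status of the last iptables call, so an earlier rule that failed to load goes unreported, and pretest.dat runs the script with `2> /dev/null`.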
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..37d23b1f5
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-mult
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ leftauth=pubkey
+ leftid=@moon.strongswan.org
+ leftcert=moonCert.pem
+ right=%any
+ rightauth=pubkey
+ rightid=*@strongswan.org
+ rightauth2=eap-radius
+ eap_identity=%any
+ auto=add
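Review bot: In `conn rw-mult` the second round uses `eap_identity=%any`, so the gateway takes whatever EAP identity the client offers, and nothing in this file ties it to the certificate identity matched by `rightid=*@strongswan.org` in the first round. As far as the hunk shows, the two rounds are checked independently, so the user authenticated by certificate and the user authenticated by EAP-SIM need not be the same. If that is intended for this scenario, a comment above the line would make it explicit, for example `# round 2 identity comes from the EAP-Identity response and is not compared with the round 1 certificate ID`.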
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..10414b29a
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapradius eapidentity updown
+ plugins {
+ eap_radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
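Review bot: `secret = gv6URkSs` commits an eight-character RADIUS shared secret with nothing marking it as a lab-only value. RADIUS derives its packet authenticators from this secret, so a short one gives little protection once traffic can be observed. A comment such as `# test-only secret, must match the client entry for moon in alice's clients.conf` would keep it from being copied into a real gateway configuration. The pretest.dat added in this commit also prints `/etc/raddb/clients.conf` on alice, which presumably puts the same value into the test output.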
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
new file mode 100644
index 000000000..dbe56013a
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::/etc/init.d/radiusd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
new file mode 100644
index 000000000..b3fd4cbf1
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::cat /etc/raddb/clients.conf
+alice::cat /etc/raddb/eap.conf
+alice::cat /etc/raddb/proxy.conf
+alice::cat /etc/raddb/triplets.dat
+alice::/etc/init.d/radiusd start
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/openssl/rw-cert/test.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
index 70416826e..70416826e 100644
--- a/testing/tests/openssl/rw-cert/test.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/description.txt b/testing/tests/ikev2/multi-level-ca-cr-init/description.txt
index 0ace25731..602d026c2 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/description.txt
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/description.txt
@@ -1,8 +1,6 @@
-The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
-<b>venus</b> by means of two different Intermediate CAs. Access to
-<b>alice</b> is granted to users presenting a certificate issued by the Research CA
-whereas <b>venus</b> can only be reached with a certificate issued by the
-Sales CA. The hosts <b>carol</b> and <b>dave</b> have certificates from
-the Research CA and Sales CA, respectively. Initiator <b>moon</b> does not possess
+The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
+<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored
+in the strongSwan Root CA. The hosts <b>carol</b> and <b>dave</b> have certificates from
+the intermediate Research CA and Sales CA, respectively. Initiator <b>moon</b> does not possess
copies of the Research and Sales CA certificates and must therefore request them from
-the initiators <b>carol</b> and <b>dave</b>, respectively.
+the responders <b>carol</b> and <b>dave</b>, respectively.
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
index 12f0c95bf..4c84d183b 100755
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
@@ -25,12 +25,12 @@ conn alice
leftsubnet=PH_IP_ALICE/32
right=PH_IP_CAROL
rightid=carol@strongswan.org
- rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
auto=add
conn venus
leftsubnet=PH_IP_VENUS/32
right=PH_IP_DAVE
rightid=dave@strongswan.org
- rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt b/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt
index b26c8c5d0..06f9f6b91 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt
@@ -1,8 +1,6 @@
-The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
-<b>venus</b> by means of two different Intermediate CAs. Access to
-<b>alice</b> is granted to users presenting a certificate issued by the Research CA
-whereas <b>venus</b> can only be reached with a certificate issued by the
-Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
-the Research CA and Sales CA, respectively. Responder <b>moon</b> does not possess
+The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
+<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored
+in the strongSwan Root CA. The hosts <b>carol</b> and <b>dave</b> have certificates from
+the intermediate Research CA and Sales CA, respectively. Responder <b>moon</b> does not possess
copies of the Research and Sales CA certificates and must therefore request them from
-the initiators <b>carol</b> and <b>dave</b>.
+the initiators <b>carol</b> and <b>dave</b>, respectively.
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat
index d2453bbee..4b827b4dd 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat
@@ -7,6 +7,6 @@ moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
carol::ipsec status::alice.*INSTALLED::YES
-moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec status::alice.*INSTALLED::YES
dave::ipsec status::venus.*INSTALLED::YES
-moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
+moon::ipsec status::venus.*INSTALLED::YES
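Review bot: The two moon checks are relaxed from `alice.*ESTABLISHED.*carol@strongswan.org` to `alice.*INSTALLED`, so the test no longer asserts which peer identity moon authenticated for either tunnel. Presumably the connection name on the IKE_SA line is no longer predictable now that both conns share the same `rightca`. If so, the identity can still be checked without the name, e.g. `moon::ipsec status::ESTABLISHED.*carol@strongswan.org::YES` and the same for dave. The start of the file is outside the hunk.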
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
index d0240a333..75138581e 100755
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
@@ -24,11 +24,11 @@ conn %default
conn alice
leftsubnet=PH_IP_ALICE/32
right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
auto=add
conn venus
leftsubnet=PH_IP_VENUS/32
right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
auto=add
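Review bot: With `rightca` set to the strongSwan Root CA on both `conn alice` and `conn venus`, and `right=%any` with no `rightid` in the visible lines, the two connections accept any peer whose certificate chains to the root, so the per-host separation by intermediate CA is gone. The updated description.txt says this is intended, but the config itself gives no reason. A comment such as `# root CA as constraint: moon holds no intermediate CA certs and requests them from the peer` would record it. The multi-level-ca-cr-init hunk makes the same change but keeps a fixed `rightid` per connection. The `conn %default` section this hunk follows is outside it.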
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
index 8656c8e3a..4a1c7208b 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
@@ -8,11 +8,12 @@ carol::ipsec status::alice.*INSTALLED::YES
moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
carol::ipsec status::venus.*INSTALLED::NO
-moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES
moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
+moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
+moon::cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES
+moon::cat /var/log/daemon.log::switching to peer config.*venus::YES
dave::ipsec status::venus.*INSTALLED::YES
moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
dave::ipsec status::alice.*INSTALLED::NO
-moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
index c60f722ec..0b7b02801 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
@@ -1,4 +1,4 @@
moon::cat /var/log/daemon.log::maximum ca path length of 7 levels reached::YES
-moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
carol::ipsec status::alice.*INSTALLED::NO
moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
index 3ac0adbb5..182f9e0fc 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
@@ -1,5 +1,4 @@
moon::cat /var/log/daemon.log::certificate was revoked::YES
-moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES
carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
moon::ipsec status::alice.*ESTABLISHED::NO
carol::ipsec status::home.*INSTALLED::NO
diff --git a/testing/tests/ikev2/multi-level-ca-strict/description.txt b/testing/tests/ikev2/multi-level-ca-strict/description.txt
index 86cbbc58b..6467d5222 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/description.txt
+++ b/testing/tests/ikev2/multi-level-ca-strict/description.txt
@@ -2,6 +2,6 @@ By setting <b>strictcrlpolicy=yes</b>, a <b>strict CRL policy</b> is enforced
on all peers.
The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
<b>venus</b> to anyone presenting a certificate belonging to a trust
-chain anchored in strongSwan Root CA. Therefore both road warriors
+chain anchored in the strongSwan Root CA. Therefore both road warriors
<b>carol</b> and <b>dave</b>, holding certificates from the Research CA
and Sales CA, respectively, can reach both <b>alice</b> and <b>venus</b>.
diff --git a/testing/tests/ikev2/multi-level-ca/evaltest.dat b/testing/tests/ikev2/multi-level-ca/evaltest.dat
index 8ba69ff9b..b0814556d 100644
--- a/testing/tests/ikev2/multi-level-ca/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca/evaltest.dat
@@ -8,11 +8,12 @@ carol::ipsec status::alice.*INSTALLED::YES
moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
carol::ipsec status::venus.*INSTALLED::NO
-moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES
moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
+moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
+moon::cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES
+moon::cat /var/log/daemon.log::switching to peer config.*venus::YES
dave::ipsec status::venus.*INSTALLED::YES
moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
dave::ipsec status::alice.*INSTALLED::NO
-moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
index 40eb84b8a..4731a81d2 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -2,4 +2,5 @@
charon {
load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+ multiple_authentication = no
}
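Review bot: `multiple_authentication = no` is added without a comment, and the same line appears in the seven net2net strongswan.conf hunks that follow (net2net-cert sun, net2net-psk, net2net-route and net2net-start for moon and sun). Nothing on the page says why these scenarios switch the feature off while the roadwarrior tests leave it at its default. A one-line comment such as `# disable multiple authentication exchanges (RFC 4739) for this scenario`, followed by the reason, would help the next reader.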
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
index 40eb84b8a..4731a81d2 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -2,4 +2,5 @@
charon {
load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+ multiple_authentication = no
}
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
index 20c58007c..454aed12c 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -2,4 +2,5 @@
charon {
load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+ multiple_authentication = no
}
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
index 20c58007c..454aed12c 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -2,4 +2,5 @@
charon {
load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+ multiple_authentication = no
}
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
index 40eb84b8a..4731a81d2 100644
--- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
@@ -2,4 +2,5 @@
charon {
load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+ multiple_authentication = no
}
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
index 40eb84b8a..4731a81d2 100644
--- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
@@ -2,4 +2,5 @@
charon {
load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+ multiple_authentication = no
}
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
index 40eb84b8a..4731a81d2 100644
--- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
@@ -2,4 +2,5 @@
charon {
load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+ multiple_authentication = no
}
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
index 40eb84b8a..4731a81d2 100644
--- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
@@ -2,4 +2,5 @@
charon {
load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+ multiple_authentication = no
}
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
index 939817d58..a0a045ce8 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
@@ -1,6 +1,7 @@
moon::cat /var/log/daemon.log::requesting ocsp status from::YES
moon::cat /var/log/daemon.log::ocsp response verification failed::YES
moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES
+moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
moon::ipsec status::rw.*ESTABLISHED::NO
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
index 9f20ee81c..2e0f059c6 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
@@ -1,7 +1,7 @@
moon::cat /var/log/daemon.log::authentication of.*carol.*successful::YES
moon::cat /var/log/daemon.log::libcurl http request failed::YES
moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_SKIPPED::YES
+moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES
moon::ipsec status::ESTABLISHED.*carol::YES
moon::ipsec status::ESTABLISHED.*dave::NO
carol::ipsec status::ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
index b47403756..45c6ce7c5 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
@@ -2,6 +2,6 @@ moon::cat /var/log/daemon.log::requesting ocsp status from::YES
moon::cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES
moon::cat /var/log/daemon.log::ocsp response verification failed::YES
moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES
+moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
moon::ipsec status::rw.*ESTABLISHED::NO
carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/reauth-late/evaltest.dat b/testing/tests/ikev2/reauth-late/evaltest.dat
index 7ce2bf147..7f083a05e 100644
--- a/testing/tests/ikev2/reauth-late/evaltest.dat
+++ b/testing/tests/ikev2/reauth-late/evaltest.dat
@@ -1,7 +1,7 @@
moon::ipsec statusall::rw\[2\].*ESTABLISHED::YES
carol::ipsec statusall::home\[2\].*ESTABLISHED::YES
-carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 3600s, scheduling reauthentication in 3595s::YES
carol::cat /var/log/daemon.log::scheduling reauthentication in 2[0-5]s::YES
+carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 3600s, reauthentication already scheduled in 2[0-5]s::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 40eb84b8a..de122acff 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+ load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
+
+libstrongswan {
+ crypto_test {
+ on_add = yes
+ }
}
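Review bot: `on_add = yes` runs the test vectors when an algorithm is registered, but the hunk does not set `required`, so an algorithm for which the test-vectors plugin has no vector is presumably still accepted untested. If the scenario is meant to show that only self-tested algorithms are used, `required = yes` inside `crypto_test` would enforce that, after checking that every loaded plugin has vectors. The same block is added for dave and moon in the next two hunks. No rw-cert evaltest.dat change asserting that the self-test ran is visible in this part of the diff.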
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 40eb84b8a..de122acff 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+ load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
+
+libstrongswan {
+ crypto_test {
+ on_add = yes
+ }
}
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 40eb84b8a..de122acff 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+ load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
+
+libstrongswan {
+ crypto_test {
+ on_add = yes
+ }
}
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
index d5cbbdbf7..661e6cfe7 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
@@ -1,6 +1,7 @@
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::using EAP identity.*carol::YES
+moon::cat /var/log/daemon.log::received EAP identity.*carol::YES
moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
carol::ipsec statusall::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf
index 8cffbe3b3..22bba57a7 100755
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf
@@ -9,15 +9,15 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- authby=eap
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftid=carol@strongswan.org
leftfirewall=yes
+ leftauth=eap
eap_identity=carol
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
+ rightauth=pubkey
auto=add
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf
index b239e7718..16171feb3 100755
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf
@@ -12,15 +12,15 @@ conn %default
keyexchange=ikev2
conn rw-eap
- authby=rsasig
- eap=aka
- eap_identity=%identity
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
leftid=@moon.strongswan.org
leftcert=moonCert.pem
+ leftauth=pubkey
leftfirewall=yes
+ right=%any
rightid=*@strongswan.org
rightsendcert=never
- right=%any
+ rightauth=eap-aka
+ eap_identity=%any
auto=add
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
index 5de841c03..e12643ef7 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
@@ -1,4 +1,5 @@
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon::ipsec statusall::rw-eapaka.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
index 2af93a313..ba9294f6a 100755
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
@@ -9,14 +9,15 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- authby=eap
conn home
left=PH_IP_CAROL
leftnexthop=%direct
leftid=carol@strongswan.org
+ leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
+ rightauth=pubkey
auto=add
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
index 140e88912..459414516 100755
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
@@ -12,14 +12,14 @@ conn %default
keyexchange=ikev2
conn rw-eapaka
- authby=rsasig
- eap=aka
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
leftid=@moon.strongswan.org
leftcert=moonCert.pem
+ leftauth=pubkey
leftfirewall=yes
+ right=%any
rightid=*@strongswan.org
rightsendcert=never
- right=%any
+ rightauth=eap-aka
auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
index 6c73054d7..2ee440cdb 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
@@ -1,8 +1,8 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-moon::cat /var/log/daemon.log::using EAP identity .*carol"::YES
-carol::cat /var/log/daemon.log::EAP server requested EAP_MD5 authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon::cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
carol::ipsec statusall::home.*ESTABLISHED::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
index 8cffbe3b3..5f779d1af 100755
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
@@ -9,15 +9,16 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- authby=eap
conn home
left=PH_IP_CAROL
leftnexthop=%direct
leftid=carol@strongswan.org
+ leftauth=eap
leftfirewall=yes
eap_identity=carol
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
+ rightauth=pubkey
auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf
index 08b920afd..11ff84400 100755
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf
@@ -12,15 +12,15 @@ conn %default
keyexchange=ikev2
conn rw-eap
- authby=rsasig
- eap=radius
- eap_identity=%identity
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
leftid=@moon.strongswan.org
leftcert=moonCert.pem
+ leftauth=pubkey
leftfirewall=yes
rightid=*@strongswan.org
rightsendcert=never
+ rightauth=eap-radius
+ eap_identity=%any
right=%any
auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
index 444362a86..5e8dce9cf 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
@@ -1,5 +1,5 @@
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-carol::cat /var/log/daemon.log::EAP server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
index 2af93a313..ba9294f6a 100755
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
@@ -9,14 +9,15 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- authby=eap
conn home
left=PH_IP_CAROL
leftnexthop=%direct
leftid=carol@strongswan.org
+ leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
+ rightauth=pubkey
auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf
index 825994278..4a885babc 100755
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf
@@ -12,14 +12,14 @@ conn %default
keyexchange=ikev2
conn rw-eap
- authby=rsasig
- eap=radius
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
leftid=@moon.strongswan.org
leftcert=moonCert.pem
+ leftauth=pubkey
leftfirewall=yes
rightid=*@strongswan.org
+ rightauth=eap-radius
rightsendcert=never
right=%any
auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
index 2af93a313..ba9294f6a 100755
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
@@ -9,14 +9,15 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- authby=eap
conn home
left=PH_IP_CAROL
leftnexthop=%direct
leftid=carol@strongswan.org
+ leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
+ rightauth=pubkey
auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
index 7777e914b..28d52b9eb 100755
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
@@ -12,14 +12,14 @@ conn %default
keyexchange=ikev2
conn rw-eap
- authby=rsasig
- eap=md5
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
leftid=@moon.strongswan.org
leftcert=moonCert.pem
+ leftauth=pubkey
leftfirewall=yes
rightid=*@strongswan.org
+ rightauth=eap-md5
rightsendcert=never
right=%any
auto=add
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
index d8708d122..5b632bfe8 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
@@ -1,7 +1,8 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::using EAP identity.*carol::YES
-moon::cat /var/log/daemon.log::authentication of 'PH_IP_CAROL' with EAP successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon::cat /var/log/daemon.log::received EAP identity.*carol::YES
+moon::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
carol::ipsec statusall::home.*ESTABLISHED::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf
index ec09a3375..c1497ca0e 100755
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf
@@ -9,14 +9,14 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- authby=eap
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftfirewall=yes
+ leftauth=eap
eap_identity=carol
right=PH_IP_MOON
+ rightauth=pubkey
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
auto=add
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf
index 57a89966a..a4a45f06c 100755
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf
@@ -12,15 +12,14 @@ conn %default
keyexchange=ikev2
conn rw-eap
- authby=rsasig
- eap=mschapv2
- eap_identity=%identity
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
leftid=@moon.strongswan.org
leftcert=moonCert.pem
+ leftauth=pubkey
leftfirewall=yes
- rightid=%any
- rightsendcert=never
right=%any
+ rightauth=eap-mschapv2
+ rightsendcert=never
+ eap_identity=%any
auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt
index 887d3f467..0531a559f 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt
@@ -9,5 +9,5 @@ are used instead of a physical SIM card on the client <b>carol</b> and
the gateway forwards all EAP messages to the RADIUS server <b>alice</b>
which also uses static triplets. In addition to her IKEv2 identity
<b>carol@strongswan.org</b>, roadwarrior <b>carol</b> uses the EAP
-identity <b>232420100000015</b>.
+identity <b>228060123456001</b>.
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
index 4e7cbcc4c..4305a1400 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
@@ -1,6 +1,6 @@
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-moon::cat /var/log/daemon.log::using EAP identity .*232420100000015::YES
-carol::cat /var/log/daemon.log::EAP server requested EAP_SIM authentication::YES
+moon::cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat
index 2a750029f..c167ba940 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat
@@ -1,3 +1,3 @@
-232420100000015,30000000000000000000000000000000,30112233,305566778899AABB
-232420100000015,31000000000000000000000000000000,31112233,315566778899AABB
-232420100000015,32000000000000000000000000000000,32112233,325566778899AABB
+228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
+228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
+228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf
index 404589348..d3a99fe41 100755
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf
@@ -9,15 +9,16 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- authby=eap
conn home
left=PH_IP_CAROL
leftnexthop=%direct
leftid=carol@strongswan.org
leftfirewall=yes
- eap_identity=232420100000015
+ leftauth=eap
+ eap_identity=228060123456001
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
+ rightauth=pubkey
auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf
index 08b920afd..a86bb3d73 100755
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf
@@ -12,15 +12,15 @@ conn %default
keyexchange=ikev2
conn rw-eap
- authby=rsasig
- eap=radius
- eap_identity=%identity
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
leftid=@moon.strongswan.org
leftcert=moonCert.pem
+ leftauth=pubkey
leftfirewall=yes
rightid=*@strongswan.org
+ rightauth=eap-radius
+ eap_identity=%any
rightsendcert=never
right=%any
auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
index cd4b43cca..5fae7ecd5 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
@@ -1,5 +1,5 @@
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-carol::cat /var/log/daemon.log::EAP server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
@@ -8,7 +8,7 @@ carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP failed::YES
+moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
dave::ipsec statusall::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
index 2af93a313..ba9294f6a 100755
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
@@ -9,14 +9,15 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- authby=eap
conn home
left=PH_IP_CAROL
leftnexthop=%direct
leftid=carol@strongswan.org
+ leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
+ rightauth=pubkey
auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
index 509deb945..53ecb4d70 100755
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
@@ -12,14 +12,14 @@ conn %default
keyexchange=ikev2
conn rw-eapsim
- authby=rsasig
- eap=sim
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
leftid=@moon.strongswan.org
leftcert=moonCert.pem
+ leftauth=pubkey
leftfirewall=yes
rightid=*@strongswan.org
+ rightauth=eap-sim
right=%any
rightsendcert=never
auto=add
diff --git a/testing/tests/ikev2/two-certs/description.txt b/testing/tests/ikev2/two-certs/description.txt
index 46ca8fec1..94ffaa487 100644
--- a/testing/tests/ikev2/two-certs/description.txt
+++ b/testing/tests/ikev2/two-certs/description.txt
@@ -1,6 +1,7 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
-to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Gateway <b>moon</b> has already loaded a revoked certificate for <b>carol</b>
-and a self-signed certificate for <b>dave</b> locally but gets actual certificates
-as CERT payloads from both peers. The RSA signature verification process tries all
-candidate peer certificates until it finds a valid one with a matching public key.
+The roadwarrior <b>carol</b> possesses two different X.509 certificates plus
+matching RSA private keys. With the first certificate <b>carol</b> authenticates
+a tunnel connection to gateway <b>moon</b> in order to reach client <b>alice</b>
+and presents the second certificate in order to reach client <b>venus</b> using
+the identity <b>carol@strongswan.org</b> for both IKE security associations.
+Therefore the RSA signature verification process on <b>moon</b> tries all
+candidate peer certificates until it finds the correct RSA public key.
diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat
index 0598e1fb2..d32e32660 100644
--- a/testing/tests/ikev2/two-certs/evaltest.dat
+++ b/testing/tests/ikev2/two-certs/evaltest.dat
@@ -1,15 +1,12 @@
-moon::cat /var/log/daemon.log::certificate was revoked::YES
-moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature successful::YES
-moon::cat /var/log/daemon.log::signature validation failed, looking for another key::YES
-moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA signature successful::YES
-moon::ipsec statusall::carol.*ESTABLISHED::YES
-moon::ipsec statusall::dave.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
+moon::cat /var/log/daemon.log::using certificate.*OU=Research, CN=carol@strongswan.org::YES
+moon::ipsec statusall::alice.*INSTALLED::YES
+carol::ipsec statusall::alice.*ESTABLISHED::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::cat /var/log/daemon.log::signature validation failed, looking for another key::YES
+moon::cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES
+moon::ipsec statusall::venus.*INSTALLED::YES
+carol::ipsec statusall::venus.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
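Review bot: The rewritten evaltest.dat no longer exercises a rejected certificate: the removed `certificate was revoked` line was the only negative revocation check, and the new lines assert successful paths only. This happens in the same commit that sets `strictcrlpolicy=yes` on carol and gives moon a `ca strongswan` section with a `crluri`. Whether another test still covers a locally loaded revoked certificate is not visible on this page. If none does, keep the old scenario as a separate test rather than replacing it. Otherwise name the covering test in description.txt so the loss of coverage is a recorded decision.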
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
index bcdb8641b..9129f160b 100755
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
@@ -2,7 +2,7 @@
config setup
crlcheckinterval=180
- strictcrlpolicy=no
+ strictcrlpolicy=yes
plutostart=no
conn %default
@@ -10,14 +10,20 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
-
-conn home
+ keyexchange=ikev2
left=PH_IP_CAROL
- leftcert=carolCert.pem
leftid=carol@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
+
+conn alice
+ leftcert=carolCert.pem
+ rightsubnet=10.1.0.10/32
+ auto=add
+
+conn venus
+ leftcert=carolCert-002.pem
+ rightsubnet=10.1.0.20/32
auto=add
+
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem
new file mode 100644
index 000000000..4ebebba5a
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem
new file mode 100644
index 000000000..aec8e7a33
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..2181f94ce
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
+
+: RSA carolKey-002.pem
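Review bot: The second entry, `: RSA carolKey-002.pem`, has no passphrase, so the key added in carolKey-002.pem is stored unencrypted, while the first entry carries its passphrase in clear text. That is workable for a test fixture, but the file should say so, so nobody copies it as a template. Add `# test-only credentials - never reuse these keys or this passphrase outside the test lab` below the header comment. If the suite's other private keys are passphrase-protected, protecting carolKey-002.pem the same way would keep the fixtures consistent.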
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
index 8800c7ad5..a93ccbc9a 100755
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
@@ -3,8 +3,14 @@
config setup
crlcheckinterval=180
strictcrlpolicy=yes
+ uniqueids=no
plutostart=no
+ca strongswan
+ cacert=strongswanCert.pem
+ crluri=http://crl.strongswan.org/strongswan.crl
+ auto=add
+
conn %default
ikelifetime=60m
keylife=20m
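Review bot: `uniqueids=no` is added to `config setup` without a comment, and it changes how moon treats a second IKE_SA from an ID that is already connected. Judging by the updated description.txt, carol deliberately opens two IKE_SAs as carol@strongswan.org, so the setting is probably required for `venus` to coexist with `alice`. A comment would stop it being removed as noise or copied into a production gateway config: `# carol sets up two IKE_SAs with the same ID; keep both instead of replacing the first`. The `conn %default` section continues past the end of this hunk.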
@@ -13,19 +19,16 @@ conn %default
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
leftfirewall=yes
right=%any
+ rightid=carol@strongswan.org
keyexchange=ikev2
-conn carol
- rightid=carol@strongswan.org
- rightcert=carolRevokedCert.pem
+conn alice
+ leftsubnet=10.1.0.10/32
auto=add
-conn dave
- rightid=dave@strongswan.org
- rightcert=daveCert.der
- rightca=%any
+conn venus
+ leftsubnet=10.1.0.20/32
auto=add
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem
deleted file mode 100644
index 5b742fc9e..000000000
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV
-mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo
-5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv
-VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN
-IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5
-K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9
-OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
-d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB
-56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM
-2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q
-O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL
-LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3
-wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N
-9IcgYi5x
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.der b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.der
deleted file mode 100644
index 6c4f37c27..000000000
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.der
+++ /dev/null
Binary files differ
diff --git a/testing/tests/ikev2/two-certs/posttest.dat b/testing/tests/ikev2/two-certs/posttest.dat
index 195065a5f..a1f067838 100644
--- a/testing/tests/ikev2/two-certs/posttest.dat
+++ b/testing/tests/ikev2/two-certs/posttest.dat
@@ -1,7 +1,6 @@
moon::ipsec stop
carol::ipsec stop
-dave::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-moon::rm /etc/ipsec.d/certs/*
+carol::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/certs/*
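Review bot: The two added `rm` lines use wildcards, so they delete every private key and certificate on carol, not only the files this test installs. That relies on the harness restoring carol's default `carolKey.pem` and `carolCert.pem` before the next test, which is not visible on this page. Removing only the additions is safer: `carol::rm /etc/ipsec.d/private/carolKey-002.pem` and `carol::rm /etc/ipsec.d/certs/carolCert-002.pem`.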
diff --git a/testing/tests/ikev2/two-certs/pretest.dat b/testing/tests/ikev2/two-certs/pretest.dat
index 42e9d7c24..716cf71e8 100644
--- a/testing/tests/ikev2/two-certs/pretest.dat
+++ b/testing/tests/ikev2/two-certs/pretest.dat
@@ -1,9 +1,8 @@
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
carol::ipsec start
-dave::ipsec start
carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
+carol::ipsec up alice
+carol::ipsec up venus
+carol::sleep 1
diff --git a/testing/tests/ikev2/two-certs/test.conf b/testing/tests/ikev2/two-certs/test.conf
index 70416826e..d0306cd25 100644
--- a/testing/tests/ikev2/two-certs/test.conf
+++ b/testing/tests/ikev2/two-certs/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+UMLHOSTS="alice venus moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="a-m-c-w-d.png"
+DIAGRAM="a-v-m-c-w-d.png"
# UML instances on which tcpdump is to be started
#
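Review bot: `DIAGRAM="a-v-m-c-w-d.png"` still names a diagram containing `d`, although this hunk drops dave from `UMLHOSTS` and the last hunk of the file drops him from `IPSECHOSTS`. If the suite has a diagram without dave, reference that one. Otherwise add a comment above the assignment, for example `# diagram still shows dave, who is not started in this test`.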
@@ -18,4 +18,4 @@ TCPDUMPHOSTS="moon"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="moon carol dave"
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/openssl/ike-alg-ecp-high/description.txt b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
index b8efbe87e..b8efbe87e 100644
--- a/testing/tests/openssl/ike-alg-ecp-high/description.txt
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
new file mode 100644
index 000000000..6a6802780
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
@@ -0,0 +1,13 @@
+moon::cat /var/log/auth.log::ECP_256.*refused due to strict flag::YES
+moon::ipsec statusall::IPsec SA established::YES
+carol::ipsec statusall::IPsec SA established::YES
+carol::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/ECP_384::YES
+dave::ipsec statusall::IPsec SA established::YES
+dave::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/ECP_521::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
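Review bot: The moon-side checks cannot tell carol from dave: `moon::ipsec statusall::IPsec SA established::YES` and the `ECP_256.*refused due to strict flag` grep both pass as soon as one peer produces the line. The tcpdump ESP lines give indirect evidence for both peers, but the negotiated proposal is only checked on the client side. The same applies to alg-ecp-low/evaltest.dat later in this diff (`ECP_192`). If pluto's status output carries the peer address on the SA line (to be confirmed), one check per peer would pin this down, e.g. `moon::ipsec statusall::PH_IP_CAROL.*IPsec SA established::YES` and the same with `PH_IP_DAVE`.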
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..432fa52ea
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+ plutodebug=control
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=aes192-sha384-ecp256,aes192-sha384-ecp384!
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..9836736c3
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..28304eb41
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+ plutodebug=control
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=aes256-sha512-ecp256,aes256-sha512-ecp521!
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c4211619b
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = aes des sha1 sha2 md5 gmp openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
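Review bot: dave's `load` list differs from carol's and moon's (`openssl pubkey random hmac curl`) by putting `aes des sha1 sha2 md5 gmp` in front of `openssl`, with no comment explaining why. Presumably the test wants one peer that keeps the native crypto plugins and uses openssl for the ECP groups alone, but that is an inference. A line above `pluto {` would make the intent explicit, e.g. `# native crypto plugins plus openssl, which supplies the ECP DH groups`. The same list appears in alg-ecp-low/hosts/dave/etc/strongswan.conf. The `dh_exponent_ansi_x9_42` comment refers to RFC 3526 MODP groups, which the strict `ike=...ecp...!` proposals in these tests do not offer, so it may be left over from a template.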
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..d6737f6e0
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+ plutodebug=control
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=aes192-sha384-ecp384,aes256-sha512-ecp521!
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..9836736c3
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/openssl/rw-cert/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
index 7cebd7f25..7cebd7f25 100644
--- a/testing/tests/openssl/rw-cert/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
diff --git a/testing/tests/openssl/rw-cert/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
index 42e9d7c24..42e9d7c24 100644
--- a/testing/tests/openssl/rw-cert/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl/ike-alg-ecp-low/description.txt b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
index 4f043e7d9..4f043e7d9 100644
--- a/testing/tests/openssl/ike-alg-ecp-low/description.txt
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
new file mode 100644
index 000000000..3c5ae4138
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
@@ -0,0 +1,13 @@
+moon::cat /var/log/auth.log::ECP_192.*refused due to strict flag::YES
+moon::ipsec statusall::IPsec SA established::YES
+carol::ipsec statusall::IPsec SA established::YES
+carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_224::YES
+dave::ipsec statusall::IPsec SA established::YES
+dave::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..5a4d82699
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+ plutodebug=control
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=aes128-sha256-ecp192,aes128-sha256-ecp224!
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..668998653
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..ac828c182
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+ plutodebug=control
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=aes128-sha256-ecp192,aes128-sha256-ecp256!
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c4211619b
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = aes des sha1 sha2 md5 gmp openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..870271c87
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+ plutodebug=control
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=aes128-sha256-ecp224,aes128-sha256-ecp256!
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..668998653
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl/ecdsa-certs/description.txt b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt
index 2c098d898..2c098d898 100644
--- a/testing/tests/openssl/ecdsa-certs/description.txt
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
new file mode 100644
index 000000000..2aea10135
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
@@ -0,0 +1,15 @@
+moon::cat /var/log/auth.log::ECDSA-256 signature check passed::YES
+moon::cat /var/log/auth.log::ECDSA-384 signature check passed::YES
+carol::cat /var/log/auth.log::ECDSA-256 signature check passed::YES
+dave::cat /var/log/auth.log::ECDSA-384 signature check passed::YES
+moon::ipsec statusall::carol.*IPsec SA established::YES
+moon::ipsec statusall::dave.*IPsec SA established::YES
+carol::ipsec statusall::home.*IPsec SA established::YES
+dave::ipsec statusall::home.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..b0b6ff738
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ plutodebug=control
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
index 3480a434a..3480a434a 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 29709926a..29709926a 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 5f21c1012..5f21c1012 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets
index 4e53ef91a..4e53ef91a 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..9836736c3
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..23813b20b
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ plutodebug=control
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
index 3480a434a..3480a434a 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index 075d8f1e5..075d8f1e5 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
index f628f88e5..f628f88e5 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets
index ebd3a2839..ebd3a2839 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c4211619b
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = aes des sha1 sha2 md5 gmp openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..f22a4ac4c
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ plutodebug=control
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+
+conn carol
+ also=moon
+ leftcert=moon_ec256_Cert.pem
+ rightid=carol@strongswan.org
+ auto=add
+
+conn dave
+ also=moon
+ leftcert=moon_ec384_Cert.pem
+ rightid=dave@strongswan.org
+ auto=add
+
+conn moon
+ left=PH_IP_MOON
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
index 3480a434a..3480a434a 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec256_Cert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec256_Cert.pem
new file mode 100644
index 000000000..d5e61558e
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec256_Cert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec384_Cert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec384_Cert.pem
new file mode 100644
index 000000000..45224b09b
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec384_Cert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec256_Key.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec256_Key.pem
new file mode 100644
index 000000000..66b6315f9
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec256_Key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIE+rz/5axOOEvTVs9nnmKyF1v/rgmdIvam+BfSSS1SGpoAoGCCqGSM49
+AwEHoUQDQgAEhT9S8nuujYBiwVZdkof0rgUP07mQ1+Lf8ff7XSQDLqx5BRpvypoC
+FNqEEe7LDNqdVOIk8rlxpBK+em37PVEkOg==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec384_Key.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec384_Key.pem
new file mode 100644
index 000000000..64f7fcfd1
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec384_Key.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDDvvge4iZDHIaL0IDBs4gVesErZZWOud3NysAEayGW4iTb6wjQLtIVF
+1i7d8lV6Uc2gBwYFK4EEACKhZANiAASuE2owHdaYM4SSbJso8NWW/wnRHtHliphM
+j9To5sEcEt+08d8FfQvWcwmAbCZb2x+d5MnmWKAKI1C+bFw1QavKrtt40owQnrMq
+Uojbf/GpLfuG4GuKjDds7rXf1NXwuQs=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..8a8812e0f
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moon_ec256_Key.pem
+
+: ECDSA moon_ec384_Key.pem
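Review bot: Both `: ECDSA` entries load a private key with no passphrase, and the two key files added by this commit (`moon_ec256_Key.pem`, `moon_ec384_Key.pem`) are stored unencrypted, so anyone with the source tree holds moon's signing keys. That is acceptable for a test fixture only if these keys and the certificates issued for them are never trusted outside the test network. I would state that in the file header, e.g. `# test-only ECDSA keys, published in the source tree - never deploy` directly under the first comment line.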
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..9836736c3
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
new file mode 100644
index 000000000..73fe3096d
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/private/*
+moon::rm /etc/ipsec.d/certs/*
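Review bot: The cleanup lines `moon::rm /etc/ipsec.d/private/*` and `moon::rm /etc/ipsec.d/certs/*` delete everything in both directories on moon, not just the fixtures this test installed. Whether the framework restores moon's default key and certificate before the next test is not visible here; if it does not, later tests on moon would presumably fail to authenticate. Naming the fixtures keeps the cleanup scoped: `moon::rm /etc/ipsec.d/private/moon_ec*_Key.pem` and `moon::rm /etc/ipsec.d/certs/moon_ec*_Cert.pem`.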
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl/rw-cert/description.txt b/testing/tests/openssl-ikev1/rw-cert/description.txt
index 0f721c52b..0f721c52b 100644
--- a/testing/tests/openssl/rw-cert/description.txt
+++ b/testing/tests/openssl-ikev1/rw-cert/description.txt
diff --git a/testing/tests/openssl-ikev1/rw-cert/evaltest.dat b/testing/tests/openssl-ikev1/rw-cert/evaltest.dat
new file mode 100644
index 000000000..1a9b9159f
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::IPsec SA established::YES
+carol::ipsec statusall::IPsec SA established::YES
+dave::ipsec statusall::IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..80dae3719
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+ plutodebug=control
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=3des-sha1-modp1536!
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
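Review bot: `ike=3des-sha1-modp1536!` pins carol to a legacy suite, and moon's ipsec.conf in this test accepts it as its second proposal. Nothing in either file says the suite is there to exercise the plugin rather than as a recommended setting, and test configurations tend to get copied into deployments. A comment above the `ike=` line would cover it, e.g. `# legacy suite, used only to exercise 3DES/SHA-1/MODP-1536 through the openssl plugin`. The same comment fits the `ike=` line in moon's file.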
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e2a83185b
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = test-vectors openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+ crypto_test {
+ on_add = yes
+ }
+}
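Review bot: carol's `crypto_test` block sets only `on_add = yes`, while dave's strongswan.conf in this test also sets `required = yes`; moon's block matches carol's. Without `required`, an algorithm that has no test vector is presumably still registered untested, so the self-test gives weaker assurance on the two hosts that load the `openssl` plugin. If that is deliberate because some OpenSSL-backed algorithms lack vectors, a comment above the block should say so, e.g. `# required is left off: not every openssl algorithm has a test vector`.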
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..73167caad
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+ plutodebug=control
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=aes256-sha256-modp2048!
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..2ba85bb98
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = test-vectors aes des sha1 sha2 md5 gmp pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+ crypto_test {
+ required = yes
+ on_add = yes
+ }
+}
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..f365b07da
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+ plutodebug=control
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=aes256-sha256-modp2048,3des-sha1-modp1536!
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..28d9ab3ba
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = test-vectors openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+ crypto_test {
+ on_add = yes
+ }
+}
+
diff --git a/testing/tests/openssl-ikev1/rw-cert/posttest.dat b/testing/tests/openssl-ikev1/rw-cert/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev1/rw-cert/pretest.dat b/testing/tests/openssl-ikev1/rw-cert/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev1/rw-cert/test.conf b/testing/tests/openssl-ikev1/rw-cert/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/description.txt b/testing/tests/openssl-ikev2/alg-blowfish/description.txt
new file mode 100644
index 000000000..d30d9d2da
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-blowfish/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> as well as the gateway <b>moon</b>
+use the <b>openssl</b> plugin based on the <b>OpenSSL</b> library for all
+cryptographical functions, thus making the <b>Blowfish</b> available as an IKEv2 cipher.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP
+encryption. Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
new file mode 100644
index 000000000..a1f9f6a8e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
@@ -0,0 +1,16 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256::YES
+carol::ipsec statusall::BLOWFISH_CBC_192.*,::YES
+carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::IKE proposal: BLOWFISH_CBC_128::YES
+dave::ipsec statusall::BLOWFISH_CBC_128.*,::YES
+dave::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..62e181012
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=blowfish256-sha512-modp2048!
+ esp=blowfish192-sha256!
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
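Review bot: `ike=blowfish256-sha512-modp2048!` and `esp=blowfish192-sha256!` select a 64-bit block cipher for both IKE and ESP, and the file gives no hint that this is for plugin coverage only. With a 64-bit block the safe data volume per key is far lower than with AES, and the only rekey limit visible here is time-based (`keylife=20m`). I would add a comment above the two lines, e.g. `# Blowfish (64-bit block) is configured only to test the openssl plugin; prefer AES in deployments`. The `ike=`/`esp=` lines in dave's and moon's ipsec.conf for this test would take the same comment.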
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
index e10230384..e10230384 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..26f3f3a04
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=blowfish128-sha256-modp1536!
+ esp=blowfish128-sha1!
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
index e10230384..e10230384 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..31a00f7fb
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536!
+ esp=blowfish192-sha256,blowfish128-sha1!
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
index e10230384..e10230384 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat b/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/test.conf b/testing/tests/openssl-ikev2/alg-blowfish/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-blowfish/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
new file mode 100644
index 000000000..b8efbe87e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
@@ -0,0 +1,17 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
+plugin based on the <b>OpenSSL</b> library for all cryptographical functions
+whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
+plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for
+the Elliptic Curve Diffie-Hellman groups only.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+<b>carol</b> proposes the DH groups ECP_256 and ECP_384 whereas <b>dave</b> proposes
+ECP_256 and ECP_521. Since <b>moon</b> does not support ECP_256 the roadwarriors
+fall back to ECP_384 and ECP_521, respectively.
+<p>
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/openssl/ike-alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
index c9055f89c..009936466 100644
--- a/testing/tests/openssl/ike-alg-ecp-high/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
@@ -1,10 +1,10 @@
-carol::cat /var/log/daemon.log::ECP_256_BIT.*ECP_384_BIT::YES
-dave::cat /var/log/daemon.log::ECP_256_BIT.*ECP_521_BIT::YES
+carol::cat /var/log/daemon.log::ECP_256.*ECP_384::YES
+dave::cat /var/log/daemon.log::ECP_256.*ECP_521::YES
moon::ipsec statusall::rw.*ESTABLISHED::YES
carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ipsec statusall::home.*AES_CBC-192/AUTH_HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384_BIT::YES
+carol::ipsec statusall::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
dave::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*AES_CBC-256/AUTH_HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521_BIT::YES
+dave::ipsec statusall::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
index 0550a09b4..0550a09b4 100755
--- a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
index e10230384..e10230384 100644
--- a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
index 22026fc36..22026fc36 100755
--- a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
index 7ffdcc204..7ffdcc204 100644
--- a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
index ffe13d259..ffe13d259 100755
--- a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
index e10230384..e10230384 100644
--- a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/description.txt b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt
new file mode 100644
index 000000000..4f043e7d9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt
@@ -0,0 +1,17 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
+plugin based on the <b>OpenSSL</b> library for all cryptographical functions
+whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
+plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for
+the Elliptic Curve Diffie-Hellman groups only.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+<b>carol</b> proposes the DH groups ECP_192 and ECP_224 whereas <b>dave</b> proposes
+ECP_192 and ECP_256. Since <b>moon</b> does not support ECP_192 the roadwarriors
+fall back to ECP_224 and ECP_256, respectively.
+<p>
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/openssl/ike-alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
index dc417c21f..e2073d9be 100644
--- a/testing/tests/openssl/ike-alg-ecp-low/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
@@ -1,10 +1,10 @@
-carol::cat /var/log/daemon.log::ECP_192_BIT.*ECP_224_BIT::YES
-dave::cat /var/log/daemon.log::ECP_192_BIT.*ECP_256_BIT::YES
+carol::cat /var/log/daemon.log::ECP_192.*ECP_224::YES
+dave::cat /var/log/daemon.log::ECP_192.*ECP_256::YES
moon::ipsec statusall::rw.*ESTABLISHED::YES
carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ipsec statusall::home.*AES_CBC-128/AUTH_HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224_BIT::YES
+carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
dave::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*AES_CBC-128/AUTH_HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256_BIT::YES
+dave::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf
index 6a15b3f54..6a15b3f54 100755
--- a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
index e10230384..e10230384 100644
--- a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf
index b4bdf456f..b4bdf456f 100755
--- a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
index 7ffdcc204..7ffdcc204 100644
--- a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf
index 64ec0f12c..64ec0f12c 100755
--- a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
index e10230384..e10230384 100644
--- a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/description.txt b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
new file mode 100644
index 000000000..2c098d898
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
@@ -0,0 +1,11 @@
+The hosts <b>carol</b>, <b>dave</b>, and <b>moon</b> use the <b>openssl</b> plugin
+based on the <b>OpenSSL</b> library for all cryptographical functions.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>ECDSA signatures</b>
+using <b>Elliptic Curve certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/openssl/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
index a7243ce70..868da5776 100644
--- a/testing/tests/openssl/ecdsa-certs/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
@@ -1,7 +1,7 @@
-moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful
-moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful
-carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful
-dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful
+moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
+dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
moon::ipsec statusall::rw.*ESTABLISHED::YES
carol::ipsec statusall::home.*ESTABLISHED::YES
dave::ipsec statusall::home.*ESTABLISHED::YES
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
index 4f6fdc567..c75d6b2a1 100755
--- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- authby=ecdsasig
conn home
left=PH_IP_CAROL
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..29709926a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..5f21c1012
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,F36088B0517117B50C1A436E5C84526E
+
+Zulq4O8x8i4P2I8+Ewe2pPJT8K2kzX9JjGhquFKaZdEG1YmXqIdMz41DA1b9cQjt
+KJstY10Gzc/C6Hv9v/ljfplcnumYBFdFsqvQ/Z0xh/G9u/J1gXjghhrQCUXbFble
+RVSwozA9IcCC9yQdhYyazF+85DR+p8AyQ5w2unOvuOk=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..4e53ef91a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
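Review bot: The passphrase for carolKey.pem sits in cleartext on the `: ECDSA carolKey.pem "…"` line, right beside the encrypted key, so the PEM encryption protects nothing once both files are in the repository. Dave's `ipsec.secrets` later in this commit loads daveKey.pem with no passphrase at all. That is acceptable for throwaway test fixtures, but neither secrets file says so, and both secret scanners and people copying test configs will trip over it. I would add a header comment to each file, e.g. `# test fixture only: key and passphrase are public, never reuse outside the test suite`. If the encrypted/unencrypted difference is deliberate (exercising both key-loading paths), the comment should say that too.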
diff --git a/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
index e10230384..e10230384 100644
--- a/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
index ea8bc92a7..080ce9bce 100755
--- a/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev2
conn home
left=PH_IP_DAVE
@@ -19,5 +20,4 @@ conn home
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
- keyexchange=ikev2
auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..075d8f1e5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..f628f88e5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDCF8kl4ftfgcvWH2myFxhc22CUT63uPy28fqUMibnpRS/wf/pfxIrVX
++BhxpUhWS2agBwYFK4EEACKhZANiAAT8RIPAGlTQMAl6oNKdtWXO2MzywN76AFn9
+t9wmSabI29cN8iHk1HiHhlO2i1gMrl4HgbMfpSs1stNC8zxCzoCvt7pUx8wWYO7P
+JDBocD1n1eCSwM67KOfouuPmOML0QgU=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..ebd3a2839
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA daveKey.pem
diff --git a/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
index e10230384..e10230384 100644
--- a/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
index 892e0c39b..c932101d2 100755
--- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- authby=ecdsasig
conn rw
left=PH_IP_MOON
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 5178c7f38..5178c7f38 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
index beab0485f..beab0485f 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets
index 1ef3eccb5..1ef3eccb5 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e10230384
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/rw-cert/description.txt b/testing/tests/openssl-ikev2/rw-cert/description.txt
new file mode 100644
index 000000000..0f721c52b
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/description.txt
@@ -0,0 +1,12 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
+plugin based on the <b>OpenSSL</b> library for all cryptographical functions
+whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
+plugins <b>aes des sha1 sha2 md5 gmp</b>.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
new file mode 100644
index 000000000..06a0f8cda
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
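Review bot: Nothing in this evaltest.dat checks which IKE proposal each roadwarrior actually negotiated, although description.txt frames the test as carol (openssl plugin) and dave (default plugins) each connecting to moon. With only `ESTABLISHED`, ping and ESP checks, the test would still pass if proposal selection on moon regressed. I would add one statusall line per roadwarrior in the style of the alg-ecp tests, e.g. `dave::ipsec statusall::home.*AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES`, plus the matching 3DES/SHA1/MODP_1536 line for carol. The exact status strings should be confirmed against the daemon's output before committing.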
diff --git a/testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
index fbb9cd7e9..4a8baa3ae 100755
--- a/testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
@@ -2,7 +2,7 @@
config setup
crlcheckinterval=180
- strictcrlpolicy=yes
+ strictcrlpolicy=no
plutostart=no
conn %default
@@ -11,12 +11,14 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
+ ike=3des-sha1-modp1536!
+
+conn home
left=PH_IP_CAROL
leftcert=carolCert.pem
leftid=carol@strongswan.org
-
-conn home
+ leftfirewall=yes
right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
auto=add
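Review bot: `ike=3des-sha1-modp1536!` pins carol to a legacy suite, and `strictcrlpolicy=no` drops the CRL enforcement that the file this was copied from (crl-strict) had; neither choice is explained here or in description.txt. Presumably 3DES/SHA-1 is chosen only to push a second algorithm set through the openssl plugin, with moon accepting both proposals. A comment above the line would make that explicit, e.g. `# legacy suite on purpose: exercises openssl 3DES/SHA-1/MODP-1536, not a recommended proposal`. The `conn %default` section these lines belong to starts outside the hunk.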
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..195bcf046
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl test-vectors openssl random x509 pubkey hmac stroke kernel-netlink updown
+}
+
+libstrongswan {
+ crypto_test {
+ on_add = yes
+ }
+}
+
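Review bot: `crypto_test` here sets only `on_add = yes`, while dave's strongswan.conf in this commit also sets `required = yes`; moon's file matches carol's. If the omission is deliberate (presumably because the openssl plugin registers algorithms for which no test vectors exist, so `required = yes` would reject them), a one-line comment such as `# required = yes omitted: openssl provides algorithms without test vectors` would document it. Without it, a reader may "fix" the inconsistency or assume every algorithm on carol and moon was self-tested.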
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
index 3138458ed..42f03aab3 100755
--- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- authby=ecdsasig
+ ike=aes256-sha256-modp2048!
conn home
left=PH_IP_DAVE
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..f4b6dfdb9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac stroke kernel-netlink updown
+}
+
+libstrongswan {
+ crypto_test {
+ required = yes
+ on_add = yes
+ }
+}
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2e84f2e6a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes256-sha256-modp2048,3des-sha1-modp1536!
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..166e24e7c
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl test-vectors openssl random x509 pubkey hmac stroke kernel-netlink updown
+}
+
+libstrongswan {
+ crypto_test {
+ on_add = yes
+ }
+}
diff --git a/testing/tests/openssl-ikev2/rw-cert/posttest.dat b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/rw-cert/pretest.dat b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/rw-cert/test.conf b/testing/tests/openssl-ikev2/rw-cert/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/pfkey/alg-aes-xcbc/description.txt b/testing/tests/pfkey/alg-aes-xcbc/description.txt
index 24a4afe57..cce0e1cd6 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/description.txt
+++ b/testing/tests/pfkey/alg-aes-xcbc/description.txt
@@ -1,4 +1,4 @@
Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC-256/AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b>
+<b>AES_CBC_256 / AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b>
in ipsec.conf. The same cipher suite is used for IKE: <b>ike=aes256-aesxcbc-modp2048</b>.
A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
index 853746cd4..5217c18df 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
+++ b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
@@ -1,9 +1,9 @@
moon::ipsec statusall::rw.*INSTALLED::YES
carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES
-moon::ipsec statusall::rw.*AES_CBC-256/AES_XCBC_96,::YES
-carol::ipsec statusall::home.*AES_CBC-256/AES_XCBC_96,::YES
+moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+carol::ipsec statusall::home.*IKE proposal.*AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+moon::ipsec statusall::rw.*AES_CBC_256/AES_XCBC_96,::YES
+carol::ipsec statusall::home.*AES_CBC_256/AES_XCBC_96,::YES
moon::ip xfrm state::auth xcbc(aes)::YES
carol::ip xfrm state::auth xcbc(aes)::YES
carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
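Review bot: The four updated `ipsec statusall` patterns check the negotiated suite only through the daemon's status text, and the kernel-side checks after them assert just `auth xcbc(aes)`. Nothing in the hunk confirms which encryption transform is installed in the kernel SA, so a fault in the kernel interface that affects both peers alike might still pass the ping. Consider adding `moon::ip xfrm state::enc cbc(aes)::YES` and the matching `carol::` line next to the existing auth checks.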
diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
index db6fa7486..2f3bc449a 100644
--- a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+ load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
+
+libstrongswan {
+ crypto_test {
+ on_add = yes
+ }
}
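Review bot: The new `crypto_test` block sets only `on_add = yes`, which tests an algorithm against the `test-vectors` plugin's vectors when it is registered. As far as I know, an algorithm that has no vector is still accepted unless `required = yes` is also set. If the scenario is meant to show that every loaded implementation passed a known-answer test, add `required = yes` inside the block, or say in a `#` comment that untested algorithms are deliberately allowed. A comment such as `# test-vectors is listed before the crypto plugins so vectors exist when they register` would also explain its position in `load`, presumably the reason for it. The same applies to the dave and moon hunks of pfkey/rw-cert and to the three sql/rw-cert hunks.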
diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
index db6fa7486..2f3bc449a 100644
--- a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+ load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
+
+libstrongswan {
+ crypto_test {
+ on_add = yes
+ }
}
diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
index db6fa7486..2f3bc449a 100644
--- a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+ load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
+
+libstrongswan {
+ crypto_test {
+ on_add = yes
+ }
}
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
index 29e2395e8..329498d28 100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,11 @@ charon {
database = sqlite:///etc/ipsec.d/ipsec.db
}
}
- load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+ load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+}
+
+libstrongswan {
+ crypto_test {
+ on_add = yes
+ }
}
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
index 29e2395e8..329498d28 100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,11 @@ charon {
database = sqlite:///etc/ipsec.d/ipsec.db
}
}
- load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+ load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+}
+
+libstrongswan {
+ crypto_test {
+ on_add = yes
+ }
}
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
index 29e2395e8..329498d28 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,11 @@ charon {
database = sqlite:///etc/ipsec.d/ipsec.db
}
}
- load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+ load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+}
+
+libstrongswan {
+ crypto_test {
+ on_add = yes
+ }
}
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql
index f160fe1d7..2ea4f598f 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql
@@ -24,18 +24,6 @@ INSERT INTO identities (
2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
);
-INSERT INTO identities (
- type, data
-) VALUES ( /* carol@strongswan.org as an EAP identity */
- 205, X'6361726f6c407374726f6e677377616e2e6f7267'
- );
-
-INSERT INTO identities (
- type, data
-) VALUES ( /* moon.strongswan.org as an EAP identity */
- 205, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
- );
-
/* Certificates */
INSERT INTO certificates (
@@ -67,13 +55,13 @@ INSERT INTO shared_secrets (
INSERT INTO shared_secret_identity (
shared_secret, identity
) VALUES (
- 1, 5
+ 1, 3
);
INSERT INTO shared_secret_identity (
shared_secret, identity
) VALUES (
- 1, 6
+ 1, 4
);
/* Configurations */
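Review bot: The join rows now hard-code `1, 3` and `1, 4`, and nothing in the hunk says which identities those ids refer to. The ids depend on the insertion order in `identities`, which is why removing the two type-205 rows earlier in this file forced the renumbering. These rows bind the shared secret (presumably the EAP-AKA key) to peer identities, so a wrong id would bind it to a different identity with no error at load time. Add a comment on each row in the style of the identity inserts, e.g. `/* identity 3: <name> */`, or resolve the id with a subquery on `type` and `data`. The second hunk of the moon data.sql (`1, 3` and `1, 6`) has the same problem.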
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql
index 153c454a9..5d262877f 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql
@@ -32,14 +32,8 @@ INSERT INTO identities (
INSERT INTO identities (
type, data
-) VALUES ( /* moon.strongswan.org as an EAP identity */
- 205, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
- );
-
-INSERT INTO identities (
- type, data
-) VALUES ( /* carol@strongswan.org as an EAP identity */
- 205, X'6361726f6c407374726f6e677377616e2e6f7267'
+) VALUES ( /* carol@strongswan.org */
+ 3, X'6361726f6c407374726f6e677377616e2e6f7267'
);
/* Certificates */
@@ -111,13 +105,13 @@ INSERT INTO shared_secrets (
INSERT INTO shared_secret_identity (
shared_secret, identity
) VALUES (
- 1, 6
+ 1, 3
);
INSERT INTO shared_secret_identity (
shared_secret, identity
) VALUES (
- 1, 7
+ 1, 6
);
/* Configurations */