summaryrefslogtreecommitdiff
path: root/testing
diff options
context:
space:
mode:
Diffstat (limited to 'testing')
-rw-r--r--testing/Makefile.in6
-rw-r--r--testing/config/kernel/config-3.152083
-rwxr-xr-xtesting/do-tests96
-rw-r--r--testing/hosts/alice/etc/swanctl/rsa/aliceKey.pem27
-rw-r--r--testing/hosts/alice/etc/swanctl/x509/aliceCert.pem25
-rw-r--r--testing/hosts/alice/etc/swanctl/x509ca/strongswanCert.pem22
-rw-r--r--testing/hosts/bob/etc/swanctl/rsa/bobKey.pem27
-rw-r--r--testing/hosts/bob/etc/swanctl/x509/bobCert.pem25
-rw-r--r--testing/hosts/bob/etc/swanctl/x509ca/strongswanCert.pem22
-rw-r--r--testing/hosts/carol/etc/swanctl/rsa/carolKey.pem27
-rw-r--r--testing/hosts/carol/etc/swanctl/x509/carolCert.pem25
-rw-r--r--testing/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem22
-rw-r--r--testing/hosts/dave/etc/swanctl/rsa/daveKey.pem27
-rw-r--r--testing/hosts/dave/etc/swanctl/x509/daveCert.pem25
-rw-r--r--testing/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem22
-rw-r--r--testing/hosts/default/etc/hosts2
-rwxr-xr-xtesting/hosts/default/etc/init.d/charon156
-rwxr-xr-xtesting/hosts/moon/etc/swanctl/rsa/moonKey.pem27
-rwxr-xr-xtesting/hosts/moon/etc/swanctl/x509/moonCert.pem25
-rwxr-xr-xtesting/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem22
-rwxr-xr-xtesting/hosts/sun/etc/swanctl/rsa/sunKey.pem27
-rwxr-xr-xtesting/hosts/sun/etc/swanctl/x509/sunCert.pem25
-rwxr-xr-xtesting/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem22
-rw-r--r--testing/hosts/venus/etc/swanctl/rsa/venusKey.pem27
-rw-r--r--testing/hosts/venus/etc/swanctl/x509/venusCert.pem24
-rw-r--r--testing/hosts/venus/etc/swanctl/x509ca/strongswanCert.pem22
-rw-r--r--testing/hosts/winnetou/etc/openssl/index.txt5
-rw-r--r--testing/hosts/winnetou/etc/openssl/index.txt.old6
-rw-r--r--testing/hosts/winnetou/etc/openssl/newcerts/29.pem25
-rw-r--r--testing/hosts/winnetou/etc/openssl/serial2
-rw-r--r--testing/hosts/winnetou/etc/openssl/serial.old2
-rwxr-xr-xtesting/scripts/build-baseimage4
-rwxr-xr-xtesting/scripts/build-guestimages9
-rw-r--r--testing/scripts/recipes/014_swid_generator.mk16
-rw-r--r--testing/scripts/recipes/015_strongTNC.mk22
-rw-r--r--testing/testing.conf12
-rw-r--r--testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/aacerts/aa.pem19
-rw-r--r--testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/carol-sales-finance.pem18
-rw-r--r--testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/dave-marketing.pem18
-rw-r--r--testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/dave-sales-expired.pem18
-rw-r--r--testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/private/aa.pem27
-rw-r--r--testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.d/acerts/carol-finance-expired.pem18
-rw-r--r--testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.d/acerts/carol-sales.pem18
-rw-r--r--testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aa.pem19
-rw-r--r--testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/private/aa.pem27
-rw-r--r--testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.d/acerts/carol-sales.pem18
-rw-r--r--testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.d/acerts/dave-expired-aa.pem18
-rw-r--r--testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.d/acerts/dave-marketing.pem18
-rw-r--r--testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa-expired.pem19
-rw-r--r--testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa.pem19
-rw-r--r--testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa-expired.pem27
-rw-r--r--testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa.pem27
-rw-r--r--testing/tests/ikev2/shunt-policies-nat-rw/description.txt7
-rw-r--r--testing/tests/ikev2/shunt-policies-nat-rw/evaltest.dat12
-rw-r--r--testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf (renamed from testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf)33
-rw-r--r--testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf (renamed from testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf)5
-rw-r--r--testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf (renamed from testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf)12
-rw-r--r--testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules24
-rw-r--r--testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf (renamed from testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf)4
-rw-r--r--testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf (renamed from testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf)33
-rw-r--r--testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf7
-rw-r--r--testing/tests/ikev2/shunt-policies-nat-rw/posttest.dat5
-rw-r--r--testing/tests/ikev2/shunt-policies-nat-rw/pretest.dat11
-rw-r--r--testing/tests/ikev2/shunt-policies-nat-rw/test.conf21
-rw-r--r--testing/tests/ikev2/shunt-policies/description.txt11
-rw-r--r--testing/tests/ikev2/shunt-policies/evaltest.dat16
-rw-r--r--testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/ikev2/shunt-policies/posttest.dat5
-rw-r--r--testing/tests/ikev2/shunt-policies/pretest.dat6
-rw-r--r--testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem34
-rw-r--r--testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem50
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc15
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc15
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc19
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc15
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc15
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc19
-rw-r--r--testing/tests/pfkey/compress/description.txt4
-rw-r--r--testing/tests/pfkey/compress/evaltest.dat12
-rw-r--r--testing/tests/pfkey/compress/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/pfkey/compress/hosts/carol/etc/strongswan.conf (renamed from testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf)1
-rw-r--r--testing/tests/pfkey/compress/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/pfkey/compress/hosts/moon/etc/strongswan.conf (renamed from testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf)2
-rw-r--r--testing/tests/pfkey/compress/posttest.dat4
-rw-r--r--testing/tests/pfkey/compress/pretest.dat6
-rw-r--r--testing/tests/pfkey/compress/test.conf22
-rw-r--r--testing/tests/pfkey/shunt-policies-nat-rw/description.txt7
-rw-r--r--testing/tests/pfkey/shunt-policies-nat-rw/evaltest.dat12
-rw-r--r--testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf27
-rw-r--r--testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf7
-rw-r--r--testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf (renamed from testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf)12
-rw-r--r--testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules24
-rw-r--r--testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf27
-rw-r--r--testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf7
-rw-r--r--testing/tests/pfkey/shunt-policies-nat-rw/posttest.dat5
-rw-r--r--testing/tests/pfkey/shunt-policies-nat-rw/pretest.dat11
-rw-r--r--testing/tests/pfkey/shunt-policies-nat-rw/test.conf21
-rw-r--r--testing/tests/pfkey/shunt-policies/description.txt11
-rw-r--r--testing/tests/pfkey/shunt-policies/evaltest.dat20
-rw-r--r--testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/pfkey/shunt-policies/posttest.dat5
-rw-r--r--testing/tests/pfkey/shunt-policies/pretest.dat6
-rw-r--r--testing/tests/sql/shunt-policies-nat-rw/description.txt7
-rw-r--r--testing/tests/sql/shunt-policies-nat-rw/evaltest.dat12
-rw-r--r--testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf (renamed from testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf)2
-rw-r--r--testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.d/data.sql199
-rw-r--r--testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.secrets (renamed from testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.secrets)0
-rw-r--r--testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf (renamed from testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf)4
-rw-r--r--testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf (renamed from testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf)2
-rw-r--r--testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.d/data.sql (renamed from testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.d/data.sql)85
-rw-r--r--testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.secrets (renamed from testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.secrets)0
-rw-r--r--testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules24
-rw-r--r--testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf13
-rw-r--r--testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf3
-rw-r--r--testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.d/data.sql199
-rw-r--r--testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.secrets3
-rw-r--r--testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf (renamed from testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf)5
-rw-r--r--testing/tests/sql/shunt-policies-nat-rw/posttest.dat8
-rw-r--r--testing/tests/sql/shunt-policies-nat-rw/pretest.dat20
-rw-r--r--testing/tests/sql/shunt-policies-nat-rw/test.conf21
-rw-r--r--testing/tests/sql/shunt-policies/description.txt11
-rw-r--r--testing/tests/sql/shunt-policies/evaltest.dat20
-rw-r--r--testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.d/data.sql227
-rw-r--r--testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/sql/shunt-policies/posttest.dat6
-rw-r--r--testing/tests/sql/shunt-policies/pretest.dat12
-rwxr-xr-xtesting/tests/swanctl/ip-pool-db/description.txt10
-rwxr-xr-xtesting/tests/swanctl/ip-pool-db/evaltest.dat23
-rwxr-xr-xtesting/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf11
-rwxr-xr-xtesting/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf33
-rwxr-xr-xtesting/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf11
-rwxr-xr-xtesting/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf33
-rwxr-xr-xtesting/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf21
-rwxr-xr-xtesting/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf31
-rwxr-xr-xtesting/tests/swanctl/ip-pool-db/posttest.dat11
-rwxr-xr-xtesting/tests/swanctl/ip-pool-db/pretest.dat21
-rwxr-xr-xtesting/tests/swanctl/ip-pool-db/test.conf21
-rwxr-xr-xtesting/tests/swanctl/ip-pool/description.txt10
-rwxr-xr-xtesting/tests/swanctl/ip-pool/evaltest.dat15
-rwxr-xr-xtesting/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf33
-rwxr-xr-xtesting/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf33
-rwxr-xr-xtesting/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf37
-rwxr-xr-xtesting/tests/swanctl/ip-pool/posttest.dat8
-rwxr-xr-xtesting/tests/swanctl/ip-pool/pretest.dat15
-rwxr-xr-xtesting/tests/swanctl/ip-pool/test.conf21
-rwxr-xr-xtesting/tests/swanctl/net2net-cert/description.txt6
-rwxr-xr-xtesting/tests/swanctl/net2net-cert/evaltest.dat5
-rwxr-xr-xtesting/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf34
-rwxr-xr-xtesting/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf34
-rwxr-xr-xtesting/tests/swanctl/net2net-cert/posttest.dat5
-rwxr-xr-xtesting/tests/swanctl/net2net-cert/pretest.dat9
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/net2net-cert/test.conf (renamed from testing/tests/sql/shunt-policies/test.conf)0
-rwxr-xr-xtesting/tests/swanctl/net2net-route/description.txt9
-rwxr-xr-xtesting/tests/swanctl/net2net-route/evaltest.dat7
-rwxr-xr-xtesting/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf34
-rwxr-xr-xtesting/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf34
-rwxr-xr-xtesting/tests/swanctl/net2net-route/posttest.dat5
-rwxr-xr-xtesting/tests/swanctl/net2net-route/pretest.dat9
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/net2net-route/test.conf (renamed from testing/tests/ikev2/shunt-policies/test.conf)2
-rwxr-xr-xtesting/tests/swanctl/net2net-start/description.txt6
-rwxr-xr-xtesting/tests/swanctl/net2net-start/evaltest.dat5
-rwxr-xr-xtesting/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf34
-rwxr-xr-xtesting/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf34
-rwxr-xr-xtesting/tests/swanctl/net2net-start/posttest.dat5
-rwxr-xr-xtesting/tests/swanctl/net2net-start/pretest.dat9
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/net2net-start/test.conf (renamed from testing/tests/pfkey/shunt-policies/test.conf)2
-rwxr-xr-xtesting/tests/swanctl/rw-cert/description.txt6
-rwxr-xr-xtesting/tests/swanctl/rw-cert/evaltest.dat10
-rwxr-xr-xtesting/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf32
-rwxr-xr-xtesting/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf32
-rwxr-xr-xtesting/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf30
-rwxr-xr-xtesting/tests/swanctl/rw-cert/posttest.dat8
-rwxr-xr-xtesting/tests/swanctl/rw-cert/pretest.dat14
-rwxr-xr-xtesting/tests/swanctl/rw-cert/test.conf21
-rwxr-xr-xtesting/tests/swanctl/rw-psk-fqdn/description.txt6
-rwxr-xr-xtesting/tests/swanctl/rw-psk-fqdn/evaltest.dat10
-rwxr-xr-xtesting/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf41
-rwxr-xr-xtesting/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf39
-rwxr-xr-xtesting/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf41
-rwxr-xr-xtesting/tests/swanctl/rw-psk-fqdn/posttest.dat8
-rwxr-xr-xtesting/tests/swanctl/rw-psk-fqdn/pretest.dat17
-rwxr-xr-xtesting/tests/swanctl/rw-psk-fqdn/test.conf21
-rwxr-xr-xtesting/tests/swanctl/rw-psk-ipv4/description.txt6
-rwxr-xr-xtesting/tests/swanctl/rw-psk-ipv4/evaltest.dat10
-rwxr-xr-xtesting/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf40
-rwxr-xr-xtesting/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf39
-rwxr-xr-xtesting/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf40
-rwxr-xr-xtesting/tests/swanctl/rw-psk-ipv4/posttest.dat8
-rwxr-xr-xtesting/tests/swanctl/rw-psk-ipv4/pretest.dat17
-rwxr-xr-xtesting/tests/swanctl/rw-psk-ipv4/test.conf21
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf8
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql2
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf8
-rw-r--r--testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf8
-rw-r--r--testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf8
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf8
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-20-os-pts/description.txt22
-rw-r--r--testing/tests/tnc/tnccs-20-os-pts/evaltest.dat20
-rw-r--r--testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf15
-rw-r--r--testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf21
-rw-r--r--testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf34
-rw-r--r--testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets6
-rw-r--r--testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql29
-rw-r--r--testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf31
-rw-r--r--testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-os-pts/posttest.dat8
-rw-r--r--testing/tests/tnc/tnccs-20-os-pts/pretest.dat18
-rw-r--r--testing/tests/tnc/tnccs-20-os-pts/test.conf26
-rw-r--r--testing/tests/tnc/tnccs-20-os/description.txt13
-rw-r--r--testing/tests/tnc/tnccs-20-os/evaltest.dat4
-rw-r--r--testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf8
-rw-r--r--testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql4
-rw-r--r--testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-20-os/pretest.dat2
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/description.txt (renamed from testing/tests/tnc/tnccs-20-pdp/description.txt)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat (renamed from testing/tests/tnc/tnccs-20-pdp/evaltest.dat)25
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default26
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf (renamed from testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf)2
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem (renamed from testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/certs/aaaCert.pem)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem (renamed from testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/private/aaaKey.pem)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets (renamed from testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql61
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini19
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf (renamed from testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf)13
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf (renamed from testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf)2
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf (renamed from testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf)19
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf (renamed from testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf)2
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets (renamed from testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf (renamed from testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf)20
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf (renamed from testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.secrets)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules (renamed from testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf (renamed from testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat (renamed from testing/tests/tnc/tnccs-20-pdp/posttest.dat)2
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat21
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/test.conf (renamed from testing/tests/tnc/tnccs-20-pdp/test.conf)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt (renamed from testing/tests/tnc/tnccs-20-pt-tls/description.txt)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat19
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default26
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf)2
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules)4
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql)4
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini19
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf)15
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options)3
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf9
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options)1
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf)13
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config (renamed from testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat (renamed from testing/tests/tnc/tnccs-20-pt-tls/posttest.dat)1
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat (renamed from testing/tests/tnc/tnccs-20-pt-tls/pretest.dat)12
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf (renamed from testing/tests/tnc/tnccs-20-pt-tls/test.conf)0
-rw-r--r--testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-pdp/pretest.dat14
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat12
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf25
-rw-r--r--testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt15
-rw-r--r--testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat4
-rw-r--r--testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf8
-rw-r--r--testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql2
-rw-r--r--testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-20-pts/description.txt13
-rw-r--r--testing/tests/tnc/tnccs-20-pts/evaltest.dat16
-rw-r--r--testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf8
-rw-r--r--testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf6
-rw-r--r--testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql2
-rw-r--r--testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config1
-rw-r--r--testing/tests/tnc/tnccs-20-server-retry/description.txt9
-rw-r--r--testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf8
-rw-r--r--testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-20-tls/description.txt9
-rw-r--r--testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf8
-rw-r--r--testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf8
-rw-r--r--testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf17
-rw-r--r--testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf8
-rw-r--r--testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-dynamic/description.txt1
-rw-r--r--testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf1
345 files changed, 6585 insertions, 925 deletions
diff --git a/testing/Makefile.in b/testing/Makefile.in
index f9acc24ad..ced07a413 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -179,6 +179,7 @@ NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
@@ -197,6 +198,7 @@ PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -224,6 +226,7 @@ abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
@@ -315,6 +318,7 @@ srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
diff --git a/testing/config/kernel/config-3.15 b/testing/config/kernel/config-3.15
new file mode 100644
index 000000000..84f71da54
--- /dev/null
+++ b/testing/config/kernel/config-3.15
@@ -0,0 +1,2083 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 3.15.1 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+# CONFIG_COMPILE_TEST is not set
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_HAVE_KERNEL_LZ4=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+# CONFIG_FHANDLE is not set
+CONFIG_USELIB=y
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+# CONFIG_RCU_STALL_COMMON is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_SUPPORTS_INT128=y
+CONFIG_ARCH_WANTS_PROT_NUMA_PROT_NONE=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+# CONFIG_EXPERT is not set
+CONFIG_SYSFS_SYSCALL=y
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_PCI_QUIRKS=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+# CONFIG_UPROBES is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_CC_STACKPROTECTOR=y
+CONFIG_CC_STACKPROTECTOR=y
+# CONFIG_CC_STACKPROTECTOR_NONE is not set
+CONFIG_CC_STACKPROTECTOR_REGULAR=y
+# CONFIG_CC_STACKPROTECTOR_STRONG is not set
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+# CONFIG_BLK_CMDLINE_PARSER is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_INTEL_LPSS is not set
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+# CONFIG_HYPERVISOR_GUEST is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_MICROCODE_INTEL_EARLY is not set
+# CONFIG_MICROCODE_AMD_EARLY is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_CMA is not set
+# CONFIG_ZBUD is not set
+# CONFIG_ZSMALLOC is not set
+CONFIG_GENERIC_EARLY_IOREMAP=y
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set
+# CONFIG_ACPI_APEI is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+
+#
+# CPU Idle
+#
+CONFIG_CPU_IDLE=y
+# CONFIG_CPU_IDLE_MULTIPLE_DRIVERS is not set
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+# CONFIG_PCI_IOAPIC is not set
+CONFIG_PCI_LABEL=y
+
+#
+# PCI host controller drivers
+#
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+# CONFIG_X86_SYSFB is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+CONFIG_NET_IP_TUNNEL=y
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_VTI is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NET_PTP_CLASSIFY is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+# CONFIG_NF_TABLES is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_L2TP=y
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+# CONFIG_IP_SET_HASH_IPMARK is not set
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+# CONFIG_IP_SET_HASH_NETPORTNET is not set
+CONFIG_IP_SET_HASH_NET=y
+# CONFIG_IP_SET_HASH_NETNET is not set
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+# CONFIG_IP_NF_TARGET_SYNPROXY is not set
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+# CONFIG_IP6_NF_TARGET_SYNPROXY is not set
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_IP6_NF_TARGET_MASQUERADE=y
+CONFIG_IP6_NF_TARGET_NPT=y
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_MMAP is not set
+# CONFIG_NETLINK_DIAG is not set
+# CONFIG_NET_MPLS_GSO is not set
+# CONFIG_HSR is not set
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+CONFIG_FW_LOADER_USER_HELPER=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+CONFIG_GENERIC_CPU_AUTOPROBE=y
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_PARPORT is not set
+CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_NULL_BLK is not set
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SKD is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ATMEL_SSC is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_PCH_PHUB is not set
+# CONFIG_SRAM is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+# CONFIG_VMWARE_VMCI is not set
+
+#
+# Intel MIC Host Driver
+#
+# CONFIG_INTEL_MIC_HOST is not set
+
+#
+# Intel MIC Card Driver
+#
+# CONFIG_INTEL_MIC_CARD is not set
+# CONFIG_GENWQE is not set
+# CONFIG_ECHO is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_NLMON is not set
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+# CONFIG_VHOST_NET is not set
+
+#
+# Distributed Switch Architecture drivers
+#
+# CONFIG_NET_DSA_MV88E6XXX is not set
+# CONFIG_NET_DSA_MV88E6060 is not set
+# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set
+# CONFIG_NET_DSA_MV88E6131 is not set
+# CONFIG_NET_DSA_MV88E6123_61_65 is not set
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+# CONFIG_ALTERA_TSE is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+# CONFIG_NET_VENDOR_ARC is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+# CONFIG_NET_CALXEDA_XGMAC is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_CX_ECAT is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+# CONFIG_I40E is not set
+# CONFIG_I40EVF is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+# CONFIG_MLX5_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_PCH_GBE is not set
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+# CONFIG_SH_ETH is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SAMSUNG=y
+# CONFIG_SXGBE_ETH is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC911X is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+CONFIG_WLAN=y
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+CONFIG_FIX_EARLYCON_MEM=y
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_PCH_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_SPMI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+# CONFIG_PTP_1588_CLOCK_PCH is not set
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_APPLESMC is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+# CONFIG_ACPI_INT3403_THERMAL is not set
+
+#
+# Texas Instruments thermal drivers
+#
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_CS5535 is not set
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_KEMPLD is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+
+#
+# Direct Rendering Manager
+#
+# CONFIG_DRM is not set
+
+#
+# Frame buffer Devices
+#
+# CONFIG_FB is not set
+# CONFIG_EXYNOS_VIDEO is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+# CONFIG_VGASTATE is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=y
+# CONFIG_HID_ACRUX is not set
+CONFIG_HID_APPLE=y
+# CONFIG_HID_AUREAL is not set
+CONFIG_HID_BELKIN=y
+CONFIG_HID_CHERRY=y
+CONFIG_HID_CHICONY=y
+CONFIG_HID_CYPRESS=y
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+CONFIG_HID_EZKEY=y
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_UCLOGIC is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+# CONFIG_HID_TWINHAN is not set
+CONFIG_HID_KENSINGTON=y
+# CONFIG_HID_LCPOWER is not set
+# CONFIG_HID_LENOVO_TPKBD is not set
+CONFIG_HID_LOGITECH=y
+# CONFIG_LOGITECH_FF is not set
+# CONFIG_LOGIRUMBLEPAD2_FF is not set
+# CONFIG_LOGIG940_FF is not set
+# CONFIG_LOGIWHEELS_FF is not set
+# CONFIG_HID_MAGICMOUSE is not set
+CONFIG_HID_MICROSOFT=y
+CONFIG_HID_MONTEREY=y
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_XINMO is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+CONFIG_USB_OHCI_LITTLE_ENDIAN=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# USB port drivers
+#
+
+#
+# USB Physical Layer drivers
+#
+# CONFIG_USB_PHY is not set
+# CONFIG_NOP_USB_XCEIV is not set
+# CONFIG_SAMSUNG_USB2PHY is not set
+# CONFIG_SAMSUNG_USB3PHY is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+CONFIG_RTC_LIB=y
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+# CONFIG_VIRT_DRIVERS is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_HP_WIRELESS is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_XO15_EBOOK is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_INTEL_RST is not set
+# CONFIG_INTEL_SMARTCONNECT is not set
+# CONFIG_PVPANIC is not set
+# CONFIG_CHROME_PLATFORMS is not set
+
+#
+# Hardware Spinlock drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_SH_TIMER_CMT is not set
+# CONFIG_SH_TIMER_MTU2 is not set
+# CONFIG_SH_TIMER_TMU is not set
+# CONFIG_EM_TIMER_STI is not set
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers
+#
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+# CONFIG_FMC is not set
+
+#
+# PHY Subsystem
+#
+# CONFIG_GENERIC_PHY is not set
+# CONFIG_PHY_SAMSUNG_USB2 is not set
+# CONFIG_POWERCAP is not set
+# CONFIG_MCB is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_KERNFS=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+# CONFIG_F2FS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+# CONFIG_9P_FS_SECURITY is not set
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+
+#
+# printk and dmesg options
+#
+# CONFIG_PRINTK_TIME is not set
+CONFIG_DEFAULT_MESSAGE_LOGLEVEL=4
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# Compile-time checks and compiler options
+#
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_MAGIC_SYSRQ is not set
+CONFIG_DEBUG_KERNEL=y
+
+#
+# Memory Debugging
+#
+# CONFIG_DEBUG_PAGEALLOC is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_DEBUG_SHIRQ is not set
+
+#
+# Debug Lockups and Hangs
+#
+# CONFIG_LOCKUP_DETECTOR is not set
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_PANIC_TIMEOUT=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_TIMER_STATS is not set
+
+#
+# Lock Debugging (spinlocks, mutexes, etc...)
+#
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_RT_MUTEX_TESTER is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_LOCK_TORTURE_TEST is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_TORTURE_TEST is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_FUNCTION_TRACE_MCOUNT_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+
+#
+# Runtime Testing
+#
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_RBTREE_TEST is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+CONFIG_DOUBLEFAULT=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+# CONFIG_CRYPTO_CRCT10DIF is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_LZ4=y
+CONFIG_CRYPTO_LZ4HC=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_NET_UTILS=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
+# CONFIG_RANDOM32_SELFTEST is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_LZ4_COMPRESS=y
+CONFIG_LZ4HC_COMPRESS=y
+CONFIG_LZ4_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT_MAP=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+CONFIG_AVERAGE=y
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
diff --git a/testing/do-tests b/testing/do-tests
index becb7f181..35f13ec5b 100755
--- a/testing/do-tests
+++ b/testing/do-tests
@@ -491,20 +491,47 @@ do
do
eval HOSTLOGIN=root@\$ipv4_${host}
- for command in statusall listall
- do
- ssh $SSHCONF $HOSTLOGIN ipsec $command \
- > $TESTRESULTDIR/${host}.$command 2>/dev/null
- done
+ scp $SSHCONF $HOSTLOGIN:/etc/strongswan.conf \
+ $TESTRESULTDIR/${host}.strongswan.conf > /dev/null 2>&1
- for file in strongswan.conf ipsec.conf ipsec.secrets
- do
- scp $SSHCONF $HOSTLOGIN:/etc/$file \
- $TESTRESULTDIR/${host}.$file > /dev/null 2>&1
- done
+ if [ $SUBDIR = "swanctl" ]
+ then
+ scp $SSHCONF $HOSTLOGIN:/etc/swanctl/swanctl.conf \
+ $TESTRESULTDIR/${host}.swanctl.conf > /dev/null 2>&1
+
+ ssh $SSHCONF $HOSTLOGIN swanctl --list-conns \
+ > $TESTRESULTDIR/${host}.swanctl.conns 2>/dev/null
+
+ ssh $SSHCONF $HOSTLOGIN swanctl --list-certs \
+ > $TESTRESULTDIR/${host}.swanctl.certs 2>/dev/null
+
+ ssh $SSHCONF $HOSTLOGIN swanctl --list-pools \
+ > $TESTRESULTDIR/${host}.swanctl.pools 2>/dev/null
+
+ ssh $SSHCONF $HOSTLOGIN swanctl --list-sas \
+ > $TESTRESULTDIR/${host}.swanctl.sas 2>/dev/null
- scp $SSHCONF $HOSTLOGIN:/etc/ipsec.d/ipsec.sql \
- $TESTRESULTDIR/${host}.ipsec.sql > /dev/null 2>&1
+ ssh $SSHCONF $HOSTLOGIN swanctl --list-pols \
+ > $TESTRESULTDIR/${host}.swanctl.pols 2>/dev/null
+
+ ssh $SSHCONF $HOSTLOGIN swanctl --stats \
+ > $TESTRESULTDIR/${host}.swanctl.stats 2>/dev/null
+ else
+ for file in ipsec.conf ipsec.secrets
+ do
+ scp $SSHCONF $HOSTLOGIN:/etc/$file \
+ $TESTRESULTDIR/${host}.$file > /dev/null 2>&1
+ done
+
+ for command in statusall listall
+ do
+ ssh $SSHCONF $HOSTLOGIN ipsec $command \
+ > $TESTRESULTDIR/${host}.$command 2>/dev/null
+ done
+
+ scp $SSHCONF $HOSTLOGIN:/etc/ipsec.d/ipsec.sql \
+ $TESTRESULTDIR/${host}.ipsec.sql > /dev/null 2>&1
+ fi
ssh $SSHCONF $HOSTLOGIN ip -s xfrm policy \
> $TESTRESULTDIR/${host}.ip.policy 2>/dev/null
@@ -515,7 +542,46 @@ do
ssh $SSHCONF $HOSTLOGIN $IPTABLES_CMD \
> $TESTRESULTDIR/${host}.iptables 2>/dev/null
chmod a+r $TESTRESULTDIR/*
- cat >> $TESTRESULTDIR/index.html <<@EOF
+
+ if [ $SUBDIR = "swanctl" ]
+ then
+ cat >> $TESTRESULTDIR/index.html <<@EOF
+ <h3>$host</h3>
+ <table border="0" cellspacing="0" width="600">
+ <tr>
+ <td valign="top">
+ <ul>
+ <li><a href="$host.swanctl.conf">swanctl.conf</a></li>
+ <li><a href="$host.swanctl.conns">swanctl --list-conns</a></li>
+ <li><a href="$host.swanctl.certs">swanctl --list-certs</a></li>
+ <li><a href="$host.swanctl.pools">swanctl --list-pools</a></li>
+ <li><a href="$host.strongswan.conf">strongswan.conf</a></li>
+ </ul>
+ </td>
+ <td valign="top">
+ <ul>
+ <li><a href="$host.swanctl.sas">swanctl --list-sas</a></li>
+ <li><a href="$host.swanctl.pols">swanctl --list-pols</a></li>
+ <li><a href="$host.swanctl.stats">swanctl --stats</a></li>
+ <li><a href="$host.auth.log">auth.log</a></li>
+ <li><a href="$host.daemon.log">daemon.log</a></li>
+ </ul>
+ </td>
+ <td valign="top">
+ <ul>
+ <li><a href="$host.ip.policy">ip -s xfrm policy</a></li>
+ <li><a href="$host.ip.state">ip -s xfrm state</a></li>
+ <li><a href="$host.ip.route">$IPROUTE_DSP</a></li>
+ <li><a href="$host.iptables">$IPTABLES_DSP</a></li>
+ </ul>
+ &nbsp;
+ </td>
+ </tr>
+ </table>
+@EOF
+
+ else
+ cat >> $TESTRESULTDIR/index.html <<@EOF
<h3>$host</h3>
<table border="0" cellspacing="0" width="600">
<tr>
@@ -546,7 +612,7 @@ do
</tr>
</table>
@EOF
-
+ fi
done
for host in $RADIUSHOSTS
@@ -653,7 +719,7 @@ do
for host in $IPSECHOSTS
do
eval HOSTLOGIN=root@\$ipv4_${host}
- ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated|imcv' \
+ ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated|imcv|pt-tls-client' \
/var/log/auth.log" >> $TESTRESULTDIR/${host}.auth.log
done
diff --git a/testing/hosts/alice/etc/swanctl/rsa/aliceKey.pem b/testing/hosts/alice/etc/swanctl/rsa/aliceKey.pem
new file mode 100644
index 000000000..51f9c0d92
--- /dev/null
+++ b/testing/hosts/alice/etc/swanctl/rsa/aliceKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA2I1qSBHmly3Q2qKt88kRv17dhmRge+pn9FQnoRr1kYTwq5DE
+YAe4tapp//casv8tgizV9MnslM0y749J5zyR/0jkDEi0/Nv65LAj2FdDGGU0nxX5
+mOz1DcZf/n3BLcNwcXiLxvzwj9/tosbAc6hHJP9Rk9c8YisdL1RaH/nT/9D8Yut6
+K+hbrkJ+Pug2LfAxNjBkHkzI9jmr0xFxjIQ9rQY0zQbPNh8gSRDPye5Iv+pZCuYu
+aVLoq3DkvcdexRoqKca3TEjuMsZaHjKyeuMw3ErNG3YshOpI+2hNNHYkHprn/rnj
+iYHYUYSulJ38uAZObDM6CWhkumxCCw3rGOlS+wIDAQABAoIBAFh3/ZGP7pqYlxib
+GWHdJSj/gpTi8R/utaV1s/L3ZpearhAJRpDM1sMw6bkupHO4GEl0M7ybudFYu5Ru
+/4w+jI60oqX6FiavYCKJazt4+uo+fm73tU6qj7qe7pyzl3YwwAE7dC9JKqY8n4K+
+m+UkPFx7CkLRzdN1NakeVut1TwzU/cUtAV8iY1yEtw/KyiyL/I7aJ3zZ1pg+5kRS
+JLKDrRlf0xQ+I7AY12XrSimbLqxmyVmWq74Fm/YAWGgvi/Nx04Zg/C4wp4A+izFt
+N8zWjktY1brRrCnRfUEcevv5hPqFxfOPFmB9x7mX/8eH5v2T+XR9swoF92xWHxQ5
+7tcB4NECgYEA69dBy4God5TW1FyT7DbgKHd7BVtOVLjsbQxc8UNBN/mHemUGMs1v
+lemW0ZPddU2/rqd3jlZuP4zv/6D9OZ0omi8auejO2WwAbut6JBX+dlvF9+owyU3h
+CraycFaxZIMn+JzXbIunmVUrVE1QvpBFaNXlC47cO8CmQlMV0nChzZ8CgYEA6xAV
+F1L0iqISsCu0q1iM4LtHVT944o815B8RlREOPxROXJaJQ8phVQgT5PXRkHZDn55Z
+mKqkAX2KwjBQj0KfUvmJ6D8T6OZOe08/oSwiBrBpSQsH3AA7mmDXyT3gRsma0jnj
+cNGjecG9VXbJiZnBetGdLuvSnVYfdkcw4atthSUCgYEAhaFMaJEo8cjmCSIDtt5J
+GOTKUfiwY5T8cbWFnDatZ5f9yb4gSvzYcysOB+Yun17Uc5P0TDRw95VWD5Qap2CD
+NwnlrN1bBxsJC9BlPrkvm8TYYWbTCd0U3Es0xC57CSa/qUDFV32yE1GM4ZGFZNS+
+X26C/4+M/lZkXkRRoxGqvKUCgYEAugOyDRESf5qeG1ea03Vxlm3dlzJxYShfRzTm
+3wXuNjDFijN+UG0Y9Qc9ZxS4UA+ml+vhjxSKULueUOmW9qeMGUdrwKQaB1YpiR8/
+hTW9f3me97SI9aohgJteZ9xVXO8xW2d/+smLClEsmTM1bXSFTcIPFxB7TRLYNutD
+XXIhaxkCgYBEQECMTKNZcGf67fjmA6PMpMGlwbVGmyXYYK4I+IRNUFWyrpNalmr/
+LXj7m1EYcx4BK7BrpDUgnm8q37BAwYOioLJFWLK58iW1B+Qvg6jlwnr+ZaYhZx94
+D/SL9GuQQTQtxlFex4Wale7R8xNdt7xuVJD6pE3mFVkXN4+OrI+EWQ==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/alice/etc/swanctl/x509/aliceCert.pem b/testing/hosts/alice/etc/swanctl/x509/aliceCert.pem
new file mode 100644
index 000000000..49fe4b80b
--- /dev/null
+++ b/testing/hosts/alice/etc/swanctl/x509/aliceCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEHzCCAwegAwIBAgIBGTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA5MDgyNzEwMDcyNFoXDTE0MDgyNjEwMDcyNFowVzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
+MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBANiNakgR5pct0NqirfPJEb9e3YZkYHvqZ/RUJ6Ea9ZGE
+8KuQxGAHuLWqaf/3GrL/LYIs1fTJ7JTNMu+PSec8kf9I5AxItPzb+uSwI9hXQxhl
+NJ8V+Zjs9Q3GX/59wS3DcHF4i8b88I/f7aLGwHOoRyT/UZPXPGIrHS9UWh/50//Q
+/GLreivoW65Cfj7oNi3wMTYwZB5MyPY5q9MRcYyEPa0GNM0GzzYfIEkQz8nuSL/q
+WQrmLmlS6Ktw5L3HXsUaKinGt0xI7jLGWh4ysnrjMNxKzRt2LITqSPtoTTR2JB6a
+5/6544mB2FGErpSd/LgGTmwzOgloZLpsQgsN6xjpUvsCAwEAAaOCAQYwggECMAkG
+A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQF2gQgjAL0KEcKz2x3LQZm
+E9qGPDBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG
+A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0
+cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu
+Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
+L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBWv4PhHGVpiLF5M3Rn
+qQLSoRFjKqn3N9We81RWwVRpBzwoUEaHizelaVct9FJg6t7Fk/D8F0wag5EFKlcg
+KQ8fd/0qLE393uwGb4Dvql2w49NFFDUsk5FC+pMUDAYsWHyFu26WKY5kfaMwNMNJ
+HK6e4m6+Wmoy5ulkatwDJRDqkyG11YJ/p0n0HAG1DBJoL9079U+xQxT+9a2f7TaO
+B/UbQNOvOgqaddk5uUDTjqnY/bltbAAuuI1ZNMrPCCNUorcdhySJb1tlF/JXTTB6
+N60XqYRYnk5T1yftNU0AA26ggskv4MMDwgYCGsyZuCX9vW+XsArRQJ5fsSZDiO7R
+8FT2
+-----END CERTIFICATE-----
diff --git a/testing/hosts/alice/etc/swanctl/x509ca/strongswanCert.pem b/testing/hosts/alice/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..0865ad22e
--- /dev/null
+++ b/testing/hosts/alice/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG
+A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j
+BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw
+FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv
+b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in
+Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n
+1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y
+vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si
+7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa
+Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/bob/etc/swanctl/rsa/bobKey.pem b/testing/hosts/bob/etc/swanctl/rsa/bobKey.pem
new file mode 100644
index 000000000..e74392bce
--- /dev/null
+++ b/testing/hosts/bob/etc/swanctl/rsa/bobKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA18MU7aM5sSmlIQtE+R78VUoXzOY0ECsCM0lQGXl1KQYENri0
+/R5/ye26GlCBNV39dcwkSJXMuV5LqYWtoH6hJkW3n2ADq/zRbguKTxA3iY1oP5og
+maPfwx9olrwr1OBgnK2Pyyg3g6Ci/X3PR+RU7QP2NboG6KDjtcqFdOHqLTJr5mHK
+lLQl/ofzn/cTNMNJumqAyFwIY3ChDzIP1i+WnFrlVWljjWvsex6EFA3vvTIKAdVZ
+mqAe+1WGiu9owYW76JxfBoxG90YrpH7jCDpOcjfTh8wPTgyW0w70ppkJLYf6BBwC
+/7czkNs4xKbbCr8Kv93axm3URDv3Kd/SOf2URQIDAQABAoIBAQC/GZwptk5c6ePF
+1rNqatVXvV5DLwmh4FX8ksyNI5Rvl1KYHRTAtAi/Ev2oXPF0ESFy+jKQz40aCbi+
+FxZndoDI4yr10BaweCYOb846pMRr4oEZBCwnqIuByQnbqCKyU2F+pAMeDyrMPLTg
+DFRQ+p11p/KkN3XzCL1mwE9f7NB64fIwIaoAPb5EzELq3SXbBn1MCDPcvZEeyqUW
+jW9OGe2hmen7Vk7JLE+2XU6Wyo6X4RWkj2lpOxofuxff4pI+xoiWmZxV93FzZoCo
+R55TP0AtgyRUQyRrSgSV8T34sZI79ZBt1N6JBdnOl8sl4niQu5laBKJGKWnEiiPE
+w7vUmHLBAoGBAP45AScORw0eb8K4Xy1UAaWZnSzN4z35QxkjelQ05Hkd9lrpwRBz
+Us2Yo35spvaI+/sYmnYC6vdnFRTdhVfHY4uTyODWOawhMM1mnWoRo0MohCyBBOjZ
+XGeOROWV4uGld6dLj4zoKfDWyw2y9ChT8kxidSmJajxese6DovTv1ov5AoGBANlF
+PgRyOCUZK5I1XTzkbt4GMUrRh3gAnTM84enjJHtxo+IZuwhVA8wgfl6k+LXAP49k
+si3HnmsAAezqFJOapbBf9zZSCTPTYDFk9qyu8TXw32K48obhb3Ns80Ba4sqVCixo
+K3NpOE5OaNxEdBHmi39RJf1fyUNZ+u+cz4xXdiWtAoGAChXo3cvLNdIHTQpTfFDg
+39kAS06/vS2uY8jsiXqvtb5ij6jGaAirOEzd754P4af9lzCasCPdfoMwaut+5sSa
+RmdOiNz23MVUUlHH3PVmLLvmwn073KEC8XjLcvBHV/xgitqMj2KGh29+DsUSuqbZ
+7f3Z+BPjixGWrYe7Z0w8jsECgYEA1a/MNwM/RP1kZQAnG2Rvxd3BTRyWZ+fytBoE
+9st3bhFuZUl5MdCrU3AB2YPXOKpD2PvoYi4aGJKBUklGw4UtwDIiKUK12kriKLJs
+CZplke+9RJMxtIaz3oohFAJPW38J6nLpiTDLN/jWGQ0aOyDLwgRFoNU8VQmCS3em
+iRjcEmECgYEAgyrUsD+qScWzS3GvkZITcy20+iCVfxXH8ZznNVHGFoFZ+3uu/kH+
+u0yXPXPux2t5P2+Ybm4ojV09/QWaJgHVoL7PBiyk5AhXO0A1EK0NG8uJeYaMthJk
+D6RrYXqdmKrSEDTh2DvE6W149sRgO2Z3b0FGgzjYjhSFF/ePZxAFiIQ=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/bob/etc/swanctl/x509/bobCert.pem b/testing/hosts/bob/etc/swanctl/x509/bobCert.pem
new file mode 100644
index 000000000..00ecd5a2d
--- /dev/null
+++ b/testing/hosts/bob/etc/swanctl/x509/bobCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEHjCCAwagAwIBAgIBGjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA5MDgyNzEwMDgxOFoXDTE0MDgyNjEwMDgxOFowWDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRswGQYDVQQDFBJib2JAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDXwxTtozmxKaUhC0T5HvxVShfM5jQQKwIzSVAZeXUp
+BgQ2uLT9Hn/J7boaUIE1Xf11zCRIlcy5Xkupha2gfqEmRbefYAOr/NFuC4pPEDeJ
+jWg/miCZo9/DH2iWvCvU4GCcrY/LKDeDoKL9fc9H5FTtA/Y1ugbooOO1yoV04eot
+MmvmYcqUtCX+h/Of9xM0w0m6aoDIXAhjcKEPMg/WL5acWuVVaWONa+x7HoQUDe+9
+MgoB1VmaoB77VYaK72jBhbvonF8GjEb3RiukfuMIOk5yN9OHzA9ODJbTDvSmmQkt
+h/oEHAL/tzOQ2zjEptsKvwq/3drGbdREO/cp39I5/ZRFAgMBAAGjggEEMIIBADAJ
+BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUYUK/uIcou7BS8ODHk9Ro
+PGJP1FcwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
+BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
+dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHQYDVR0RBBYwFIESYm9iQHN0cm9uZ3N3YW4u
+b3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcv
+c3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQELBQADggEBAEIkmrK7GPm4H/FAEVCN
+775XpuofsfGjT/bO/aPCqb+uPwwcKeUfxzICQDEqMv+mtxGuLjtfmTWwUcoPMgN+
+2HZDJGa1+kK2VLUz3QBIQXSdusbITb0ND/xCvbGwsk9y/0DGBnAo3xNBNM73ZQ8k
+/A7mQ2nnQfzI9gQ342FOuTTb/kwrVNixQI3dhvf6Th5Dj5rZfQs6c09+9jRLGBFx
+g7qQ1gej0fi6XYX4cSNwluu/Vo6xT5epEeTU5KoYn0mtOqFx6AY8xzIqQLvY4m8g
+viGoGRqId1gqNiEfshb8KICPI29WyiBRzMKO6reeb+446A9CSLgMW0Ze3SCRXrjr
+2nQ=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/bob/etc/swanctl/x509ca/strongswanCert.pem b/testing/hosts/bob/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..0865ad22e
--- /dev/null
+++ b/testing/hosts/bob/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG
+A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j
+BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw
+FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv
+b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in
+Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n
+1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y
+vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si
+7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa
+Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/hosts/carol/etc/swanctl/rsa/carolKey.pem
new file mode 100644
index 000000000..ce17e7111
--- /dev/null
+++ b/testing/hosts/carol/etc/swanctl/rsa/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA0F1ZT4EXvHiXKj7EeevhQA5Tz3JBC5Pm90+hfPHqRE+yNgC6
+6S2BdH5JouRAfD9hGAM9IqPmfOaaU5B/+tZGv7w7ar4L3ZpQgKaQ29kZqajnDZaU
+4xnpPl2TYe/5AzrFP8bNbJWvV0xi7/u3LAPUHDtpb8eqRERIO7qr3lVa74vODpeX
+EI0R7PRixms398LoEvarMoCowFsgcVbw46eH6cRjggXkDORmcWvDXYYjvZnzzanD
+3uXIrBmFLP8YxAUEnH6uc13Dk/UgnBOUbk9R2gMK178xyvWKID7M6i/HnnHUagbF
+26hdZTl6Ct/Uy1qVF/09zxevirdYQpMCaxmtUQIDAQABAoIBAQCKhvVgoS/Zssa1
+ZGOVt1fbEWtxCMHr45nzpDJ18hPQ9LdDpfqeGg3uGCP2sw+YSz7PCyAzDoqnUV0a
+33/mkV0aDhfmoJEc9II+9f5q24xvOobahtlXnxttxiK9QyDnn8QR4acjYOThAjzo
+1g3yqlzzpCA2G6W8mzT22OV4/IBnrvRX/ypakffHyKTyQsxGqxz/GNbRpNi4K1eR
+3x8YoEuMstojXDp5WQD6f/u8tLHQeaUEZzeU7spedcjBatJViWVFNRX1cYC43FGH
+EKqHTNO83t3xCdW1U8J6NRQ3+cG834lA8/+GMt1Z9sjgEQe0u/ScbFQJtunssp6t
+ozOAD6XRAoGBAPVTcEXQZ99NeG32fhz+oBzjym3j8Gvkjv2LTcSMHsGacRADh17i
+AjQ8hRyPlw0hYKLk0RCNpkN69rzProA/YfxFBYKomqCQbLpl/HAzqlhMGioX6Wsv
+NolRrtqlJh9uHBSZnPp/TECRiQ7/KBy05vNyCfS21XeGB8rsoKFRN3RtAoGBANlu
+N5ultO1gTYSn7XFnih8jORt0mmlyib077l0XmFr4kmT17DXT43seRNb9r+yKeK4Z
+ngu2gPWfmAC7iUulsx7pZPPdwULzYYNc9Joe23UzD0TzPCbFbgdSrj/g33YIOLZD
+e5mhMctUTWTamWuvO8P1cJzHXxNLBIzeu/i+0aX1AoGAF+LY4qNJCc/0Mti2LMKJ
++mYfdpWj+g1V8s/WcZWnBPixm3qMequMxWNDHqXIcknWq+WViYQRNS7KyVV7Sxdg
+xfw+bhtWet21CG0XqCEPq+s0/PY5DuuY5sPiP32m+ZZx+3t9clJkrUC+VIx5bloa
+xodK+t22aR3Osm5ZsXtD5/0CgYEArJDLVZ8In7VlELnuu6i/eMMN2fqLatFa/HOK
+VRwa8WiDV9nOpVIMI3T8kd06OPQVn6f5RbaNV2RY0YwGBaH3LbtzQhFoB2j+pbGq
++H8xEi16GvEpdmQPVYSLg2tIL3eK+y1H9cB3sravzjGovkyPlJFB1Uxu6vMJI3zL
+lzprTdkCgYAl7EF4x/fAF8Rqk/vbcuLjsZmuM8n6aDT4G3W0gc1nVhJMdEyCGxJr
+B+qYUtxY3kDMh/FgIJ2K87S6xIYneNPiHL/fzbv6rYkRUA9DpDBBuI7vsnxmrf/+
+ucit2V0aTtBfC9gaTtp5/UoIhaSjutDc3ez4NAHBnfch1sxxY8QSXg==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/carol/etc/swanctl/x509/carolCert.pem b/testing/hosts/carol/etc/swanctl/x509/carolCert.pem
new file mode 100644
index 000000000..6c41df9c7
--- /dev/null
+++ b/testing/hosts/carol/etc/swanctl/x509/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBHTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA5MDgyNzEwNDQ1MVoXDTE0MDgyNjEwNDQ1MVowWjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBANBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx
+6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZ
+Gamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95V
+Wu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12G
+I72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOov
+x55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVECAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQfoamI2WSMtaCiVGQ5
+tPI9dF1ufDBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC8pqX3KrSzKeul
+GdzydAV4hGwYB3WiB02oJ2nh5MJBu7J0Kn4IVkvLUHSSZhSRxx55tQZfdYqtXVS7
+ZuyG+6rV7sb595SIRwfkLAdjbvv0yZIl4xx8j50K3yMR+9aXW1NSGPEkb8BjBUMr
+F2kjGTOqomo8OIzyI369z9kJrtEhnS37nHcdpewZC1wHcWfJ6wd9wxmz2dVXmgVQ
+L2BjXd/BcpLFaIC4h7jMXQ5FURjnU7K9xSa4T8PpR6FrQhOcIYBXAp94GiM8JqmK
+ZBGUpeP+3cy4i3DV18Kyr64Q4XZlzhZClNE43sgMqiX88dc3znpDzT7T51j+d+9k
+Rf5Z0GOR
+-----END CERTIFICATE-----
diff --git a/testing/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem b/testing/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..0865ad22e
--- /dev/null
+++ b/testing/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG
+A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j
+BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw
+FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv
+b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in
+Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n
+1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y
+vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si
+7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa
+Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/dave/etc/swanctl/rsa/daveKey.pem b/testing/hosts/dave/etc/swanctl/rsa/daveKey.pem
new file mode 100644
index 000000000..c0a5b42d1
--- /dev/null
+++ b/testing/hosts/dave/etc/swanctl/rsa/daveKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAwAfyU28FWOaDRdPvAXoXW3NDTnl/m5dEjnIKWYWup2zAUDuN
+Y7TiOa+V24PbCvZfg2Dp2UGRLBISFWQ6CvMhiPxSBBPoFkX/ji5iPJNivhtXZJUw
+v1T9rWVjEGEFrOlJ194olaR3HCNwkKqiVnvX2bCLKtCfY/YbuofXRiBG6J+kVwyz
+yOQyIiCnN69IwxzQ7CFA83I7lHQsShQjLh1An2tTwYqqY+aT+l09BoCOlI24JzVj
+0z29msROz9ceYEJlcIhYmLPlU4dn6vTvcTcZ5/2Jsy5OP2DZcu8WF0N9TboUr0aR
++47CdaeFUrrp2Kr3HD1CrKeT7wrQnhrzU9qrdQIDAQABAoIBAQCB4t4dYPKU9xXD
+nV4D+bjiukvEQJn3e5F7Z9doReukgwJxQlaYIjkCG6mZGM6H0603B84kjRzMWkyw
++2HnFhyQs1omN/C7YA1C9kyr/GTFgWjTN7YJNEuBhRpEcduM4R55TGLXFK8b8Tyq
+HUBAjvOo4qi/BO1Kh6Spvkf1vs83d9clTParD/Tz4QkjUzR5awMKHgOVGgrmTiJL
+Miao6ZF0gl6qh377xc3gzQdWh6kIb2RWVL2lR/iSdDP47s2ez8ubMO1v9mu05bc0
+H5YmCVeY4nkzjlVARdCuPulKHxBkStiPEOfnGZkj1F1fjfIoOFnD9MQSYkJuZUoE
+6JWiG7QBAoGBAOouYy7W0xRlXGTrahjU9JL+o3nKCRQmvX84Hxy9fx95tz1pS5U4
+7Gk7JFmS9qKhspInnblpjqxA5D3zqoO2gspatg7QfQJpLhbGXLqR7pqp92jbK+mh
+4KITqTZRpohtzTWqPxFupzKHo5qDDMJ3m8ArnIVmxM+M0lzpn6Awq5ZVAoGBANHs
+NR2voz//E6ZMSpgKb2l3NecFwdwqQQtzghD0wFnNBYV55DJNRuW7DB5t9EdtGgAg
+b2bPG+I2RdsZPGnL0EU5+H4rP0YXBGAxoVdaFqjnG5mIRN8mAdnWeVhCH3XBmUP1
+OFe1aghYMyC0ioXe8Vt1yaxeSiMjY4JKtma2DKChAoGBAIedv4CDlg/Mt1oWXwXs
+ZYqu/nrsPp+1463GEXZyYykWMsDUtpm/MmGqh118V2pNW/16BcQ3VhF5LvSVpNzM
+GCgZqi8gHBUGVlOIInFFS7mzznyh2GdfgJg77JVxaZC+jcWTRxzQSPFhTaSQWhZQ
+cBk06Fr07esIMVbvUKrTJLtVAoGBAIFCMsqetaTYSZ8iZuQLuOJ19wjTsLUCh56n
+dzU9n5sr9PRlQ6/9iWQ3spSiG8JHWbUuQ6pIaOD3jjgE6AA08X9O3MXDl2hvD9Cz
+fqcs37sM4x+8mrvUyVr7ByjjPj/h/5+qxRCssieFN6YxxQH9bxxkANRUEs5kIge+
+PWYtPsVBAoGAVako4J2YAfaD67Yl5u2XOWrBzVWzWNeqBsiAF1nCpR1RfeH4jFN/
+Uy/qbPVjdm14GNwd5wtI0xwBAsrTVit78DoxC2MUKMIuq9xVVakKX8UxBmCnldkW
+uhtXwJWH9pfQncCSrEaecfDkL8YVPDX/4XeJjqHpKqbyjTuGv+MK1Yw=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/dave/etc/swanctl/x509/daveCert.pem b/testing/hosts/dave/etc/swanctl/x509/daveCert.pem
new file mode 100644
index 000000000..f212e19cf
--- /dev/null
+++ b/testing/hosts/dave/etc/swanctl/x509/daveCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBHDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA5MDgyNzEwMzczOVoXDTE0MDgyNjEwMzczOVowWzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291
+bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDAB/JTbwVY5oNF0+8Behdbc0NOeX+bl0SOcgpZ
+ha6nbMBQO41jtOI5r5Xbg9sK9l+DYOnZQZEsEhIVZDoK8yGI/FIEE+gWRf+OLmI8
+k2K+G1dklTC/VP2tZWMQYQWs6UnX3iiVpHccI3CQqqJWe9fZsIsq0J9j9hu6h9dG
+IEbon6RXDLPI5DIiIKc3r0jDHNDsIUDzcjuUdCxKFCMuHUCfa1PBiqpj5pP6XT0G
+gI6UjbgnNWPTPb2axE7P1x5gQmVwiFiYs+VTh2fq9O9xNxnn/YmzLk4/YNly7xYX
+Q31NuhSvRpH7jsJ1p4VSuunYqvccPUKsp5PvCtCeGvNT2qt1AgMBAAGjggEFMIIB
+ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU7n842u6huBpBd394
+8mdL6EOdjg4wbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAyAbxrpMtTARw3
+jvBwuapaHXnTppz+TkWyfXVpgTwtPlf3rbhPk4DjhT2ygyMTI1azoqProf2aBbDr
+DldCSQPsZAcuzOdruKKMo2CQwgLuBFXL+JUX0hiIpFS1ZZHA2aDKyUw4OyADOvDU
+8r1/WiwRb91TdYP9nEu9qP30k0vkUg8DCbCmPI1/MVaxVzh9LRAFyOHrnKSCXG7o
+StmVFm2Yf3pE4HS1W6DtommyPs7aUD5XAaQdr3DYKI/TazoU6t5g2aEqigu+pj2M
+qk5idJkx5VCFvUU1hlChyX6NNNjJNnV6u5YiuatcdYQhpCTBsxnBoM+w0BvNOCl+
+1PdgEy1K
+-----END CERTIFICATE-----
diff --git a/testing/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem b/testing/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..0865ad22e
--- /dev/null
+++ b/testing/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG
+A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j
+BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw
+FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv
+b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in
+Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n
+1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y
+vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si
+7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa
+Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/default/etc/hosts b/testing/hosts/default/etc/hosts
index 75a8fdd2a..bcb766aa1 100644
--- a/testing/hosts/default/etc/hosts
+++ b/testing/hosts/default/etc/hosts
@@ -12,7 +12,7 @@
10.1.0.254 uml1.strongswan.org uml1
10.2.0.254 uml1.strongswan.org uml2
-10.1.0.10 alice.strongswan.org alice aaa.strongswan.org
+10.1.0.10 alice.strongswan.org alice aaa.strongswan.org tnc.strongswan.org
10.1.0.20 venus.strongswan.org venus
10.1.0.30 carol2.strongswan.org carol2
10.1.0.40 dave2.strongswan.org dave2
diff --git a/testing/hosts/default/etc/init.d/charon b/testing/hosts/default/etc/init.d/charon
new file mode 100755
index 000000000..f372fb0d8
--- /dev/null
+++ b/testing/hosts/default/etc/init.d/charon
@@ -0,0 +1,156 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: charon
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: strongSwan charon IKE daemon
+# Description: with swanctl the strongSwan charon daemon must be
+# running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_ARGS \
+ || return 2
+ # Add code here, if necessary, that waits for the process to be ready
+ # to handle requests from services started subsequently which depend
+ # on this one. As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ # Wait for children to finish too if this is a daemon that forks
+ # and if the daemon is only ever run from this initscript.
+ # If the above conditions are not satisfied then add some other code
+ # that waits for the process to drop all resources that could be
+ # needed by services started subsequently. A last resort is to
+ # sleep for some time.
+ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+ [ "$?" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f $PIDFILE
+ return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ #
+ # If the daemon can reload its configuration without
+ # restarting (for example, when it is sent a SIGHUP),
+ # then implement that here.
+ #
+ start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+ return 0
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+ #reload|force-reload)
+ #
+ # If do_reload() is not implemented then leave this commented out
+ # and leave 'force-reload' as an alias for 'restart'.
+ #
+ #log_daemon_msg "Reloading $DESC" "$NAME"
+ #do_reload
+ #log_end_msg $?
+ #;;
+ restart|force-reload)
+ #
+ # If the "reload" option is implemented then remove the
+ # 'force-reload' alias
+ #
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
diff --git a/testing/hosts/moon/etc/swanctl/rsa/moonKey.pem b/testing/hosts/moon/etc/swanctl/rsa/moonKey.pem
new file mode 100755
index 000000000..4d99866f7
--- /dev/null
+++ b/testing/hosts/moon/etc/swanctl/rsa/moonKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm
+MPvvkhl7dwj12//qfklihpZtdazxO9XkN3oYIdgt4QLq35ljtIkEGgsPn3a3niFQ
+qjkCDj+lKmd9u4ecmGKR5PFUL+LwSU6cXJVNT6p1oXqntWZS8bFu+9y0Zpf30Lf1
+ILyZAgU2WTjSzTHyvu0w52GlbALZ3ILwze/J1DRHtqmPdiiu0qwSekqVBIOPZudR
+fl4LBnLIFlR0vOaJ9zpvxuPHKyxFSY3bvAsXsEkVYG/pTyVsx3fELFNFYP+75arN
+2UTMjbTSq6+KKUr1WwOmoBpU14Qwq3g4l1PChwIDAQABAoIBACBFB/Xqajv6fbn9
+K6pxrz02uXwGmacXAtVIDoPzejWmXS4QA4l17HrJDmelSnhelDKry8nnYHkTrTz7
+mn0wQ4HDWy86o/okJUG/TKRLd6bf79aRQqqohqd3iQkHk43GyzuXH+oGioVKF0fc
+ACDWw4wfjL7FMNdHCZ4Bz9DrHO/ysHe9B6rvSYm3VZRhSxaneIkaLkkDadKpVx3f
+XNFlMxY4qKPJYYSoJZ61iMqrO7+rnA93tmyDDs8PKU3BtnpfNrdePgleJHhk8Zqy
+Ev2/NOCSUxbKE8NCtLpGTs+T0qjjnu4k3WPd3ZOBAan0uPDekHZeHB/aXGLhYcxx
+J5SurqECgYEA+F1gppkER5Jtoaudt/CUpdQ1sR9wxf75VBqJ4FiYABGQz9xlG4oj
+zL/o572s0iV3bwFpnQa+WuWrxGkP6ZuB/Z82npc0N/vLou/b4dxvg4n7K+eOOEf0
+8FMjsse2tqTIXKCqcmQnR0NPQ1jwuvEKsXP5w/JOlnRXAXnd4jxsJI0CgYEA0GaT
+61ySttUW9jC3mxuY6jkQy8TEQqR3nOFvWwmCXIWOpN/MTTPus+Telxp/pdKhU+mo
+PmX3Unyne5PvwleWDq3YzltX5ZDZGJ5UJlKuNnfGIzQ6OcHRbb7zBpQG6qSRPuug
+bgo688hTnb1L59nK88zWVK45euf6pyuoI+SwIGMCgYEA7yvE8knyhBXvezuv0z1b
+eGHmHp5/VDwY0DQKSEAoiBBiWrkLqLybgwXf/KJ8dZZc8En08aFX2GLJyYe/KiB1
+ys3ypEBJqgvRayP+o/9KZ+qNNRd0rqAksPXvL7ABNNt0kzapTSVDae3Yu6s/j1am
+DIL5qAeERIDedG5uDPpQzdUCgYB7MtjpP63ABhLv8XbpbBQnCxtByw3W89F+Xcrt
+v55gQdhE4cSuMzA/CuMH4vNpPS6AI9aBJNhj3CtKo/cOJachAGb1/wvkO5ALvLW0
+fhZdPstUTnDJain7vfF/hwzbs/PlhXgu9T9KlLfRvXFdG+Sd4g8mumRiozcLkoRw
+y6XPTwKBgDJP+s9wXmdG90HST/aqC7FKrVXLpB63dY5swNUfQP6sa0pFnON0r0JC
+h/YCsGFFIAebQ2uOkM3g3f9nkwTp7910ov+/5uThvRI2w2BBPy0mVuALPjyyF1Z2
+cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/hosts/moon/etc/swanctl/x509/moonCert.pem
new file mode 100755
index 000000000..d5c970f41
--- /dev/null
+++ b/testing/hosts/moon/etc/swanctl/x509/moonCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBFzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA5MDgyNzEwMDMzMloXDTE0MDgyNjEwMDMzMlowRjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21vb24u
+c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDK
+L2M91Lu6BYYhWxWgMS9z9TMSTwszm5rhO7ZIsCtMRo4PAeYw+++SGXt3CPXb/+p+
+SWKGlm11rPE71eQ3ehgh2C3hAurfmWO0iQQaCw+fdreeIVCqOQIOP6UqZ327h5yY
+YpHk8VQv4vBJTpxclU1PqnWheqe1ZlLxsW773LRml/fQt/UgvJkCBTZZONLNMfK+
+7TDnYaVsAtncgvDN78nUNEe2qY92KK7SrBJ6SpUEg49m51F+XgsGcsgWVHS85on3
+Om/G48crLEVJjdu8CxewSRVgb+lPJWzHd8QsU0Vg/7vlqs3ZRMyNtNKrr4opSvVb
+A6agGlTXhDCreDiXU8KHAgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIDqDAdBgNVHQ4EFgQUapx00fiJeYn2WpTpifH6w2SdKS4wbQYDVR0jBGYwZIAU
+XafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQK
+ExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GC
+AQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggr
+BgEFBQcDATA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCctXg2xeMozaTV
+jiBL1P8MY9uEH5JtU0EceQ1RbI5/2vGRdnECND9oADY5vamaaE2Mdq2Qh/vlXnML
+o3ii5ELjsQlYdTYZOcMOdcUUXYvbbFX1cwpkBhyBl1H25KptHcgQ/HnceKp3kOuq
+wYOYjgwePXulcpWXx0E2QtQCFQQZFPyEWeNJxH0oglg53QPXfHY9I2/Gukj5V0bz
+p7ME0Gs8KdnYdmbbDqzQgPsta96/m+HoJlsrVF+4Gqihj6BWMBQ2ybjPWZdG3oH9
+25cE8v60Ry98D0Z/tygbAUFnh5oOvaf642paVgc3aoA77I8U+UZjECxISoiHultY
+7QTufOwP
+-----END CERTIFICATE-----
diff --git a/testing/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100755
index 000000000..0865ad22e
--- /dev/null
+++ b/testing/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG
+A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j
+BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw
+FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv
+b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in
+Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n
+1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y
+vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si
+7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa
+Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/sun/etc/swanctl/rsa/sunKey.pem b/testing/hosts/sun/etc/swanctl/rsa/sunKey.pem
new file mode 100755
index 000000000..d8fad9aad
--- /dev/null
+++ b/testing/hosts/sun/etc/swanctl/rsa/sunKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA35VUimfpDmNpT/8Q3qnoDlxJ9R+EErSYVraVoUVmH9jSHroB
+eqqtDdf3XuHtg2xKTryijBj2H0jeA7HuE1UGwmvZWN1gL5vSrk1OFrT38DmaKa/+
+mtiPqjTJrDGg+OgOz1iHsPsp/4Xx+SCTSy2Ucllfront02sVduDXEGV34Snk6vYV
+sRn1BZSlFBO6F2k23/j1i7FDn0N6Zj0hFvCysoIcfSYasmwN2p5vRqn7xC9JceMK
+3V+v0w0pZoAUBAspAjh7R1rWe08IRAt4Tzff401EGAa5+TQqoZPd4BeqvFr0AQhQ
+mdVw97FB2pQyNxSlcVvxY3NFYHwSCHcEMroWwQIDAQABAoIBADH51hjN2zk9HVgl
+QmcTAWzcUie5cLMhrP+M9mtC8O3jcCwwFY6OwfnbMU8DHy0GMqHg5lB8b99UUVPw
+HLAzjDw/ESkc6pgZs4EEhJTsxJLsvTnePgHssEgyXnXf7gRVEqJkPohfy+Zy0UCH
+eIUQXiMlOQ7xg7iDMhwNa+UdWSt539DztSKilQn2xdPZjFnMT0/prvl4NA/8Zn54
+/SdWDq5yRdLWb6EK1V7yJ3687GXR1jzGtgy7TXuncUJVTYgX7RdP1Tn6gWD8YAQ/
+RfT0DdWYm4WHSgSb9/NW8lBZH2yy3hg+lNgofXEvTfBkO5QyW31LIr0tCV6zhJIc
+Y9MxaKUCgYEA9sktaXfhPLe0ECjdeQEOq5EKuDrCviSKCOuAV4BDSOsdw6+5LWfY
+Vb/oke8N70lL3RCblcj1pOKWUi2O/SpEJdDRduiw2gM9cXt3/bChSTHC4TsIxxN/
+Db9OGg72kZ4sRY5Au+zyAAQYBwXhFWux194Jk5qK0JblNG9J5QMqZDcCgYEA5+5h
+BgHUMEO+pdME5lAiSc5PcNTejpA6j+OikCh4/HFXy3C/dLx+Cs1+egw64c8iVaIv
+NEo7n7E9I0e3XqanPRXhMnBRrP+39OVsWPmZ18Li2Hi84KwJyi8Y11l3XJOqaYpF
+wMVUuZpxR0dfG5k/5GwT/tEkmQBglOgG3m2zUMcCgYEA4m3Vd9ahV5dp5AXKpzKc
+JjiPMFfhxJo7+FEz0ZUCp03qYljBu/Jy4MKS/grrqyiCLdQGHNlk4SNxLvdUId78
+5gGBnuuDEJU2dAAIKUE9yq2YlBUZSacOxStI2snt28/X6P3LUWHm7LLU5OS1D3Vf
+mKPF/6MlSJuas5CEqVZNN+MCgYBH9Qh7IaQgmVQUBKVXg3Mv7OduvUyTdKIGtHxi
+N3xZ7hxsDP4JjNWaKmlcGmFGX8pqQRheI83d3NJ4GK8GmbP3Wst0p65fezMqsudr
+r30QmPFicgs/tYCQDw6o+aPzwAi2F+VOSqrfrtAIaldSq7hL+VA21dKB+cD9UgOX
+jPd+TwKBgQCbKeg2QNS2qhPIG9eaqJDROuxmxb/07d7OBctgMgxVvKhqW9hW42Sy
+gJ59fyz5QjFBaSfcOdf4gkKyEawVo45/q6ymIQU37R4vF4CW9Z3CfaIbwJp7LcHV
+zH07so/HNsZua6GWCSCLJU5MeCRiZzk2RFiS9KIaLP4gZndv4lXOiQ==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/sun/etc/swanctl/x509/sunCert.pem b/testing/hosts/sun/etc/swanctl/x509/sunCert.pem
new file mode 100755
index 000000000..d0937bab8
--- /dev/null
+++ b/testing/hosts/sun/etc/swanctl/x509/sunCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIDCCAwigAwIBAgIBFjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA5MDgyNzA5NTkwNFoXDTE0MDgyNjA5NTkwNFowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z
+dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+V
+VIpn6Q5jaU//EN6p6A5cSfUfhBK0mFa2laFFZh/Y0h66AXqqrQ3X917h7YNsSk68
+oowY9h9I3gOx7hNVBsJr2VjdYC+b0q5NTha09/A5mimv/prYj6o0yawxoPjoDs9Y
+h7D7Kf+F8fkgk0stlHJZX66J7dNrFXbg1xBld+Ep5Or2FbEZ9QWUpRQTuhdpNt/4
+9YuxQ59DemY9IRbwsrKCHH0mGrJsDdqeb0ap+8QvSXHjCt1fr9MNKWaAFAQLKQI4
+e0da1ntPCEQLeE833+NNRBgGufk0KqGT3eAXqrxa9AEIUJnVcPexQdqUMjcUpXFb
+8WNzRWB8Egh3BDK6FsECAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgOoMB0GA1UdDgQWBBRW1p4v2qihzRlcI1PnxbZwluML+zBtBgNVHSMEZjBkgBRd
+p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
+EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
+ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
+Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAo37LYT9Awx0MK/nA
+FZpPJqUr0Ey+O5Ukcsdx7nd00SlmpiQRY8KmuRXCBQnDEgdLstd3slQjT0pJEgWF
+0pzxybnI6eOzYAhLfhart+X1hURiNGbXjggm2s4I5+K32bVIkNEqlsYnd/6F9oo5
+ZNO0/eTTruLZfkNe/zchBGKe/Z7MacVwlYWWCbMtBV4K1d5dGcRRgpQ9WivDlmat
+Nh9wlscDSgSGk3HJkbxnq695VN7zUbDWAUvWWhV5bIDjlAR/xyT9ApqIxiyVVRul
+fYrE7U05Hbt6GgAroAKLp6qJup9+TxQAKSjKIwJ0hf7OuYyQ8TZtVHS7AOhm+T/5
+G/jGGA==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem b/testing/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100755
index 000000000..0865ad22e
--- /dev/null
+++ b/testing/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG
+A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j
+BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw
+FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv
+b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in
+Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n
+1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y
+vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si
+7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa
+Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/venus/etc/swanctl/rsa/venusKey.pem b/testing/hosts/venus/etc/swanctl/rsa/venusKey.pem
new file mode 100644
index 000000000..0477f698a
--- /dev/null
+++ b/testing/hosts/venus/etc/swanctl/rsa/venusKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAs0UsstkyjuvNkpx/vmZlKpBITJyGmfTfFjl01uU4dUVwzE3y
+hllGPLN3ijLSteHP3opUbDNd5dG4eVsa9DUiqIJlk/g+tnKS5IdQbA6yUf1nIHr3
+9tVukOtX66sMeHBU+M46KD7r4RRrGSBYT1FsyIv47D2uk24nBZ7Sf2+LoVQZfMIV
+dydIGfHxmQJxymzS80mh57EN2y70oH9HMwn/bbGb8WrysN09WVbNbT2vdeYX3OJX
+i0xsmT/Ynev1VD9B2mbA/XCf4c45xFL1HxKQ/+RTlmY6z6m4rBFuFGCscLPba5g2
+90mXqrpMSpuWUagIRZmOaeoyd3x25qbYwNe5QwIDAQABAoIBAC9F9I2NHPn3UJRy
+1HTfB5p7xbT+Kbh7jECOEjOA6qxyDVayz1uCOzVSlhlJYas4ytoCXFTUDtTFwwGt
+dqQjRupsyGCGu/Lcr8O3swtrrLZWPlWgV7ctfSSWCu9IgddYt++MYmWuggEuozdT
+AjaYYDlaP9/8PAcAqyWeRh/4yDdYRpEHshePE/uZaIDH1xgQ72v8Ks6fnz3sTYK6
+dJZfZ2EMUS2CsdbqYX+X7CSLkM7FVs+O0xFz00AF7xyfID9RP+nSGkPny60/O5Vk
+qO3dC1pXCs3aAXlTUBsP0aHWHFHXIIfJA95fQy0V7gqDxXHRPRInlFdERYkebM4S
+ctnfxYECgYEA6vFH8Vzc9G99LIZGX2EfODfwJ62TzDPOgqubUMpQRqydTxA9GaPG
+KyoF7GEYK3K8sji/uH1qcogUS46vXNcvm5xe7B5OPgfTLF6tfMaVeBvA6PfGOirx
+qzvrFDTp+DdInOOO9KwvVULKvWtIehSIT12EjKXPxnMCh/vTN2ngg2ECgYEAw1aA
+Z7iBrOPSTFf3S+rMgEMSv3s578YTg6hlaNfDvTEC9zQEDg7k4MxffRyBKLqidLUl
+ZZrcTszdO25c56w7xjFwcLwlFZuaoulFn+ON77/eudtCAjGjnmxUQuruzmoh8YyL
+zBB0oEGzm4u46BK3/ODIzQxpZL0MUUTXliLfoyMCgYA5KwrxfUI6rGJOEkJPdSeO
+m3XxgbgkCTsn6q/5YbFU8S26Dl5/va071ZbpZNrnv5yQ1WQ5dTMQuXIOzKJ5OddY
+yx0B4YHycB7/fe5DHWNDfaVcSuZOQyLZItRZ72I7RuCBZJHlkXxXB9CjdNaG9jYQ
+8dWOD87WICguhKVpp3a9IQKBgGLZByl1iMmAkA7qBM56Bvpw9q/HH85iIcXiFU80
+wGygvKtzuwmSJ+hKA5hAMGv35fXBJSeBcjK+IMXOV101HxpwMkIaM3n3wAzolr8O
+W+kS4xaSCZkqnW2xzAIA+M+jjYG6aZPeT+Y42TbBQdTOhCSHa5W3zi2YLP+DIsVq
+6FiZAoGAUGZttRZOFMZ1paEKtJzvbf7bYNkqW1iIY5AVAN84g4AEJ3910WHxXh7+
+uFWyBU4fUy0Qgk9HihSRbfnq2lvwNNWUeMQmt8t1WpEGUDT6FH4LoDD3fvHbmxY0
+y5QBbDvalkeIe6ESdW1uhLzxCzCRZSkANtMfiVCKvQOOBjxbfeo=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/venus/etc/swanctl/x509/venusCert.pem b/testing/hosts/venus/etc/swanctl/x509/venusCert.pem
new file mode 100644
index 000000000..c383667e6
--- /dev/null
+++ b/testing/hosts/venus/etc/swanctl/x509/venusCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEDzCCAvegAwIBAgIBGDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA5MDgyNzEwMDUyMloXDTE0MDgyNjEwMDUyMlowRzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHTAbBgNVBAMTFHZlbnVz
+LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+s0UsstkyjuvNkpx/vmZlKpBITJyGmfTfFjl01uU4dUVwzE3yhllGPLN3ijLSteHP
+3opUbDNd5dG4eVsa9DUiqIJlk/g+tnKS5IdQbA6yUf1nIHr39tVukOtX66sMeHBU
++M46KD7r4RRrGSBYT1FsyIv47D2uk24nBZ7Sf2+LoVQZfMIVdydIGfHxmQJxymzS
+80mh57EN2y70oH9HMwn/bbGb8WrysN09WVbNbT2vdeYX3OJXi0xsmT/Ynev1VD9B
+2mbA/XCf4c45xFL1HxKQ/+RTlmY6z6m4rBFuFGCscLPba5g290mXqrpMSpuWUagI
+RZmOaeoyd3x25qbYwNe5QwIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8E
+BAMCA6gwHQYDVR0OBBYEFI9cCmyxR/wbUXCARuBjbHpUAS1nMG0GA1UdIwRmMGSA
+FF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UE
+ChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENB
+ggEAMB8GA1UdEQQYMBaCFHZlbnVzLnN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAw
+LqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmww
+DQYJKoZIhvcNAQELBQADggEBAK5Pi/g5Y234tEcTFWE0Vdg4cKxIfZRewFOOZI1z
+/RWfzoqPZ6YzD15B1toKZrAGsqyhdJ4yQ/BwxJpdgNCscMelkzMubcLXL9QugPS4
+hz4MLkJR2tDCZA/mFUTEbAQwdNSCxSo/l0vZ5KXUg9y5zZhCWpZiHJBXnz/567wn
+K16J3x9TYtdh4sT+y+0vHgvosUs2srRTkK2WDDxlh9XTch7DZyrLuiRRFrWjc6y9
+ThVH/qQNXwEBq2t9UYjQUVyx77gVQmiLrPU7UjL4IBoZmBNV/VJ10+rmGj1eG1nD
+pgq6oBTrbEsv8Ix7y/MziTB8POj3dKjl2UZmRVBwMbnNqYk=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/venus/etc/swanctl/x509ca/strongswanCert.pem b/testing/hosts/venus/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..0865ad22e
--- /dev/null
+++ b/testing/hosts/venus/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG
+A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j
+BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw
+FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv
+b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in
+Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n
+1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y
+vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si
+7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa
+Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
index 5958a1347..4b75f4734 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
@@ -17,8 +17,8 @@ R 111007105811Z 111017123709Z,superseded 10 unknown /C=CH/O=Linux strongSwan/OU=
R 111007121250Z 111017123712Z,superseded 11 unknown /C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org
R 111007122112Z 111017123715Z,superseded 12 unknown /C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org
R 120224075857Z 120315063217Z,superseded 13 unknown /C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org
-V 120425210745Z 14 unknown /C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
-V 140406120117Z 15 unknown /C=CH/O=Linux strongSwan/OU=Research/serialNumber=002/CN=carol@strongswan.org
+R 120425210745Z 140414203104Z,superseded 14 unknown /C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
+R 140406120117Z 140414203012Z,superseded 15 unknown /C=CH/O=Linux strongSwan/OU=Research/serialNumber=002/CN=carol@strongswan.org
V 140826095904Z 16 unknown /C=CH/O=Linux strongSwan/CN=sun.strongswan.org
V 140826100332Z 17 unknown /C=CH/O=Linux strongSwan/CN=moon.strongswan.org
V 140826100522Z 18 unknown /C=CH/O=Linux strongSwan/CN=venus.strongswan.org
@@ -38,3 +38,4 @@ V 161015124759Z 25 unknown /C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongs
V 161015125030Z 26 unknown /C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org
V 170314064200Z 27 unknown /C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org
R 190321135622Z 140322135700Z,CACompromise 28 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+V 190413204655Z 29 unknown /C=CH/O=Linux strongSwan/OU=Research/serialNumber=002/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old
index a6d5a0828..3baf17ff5 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.old
@@ -17,8 +17,8 @@ R 111007105811Z 111017123709Z,superseded 10 unknown /C=CH/O=Linux strongSwan/OU=
R 111007121250Z 111017123712Z,superseded 11 unknown /C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org
R 111007122112Z 111017123715Z,superseded 12 unknown /C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org
R 120224075857Z 120315063217Z,superseded 13 unknown /C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org
-V 120425210745Z 14 unknown /C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
-V 140406120117Z 15 unknown /C=CH/O=Linux strongSwan/OU=Research/serialNumber=002/CN=carol@strongswan.org
+R 120425210745Z 140414203104Z,superseded 14 unknown /C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
+R 140406120117Z 140414203012Z,superseded 15 unknown /C=CH/O=Linux strongSwan/OU=Research/serialNumber=002/CN=carol@strongswan.org
V 140826095904Z 16 unknown /C=CH/O=Linux strongSwan/CN=sun.strongswan.org
V 140826100332Z 17 unknown /C=CH/O=Linux strongSwan/CN=moon.strongswan.org
V 140826100522Z 18 unknown /C=CH/O=Linux strongSwan/CN=venus.strongswan.org
@@ -37,4 +37,4 @@ V 161015124507Z 24 unknown /C=CH/O=Linux strongSwan/OU=SHA-224/CN=moon.strongsw
V 161015124759Z 25 unknown /C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org
V 161015125030Z 26 unknown /C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org
V 170314064200Z 27 unknown /C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org
-V 190321135622Z 28 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+R 190321135622Z 140322135700Z,CACompromise 28 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/29.pem b/testing/hosts/winnetou/etc/openssl/newcerts/29.pem
new file mode 100644
index 000000000..a4d9812d9
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/29.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEMDCCAxigAwIBAgIBKTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE0MDQxNDIwNDY1NVoXDTE5MDQxMzIwNDY1NVowaDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMQwwCgYDVQQFEwMwMDIxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3Jn
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzXQSXX8LtY/RlgvQxxCF
+pq787RPVD1HQciKemGkzUcjC+J+3rHBKmPT68Prb/4j9ESYdPqvaI7KWGD7pkAv4
+BWv4rw5iAxKB7bEDSVg5Gjs9vXDifR27Pz8rfsQFo8+O9oYWb7Ah45TNU/B8+Pcr
+Gajv0I7eHUbGJsKlgOOMBkSe3cbQd9jc54iv8AFFfMsh5riMz2+7LI8zaMzie3vN
+aPjsSDcGTB7jDa9bY+ZMbHzdFaDzmodDrZNJOSKTeDp5QTuP/JTPrSCXiIqUEJbE
+IUhWF2P1s8wH9SeW0ZQlw4Z0eETR/c7XQfzdJj7UCmWLJQ//eseoAXNc1DbV6EtJ
+1QIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYE
+FGkt9dMYc1d/MRpfoo1q6zzwdBDMMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl
+4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25n
+U3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaB
+FGNhcm9sQHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9j
+cmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQELBQAD
+ggEBAEbfq0PDdexYL9OqqD1Q8U0UXIRi3hvruqGM+KW8UbKisRqJJnow5wCYBJLI
+MFC7ze24AcADe0Az+uLdKzClVZ+87i/vMse0dCGxSvKKwUtI9bFeQOourrBEHHRw
+xJJcY9eGlsJoyJXyuT8sEXI+YqAaVDtcAYDa+OjIQNrJeIZDv9t/+1q1wlh0gvIz
+zfndSfL4xEIf+lw1Flvt8BwTx4jDk6QIS4jUO3YtHzrtZ+171/iqmSvGrEmfVceq
+1KOn7zNgh7XHmqE92HU63R9sVu3zjVSzuAMIVDqT5v8qU6T85NJE8ebYXi/RL8ON
+btGZ7+y4Z4CbdkjLZ+Oxtew0nwk=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial
index f04c001f3..8676c24ef 100644
--- a/testing/hosts/winnetou/etc/openssl/serial
+++ b/testing/hosts/winnetou/etc/openssl/serial
@@ -1 +1 @@
-29
+2A
diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old
index 9902f1784..f04c001f3 100644
--- a/testing/hosts/winnetou/etc/openssl/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/serial.old
@@ -1 +1 @@
-28
+29
diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage
index b6b8854ab..956fc93ca 100755
--- a/testing/scripts/build-baseimage
+++ b/testing/scripts/build-baseimage
@@ -17,7 +17,9 @@ INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libxerces-c2-dev,libltdl-dev
INC=$INC,liblog4cxx10-dev,libboost-thread-dev,libboost-system-dev,git-core
INC=$INC,less,acpid,acpi-support-base,libldns-dev,libunbound-dev,dnsutils,screen
INC=$INC,gnat,gprbuild,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev
-INC=$INC,libalog0.4.1-base-dev,hostapd,libsoup2.4-dev
+INC=$INC,libalog0.4.1-base-dev,hostapd,libsoup2.4-dev,ca-certificates,unzip
+INC=$INC,python,python-setuptools,python-dev,python-pip
+INC=$INC,libjson0-dev,libxslt1-dev,libapache2-mod-wsgi
SERVICES="apache2 dbus isc-dhcp-server slapd bind9"
INC=$INC,${SERVICES// /,}
diff --git a/testing/scripts/build-guestimages b/testing/scripts/build-guestimages
index f7fb1f85c..245fc2524 100755
--- a/testing/scripts/build-guestimages
+++ b/testing/scripts/build-guestimages
@@ -48,7 +48,14 @@ do
execute "cp -rf $HOSTSDIR/default/* $LOOPDIR" 0
execute_chroot "ldconfig" 0
- if [ "$host" = "winnetou" ]
+ if [ "$host" = "alice" ]
+ then
+ execute "mkdir $LOOPDIR/var/log/apache2/tnc" 0
+ execute "mkdir $LOOPDIR/etc/pts" 0
+ execute_chroot "chgrp www-data /etc/pts" 0
+ execute_chroot "chmod g+w /etc/pts" 0
+ fi
+ if [ "$host" = "winnetou" ]
then
execute "mkdir $LOOPDIR/var/log/apache2/ocsp" 0
execute "cp -rf $DIR/../images $LOOPDIR/var/www/" 0
diff --git a/testing/scripts/recipes/014_swid_generator.mk b/testing/scripts/recipes/014_swid_generator.mk
new file mode 100644
index 000000000..589146906
--- /dev/null
+++ b/testing/scripts/recipes/014_swid_generator.mk
@@ -0,0 +1,16 @@
+#!/usr/bin/make
+
+PKG = swidGenerator
+ZIP = $(PKG)-master.zip
+SRC = https://github.com/strongswan/$(PKG)/archive/master.zip
+
+all: install
+
+$(ZIP):
+ wget --ca-directory="/usr/share/ca-certificates/mozilla" $(SRC) -O $(ZIP)
+
+$(PKG)-master: $(ZIP)
+ unzip $(ZIP)
+
+install: $(PKG)-master
+ cd $(PKG)-master && python setup.py install
diff --git a/testing/scripts/recipes/015_strongTNC.mk b/testing/scripts/recipes/015_strongTNC.mk
new file mode 100644
index 000000000..cc4a94a0b
--- /dev/null
+++ b/testing/scripts/recipes/015_strongTNC.mk
@@ -0,0 +1,22 @@
+#!/usr/bin/make
+
+PKG = strongTNC
+ZIP = $(PKG)-master.zip
+SRC = https://github.com/strongswan/$(PKG)/archive/master.zip
+DEPS = $(PKG)-deps
+
+all: install
+
+$(ZIP):
+ wget --ca-directory=/usr/share/ca-certificates/mozilla/ $(SRC) -O $(ZIP)
+
+$(PKG)-master: $(ZIP)
+ unzip -u $(ZIP)
+
+$(DEPS): $(PKG)-master
+ mkdir -p $(DEPS)
+ pip install --download $(DEPS) -r $(PKG)-master/requirements.txt
+
+install: $(DEPS)
+ pip install --no-index --find-links=file://`pwd`/$(DEPS) -r $(PKG)-master/requirements.txt
+ cp -r $(PKG)-master /var/www/tnc && chgrp -R www-data /var/www/tnc && chmod g+w /var/www/tnc /var/www/tnc/django.db
diff --git a/testing/testing.conf b/testing/testing.conf
index 8e0c81e53..f5e65b2d8 100644
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -24,14 +24,14 @@ fi
: ${TESTDIR=/srv/strongswan-testing}
# Kernel configuration
-: ${KERNELVERSION=3.13.2}
+: ${KERNELVERSION=3.15.1}
: ${KERNEL=linux-$KERNELVERSION}
: ${KERNELTARBALL=$KERNEL.tar.xz}
-: ${KERNELCONFIG=$DIR/../config/kernel/config-3.13}
-: ${KERNELPATCH=ha-3.13-abicompat.patch.bz2}
+: ${KERNELCONFIG=$DIR/../config/kernel/config-3.15}
+: ${KERNELPATCH=ha-3.15-ah-abicompat.patch.bz2}
# strongSwan version used in tests
-: ${SWANVERSION=5.1.2}
+: ${SWANVERSION=5.2.0}
# Build directory where the guest kernel and images will be built
: ${BUILDDIR=$TESTDIR/build}
@@ -50,11 +50,11 @@ fi
# Base image settings
# The base image is a pristine OS installation created using debootstrap.
-: ${BASEIMGSIZE=1280}
+: ${BASEIMGSIZE=1400}
: ${BASEIMGSUITE=wheezy}
: ${BASEIMGARCH=amd64}
: ${BASEIMG=$IMGDIR/debian-$BASEIMGSUITE-$BASEIMGARCH.$IMGEXT}
-: ${BASEIMGMIRROR=http://cdn.debian.net/debian}
+: ${BASEIMGMIRROR=http://http.debian.net/debian}
# Root image settings
# The root image is the origin of all guest images. It is a clone of the base
diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/aacerts/aa.pem b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/aacerts/aa.pem
new file mode 100644
index 000000000..fbfa7ee8b
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/aacerts/aa.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDKjCCAhKgAwIBAgIIFU5+Fa8cF2EwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTAeFw0xNDAyMDcwODUwMzVaFw0yMjA0MjYwODUwMzVaMEAx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRYwFAYDVQQD
+Ew1zdHJvbmdTd2FuIEFBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+y6nSTRzCuTbfuv2FwnXC/R7+5L5WViVxBfCEkaxzW5GJJGTFFbSbpQJxWk603BJH
+hlVAVj8jUNMKcOuj/l8UPNV8lcDslQfe/AZd6gqdCwP7uMsAQ3yWfkZZK1jxTdTP
+dvcpLNozt7hmIroJVTGzmzI5YIvWbYT/zyEge6pEPaXr8IqYzdWFCUINTXUGEr/L
+lt3IUKMTNnhabPHAbTIZ3i0c98Ci0ZzZjGx+JmVVvcY9lgNTjS2xaaklUCq2auR/
+QzP7PxuSYkAF4qYhG7Ujeo7v4z79mXISFTlyqKe7k18wUKdf+7suyGczSRMP6+5N
+jqNqab7l/SHwHQMVEE5ihwIDAQABoyMwITAfBgNVHSMEGDAWgBRdp91wBlEyfue2
+bbO15eBg6i5N7zANBgkqhkiG9w0BAQUFAAOCAQEAakPgMKVjkQmpI1VROcetvZzM
+ZHMWwdu9IcwNpi/8qs2qNh6wCYv9c4V6O4zRCB1u8TuAIQiwLNZgjk+OKKLzvUik
+gBRogn/apXsvAtfu9ODv5GuS6F38OYWDu/c3fiCZB2MKTtmEro2EkxxMw4DkfJ02
+R/xrhAnjeQlRQOChgQ3fHNmH9gVNaKXNq+JaoU2TfHFwuYMMe6q1L+vhOaBd58YA
+6wPHOOLcIEaebHIqa4duAE5txJsZCEEySrr5stqo4j7929BAw+U6f+6Wb+UAEW6g
+91PKAl5QVbAzgPFWoPkOTNdDOprT+B4eGx0EC2QTEtxxDv5589choF7BMRCzsQ==
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/carol-sales-finance.pem b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/carol-sales-finance.pem
new file mode 100644
index 000000000..406c15700
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/carol-sales-finance.pem
@@ -0,0 +1,18 @@
+-----BEGIN ATTRIBUTE CERTIFICATE-----
+MIIC+DCCAeACAQEwgbCgTjBJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp
+bnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQQIBHaFe
+pFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZ6BG
+MESkQjBAMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEW
+MBQGA1UEAxMNc3Ryb25nU3dhbiBBQTANBgkqhkiG9w0BAQUFAAIIWCKrRUelL+kw
+IhgPMjAxNDAyMDcwODU4MTJaGA8yMDIyMDQyNjA4NTgxMlowIjAgBggrBgEFBQcK
+BDEUMBIwEAwFc2FsZXMMB2ZpbmFuY2UwfzByBgNVHSMEazBpCwHqxzoCXPi2xMHh
+2q7CV/ZSsLChSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJv
+bmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCCBVOfhWvHBdhMAkG
+A1UdOAQCBQAwDQYJKoZIhvcNAQEFBQADggEBADNSv52dbBOp30L0kJse9HqWMBaR
+SA5IDrF1FMLVZfI0Vb9XgEmk1SXAnMmPm7bfk+2w0Rd1jL7D905nel3LXuvohSR9
+wd4Vo8XX3WUlzNfjUEFFJb0nU2ybr7SmxF+K4wGnhvBAym2y/hNA0glp2hNjYTds
+g+RUpM4bSqP5DpUfRBl19VHeEu/OymoACOzuHuNc1IndYM1mkSJYumX6YW60DpF/
+TaK1So3FyEWucHeoFCziNbclrjWwB8OS3JfCOl95rxu+0JhyWc+3x1E50W8DaAnY
+ZRyYxDjYT9/E9xyzV45yo0xFODIgDgfKMsDjfUmfny3dTesdFUf3Ar3vTfA=
+-----END ATTRIBUTE CERTIFICATE-----
diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/dave-marketing.pem b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/dave-marketing.pem
new file mode 100644
index 000000000..2f646c39d
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/dave-marketing.pem
@@ -0,0 +1,18 @@
+-----BEGIN ATTRIBUTE CERTIFICATE-----
+MIIC9DCCAdwCAQEwgbGgTjBJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp
+bnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQQIBHKFf
+pF0wWzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzAR
+BgNVBAsTCkFjY291bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmeg
+RjBEpEIwQDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4x
+FjAUBgNVBAMTDXN0cm9uZ1N3YW4gQUEwDQYJKoZIhvcNAQEFBQACCCPxWgWKmOUM
+MCIYDzIwMTQwMjA3MDg1OTM3WhgPMjAyMjA0MjYwODU5MzdaMB0wGwYIKwYBBQUH
+CgQxDzANMAsMCW1hcmtldGluZzB/MHIGA1UdIwRrMGkLAerHOgJc+LbEweHarsJX
+9lKwsKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIIFU5+Fa8cF2EwCQYDVR04
+BAIFADANBgkqhkiG9w0BAQUFAAOCAQEAThlKhGVv34sfnCSQn6nYUdxMhboTuC98
++DgvTQ/tH0hddCJNg00SpO8AbStwEsqHFaSqFzAGHcMk+XUrBRSGszAwg8nKAKfT
+MCvJbK6lWQcPF0WPSSk9/r1TLan4I9xhneNIIGQf1fnNo7NrQnmhJjolUgXQNwFA
+qZgKBsk0jWcOSvI0bpK90km5flCHn/OA1rDCdaPuMwreDhvNDoApORYFPZVsLhid
+CXSqT+FWfm2NfegS+Q4VHP3YLbY4vLepCerU9aMTUIPit0kf1N8piG/l6AUno1XP
+VrcTvruQUWQb08H9aYt7l7kyhzOKkuXjVbdn5egZnK0m4WKmV50guA==
+-----END ATTRIBUTE CERTIFICATE-----
diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/dave-sales-expired.pem b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/dave-sales-expired.pem
new file mode 100644
index 000000000..d42038469
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/dave-sales-expired.pem
@@ -0,0 +1,18 @@
+-----BEGIN ATTRIBUTE CERTIFICATE-----
+MIIC8DCCAdgCAQEwgbGgTjBJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp
+bnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQQIBHKFf
+pF0wWzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzAR
+BgNVBAsTCkFjY291bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmeg
+RjBEpEIwQDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4x
+FjAUBgNVBAMTDXN0cm9uZ1N3YW4gQUEwDQYJKoZIhvcNAQEFBQACCEuGbFvrRrtr
+MCIYDzIwMTQwMjA3MDgwMTE3WhgPMjAxNDAyMDcwOTAxMTdaMBkwFwYIKwYBBQUH
+CgQxCzAJMAcMBXNhbGVzMH8wcgYDVR0jBGswaQsB6sc6Alz4tsTB4dquwlf2UrCw
+oUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEb
+MBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBgggVTn4VrxwXYTAJBgNVHTgEAgUA
+MA0GCSqGSIb3DQEBBQUAA4IBAQBYnOq716FJ079kXAt8vmi2GpEyyCqSBqqjr0lR
+X9mGQqWKmpj88ZP61tCooCy8HaJsgKBvedKJHJ4e/YxR+fqBDkT4apFu4wX8P/xh
+yKy6/RMAdTtkwVTE6flXdQryCQ/PGhSMuwwH/URFg65mixAatyyaoat4+mZ506u3
+F9ZZXkHPP4nZXAJqYjLLcNXPqC4lGoXXT+9dgsm6RLAdnBXT1GGff9tmqt9CcspW
+XPjoqy9AxNr6FnItvMGw0CC6MPyVOJImlSxdhFW7waZkpNfmGzRdylXMwHXk8PbW
+gjmlDUbyWquu8xBlpron3X/Jx3YNGVNrhgfZLlmhzCRouMqc
+-----END ATTRIBUTE CERTIFICATE-----
diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/private/aa.pem b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/private/aa.pem
new file mode 100644
index 000000000..a4e001791
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/private/aa.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAy6nSTRzCuTbfuv2FwnXC/R7+5L5WViVxBfCEkaxzW5GJJGTF
+FbSbpQJxWk603BJHhlVAVj8jUNMKcOuj/l8UPNV8lcDslQfe/AZd6gqdCwP7uMsA
+Q3yWfkZZK1jxTdTPdvcpLNozt7hmIroJVTGzmzI5YIvWbYT/zyEge6pEPaXr8IqY
+zdWFCUINTXUGEr/Llt3IUKMTNnhabPHAbTIZ3i0c98Ci0ZzZjGx+JmVVvcY9lgNT
+jS2xaaklUCq2auR/QzP7PxuSYkAF4qYhG7Ujeo7v4z79mXISFTlyqKe7k18wUKdf
++7suyGczSRMP6+5NjqNqab7l/SHwHQMVEE5ihwIDAQABAoIBAQCIvn5QfkYUG87+
+eyirV2xTjdMw/Md1UfBgP4yTTsmpqr79K5fUqg5zLX+0VfJDbRaPEICBKCVrKDfz
+d5QFwAsTiXf8CKwQqFdEunWmJfgppEQIYGzN40IciNloLHDghEnEI9GGpv9glLQn
+DugjRprEUmWJ+HpB0LH9fc2Ums704Fcd8ud3bStCRxU1TA5VGBHmnyK5/n1Lb1oB
+01LoW8ins8lATuV+MAaWZgmCbPajfXY9wQGq3IDMVlOUOTxRo742T1GTrwBZR8ot
+mgs/Gs1XkJRC1x9Z9Z1Cej1iC5llv0zX8AUdejczGHQGHj1a1Dg8FpRneW6rrLyK
+vvKR8jtRAoGBAOpyk63yCPM2LqU4US5aHXPoLyyGeo4v7okTKIuoUfosQ4XJvylM
+lEYoFVFKYBKcXRQhmeWyILtto2BBDnG1HWAi1MbUWLxDNEYieurzJiv4i0XbR6cH
+mLhMMlQyKmwLRF5v3EiupjKBZRk2iYcx4eeL3gsUWUzRPeWJHKDgYF4PAoGBAN5i
+xyOsU/32gQ6vLQxt8us6n3OBr1PiFg8JIdADPnKOCxJ5uS8dkqOQHCMKyvS9MWrf
+3Wj4MOBEgW7fBBAxkvjJdPhBW70/pGM46mb991dTHJ4gIAzGxgvJIqw/FjqEC7Oo
+vWDRS4dxW56Rs2tdLn2GRvvlS3+3z90twqS/t6wJAoGBAJpzhzT2Gc1YaZxxIJI/
+zd15HfLgWUbo7uWhGHoBFpiQpp8yDNzBVYFukLSwIeDA4FUN2dxH4GZ50ULtOP3S
+Cps19yVR6W+Fep+lwYKdUw1uvRn1Xxv71jG8CQAM2IO7XHw2h1HetSDau+bDVhEZ
+3LB1JX/5FOeVhYh9Lr4Rc4sjAoGBAJCTCv+oEtqyHOjc/Z5tBFXkwLCpCMCx5MFV
+oIPI+BolOhGCzN9SjHiFQaWOaK9/J9dhPmH1qGDEaJkZp1yXvgK7ha23X9rCuy4+
+XDUkul4tDBfIrs1flHUpB7+PK/ZSzgC4nJWKu12MVpHaCxirdYPpfdBZGyIm753N
+GBNfCBtxAoGAKkrHlsfq7GVVU7Jj1AlNCwmlm21vSJ45G3cNR1GpgdplB5JR1ldV
+2kxA4xm8uFVIJ60OQ9VZ5Svaovqh8iX2sndSOZMefjH3qiDu/4mJqRA3xV5ugon3
+RAzinJzUU4tnk9pajOMD3FHOHvUO4hAJjVYEzqLIIRE7QhPuEpLevZ4=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.d/acerts/carol-finance-expired.pem b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.d/acerts/carol-finance-expired.pem
new file mode 100644
index 000000000..3be000a3d
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.d/acerts/carol-finance-expired.pem
@@ -0,0 +1,18 @@
+-----BEGIN ATTRIBUTE CERTIFICATE-----
+MIIC8TCCAdkCAQEwgbCgTjBJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp
+bnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQQIBHaFe
+pFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZ6BG
+MESkQjBAMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEW
+MBQGA1UEAxMNc3Ryb25nU3dhbiBBQTANBgkqhkiG9w0BAQUFAAIISLuuiWM2O9Yw
+IhgPMjAxNDAyMDcwODQyMDVaGA8yMDE0MDIwNzA5NDIwNVowGzAZBggrBgEFBQcK
+BDENMAswCQwHZmluYW5jZTB/MHIGA1UdIwRrMGkLAerHOgJc+LbEweHarsJX9lKw
+sKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4x
+GzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIIFU5+Fa8cF2EwCQYDVR04BAIF
+ADANBgkqhkiG9w0BAQUFAAOCAQEAaDwqM5BY9pXhlSlT3cpCJYsNCfk6T1nG5s5J
+Dtgwojw0BVSoxKqcbpWdP09HOpBcwbPVk++I19wd5VsdHxtQ4/o2Hoevg4QWxUUx
+t3qsdMDjg7U2iH+JppYsEDmXmx9k1hvV1OiEzHJKTDlZqXkhiItLatKSptTG3c0A
+DdJVS05sdepzhkRGimE/QwO7nJ3v5ixFNIetgfbojbjhJPpNfXPIgMMHerK/hAlo
+ekSwcmh9ufFuEXg8C0NunQqf6Z6FbxiUXUF9j7dvlEp3n5YFsv3WSMUjE3Sb7r8T
+3e2A/LXb05ky0/SNebgS4fU9oi8acEgwN2Vqwu82hClwYAcHJg==
+-----END ATTRIBUTE CERTIFICATE-----
diff --git a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.d/acerts/carol-sales.pem b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.d/acerts/carol-sales.pem
new file mode 100644
index 000000000..a188a1d3d
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.d/acerts/carol-sales.pem
@@ -0,0 +1,18 @@
+-----BEGIN ATTRIBUTE CERTIFICATE-----
+MIIC7zCCAdcCAQEwgbCgTjBJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp
+bnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQQIBHaFe
+pFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZ6BG
+MESkQjBAMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEW
+MBQGA1UEAxMNc3Ryb25nU3dhbiBBQTANBgkqhkiG9w0BAQUFAAIIYO/yp98Yxu4w
+IhgPMjAxNDAyMDcxMDAxNTdaGA8yMDIyMDQyNjEwMDE1N1owGTAXBggrBgEFBQcK
+BDELMAkwBwwFc2FsZXMwfzByBgNVHSMEazBpCwHqxzoCXPi2xMHh2q7CV/ZSsLCh
+SaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRsw
+GQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCCBVOfhWvHBdhMAkGA1UdOAQCBQAw
+DQYJKoZIhvcNAQEFBQADggEBAJA/duSysWae5X9JTC0BLY6gK8ggj5V9H3d60rM4
+7A8HVQldWe5QwYIRZmLS0XhMVHWiIvXJHwue2Xgs8DyAqILSCKIKpCJRhqPIxHCh
+bek1nzw2YzVaU+E37He5V9PSkkRFO9tRvELhW3t4Wya7p4l6MVFW9ETOOtUqZYmt
+bxAq/XEFZl/aFb2FW2RoKjUZpwxbrccCaV1hKIxtNen2ro31dNd9YHXe+fE4Fc7r
+FTwbhOg3QLvZDXmiZt3LCXdMKAhayLbuSVsycuEtac44OVSvKhJ8GYykTRRn67nU
+qCFNDe266KTNDqUMilrHm3FYGkpFtREOBajH4EqdMAJSdXg=
+-----END ATTRIBUTE CERTIFICATE-----
diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aa.pem b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aa.pem
new file mode 100644
index 000000000..fbfa7ee8b
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aa.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDKjCCAhKgAwIBAgIIFU5+Fa8cF2EwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTAeFw0xNDAyMDcwODUwMzVaFw0yMjA0MjYwODUwMzVaMEAx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRYwFAYDVQQD
+Ew1zdHJvbmdTd2FuIEFBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+y6nSTRzCuTbfuv2FwnXC/R7+5L5WViVxBfCEkaxzW5GJJGTFFbSbpQJxWk603BJH
+hlVAVj8jUNMKcOuj/l8UPNV8lcDslQfe/AZd6gqdCwP7uMsAQ3yWfkZZK1jxTdTP
+dvcpLNozt7hmIroJVTGzmzI5YIvWbYT/zyEge6pEPaXr8IqYzdWFCUINTXUGEr/L
+lt3IUKMTNnhabPHAbTIZ3i0c98Ci0ZzZjGx+JmVVvcY9lgNTjS2xaaklUCq2auR/
+QzP7PxuSYkAF4qYhG7Ujeo7v4z79mXISFTlyqKe7k18wUKdf+7suyGczSRMP6+5N
+jqNqab7l/SHwHQMVEE5ihwIDAQABoyMwITAfBgNVHSMEGDAWgBRdp91wBlEyfue2
+bbO15eBg6i5N7zANBgkqhkiG9w0BAQUFAAOCAQEAakPgMKVjkQmpI1VROcetvZzM
+ZHMWwdu9IcwNpi/8qs2qNh6wCYv9c4V6O4zRCB1u8TuAIQiwLNZgjk+OKKLzvUik
+gBRogn/apXsvAtfu9ODv5GuS6F38OYWDu/c3fiCZB2MKTtmEro2EkxxMw4DkfJ02
+R/xrhAnjeQlRQOChgQ3fHNmH9gVNaKXNq+JaoU2TfHFwuYMMe6q1L+vhOaBd58YA
+6wPHOOLcIEaebHIqa4duAE5txJsZCEEySrr5stqo4j7929BAw+U6f+6Wb+UAEW6g
+91PKAl5QVbAzgPFWoPkOTNdDOprT+B4eGx0EC2QTEtxxDv5589choF7BMRCzsQ==
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/private/aa.pem b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/private/aa.pem
new file mode 100644
index 000000000..a4e001791
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/private/aa.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAy6nSTRzCuTbfuv2FwnXC/R7+5L5WViVxBfCEkaxzW5GJJGTF
+FbSbpQJxWk603BJHhlVAVj8jUNMKcOuj/l8UPNV8lcDslQfe/AZd6gqdCwP7uMsA
+Q3yWfkZZK1jxTdTPdvcpLNozt7hmIroJVTGzmzI5YIvWbYT/zyEge6pEPaXr8IqY
+zdWFCUINTXUGEr/Llt3IUKMTNnhabPHAbTIZ3i0c98Ci0ZzZjGx+JmVVvcY9lgNT
+jS2xaaklUCq2auR/QzP7PxuSYkAF4qYhG7Ujeo7v4z79mXISFTlyqKe7k18wUKdf
++7suyGczSRMP6+5NjqNqab7l/SHwHQMVEE5ihwIDAQABAoIBAQCIvn5QfkYUG87+
+eyirV2xTjdMw/Md1UfBgP4yTTsmpqr79K5fUqg5zLX+0VfJDbRaPEICBKCVrKDfz
+d5QFwAsTiXf8CKwQqFdEunWmJfgppEQIYGzN40IciNloLHDghEnEI9GGpv9glLQn
+DugjRprEUmWJ+HpB0LH9fc2Ums704Fcd8ud3bStCRxU1TA5VGBHmnyK5/n1Lb1oB
+01LoW8ins8lATuV+MAaWZgmCbPajfXY9wQGq3IDMVlOUOTxRo742T1GTrwBZR8ot
+mgs/Gs1XkJRC1x9Z9Z1Cej1iC5llv0zX8AUdejczGHQGHj1a1Dg8FpRneW6rrLyK
+vvKR8jtRAoGBAOpyk63yCPM2LqU4US5aHXPoLyyGeo4v7okTKIuoUfosQ4XJvylM
+lEYoFVFKYBKcXRQhmeWyILtto2BBDnG1HWAi1MbUWLxDNEYieurzJiv4i0XbR6cH
+mLhMMlQyKmwLRF5v3EiupjKBZRk2iYcx4eeL3gsUWUzRPeWJHKDgYF4PAoGBAN5i
+xyOsU/32gQ6vLQxt8us6n3OBr1PiFg8JIdADPnKOCxJ5uS8dkqOQHCMKyvS9MWrf
+3Wj4MOBEgW7fBBAxkvjJdPhBW70/pGM46mb991dTHJ4gIAzGxgvJIqw/FjqEC7Oo
+vWDRS4dxW56Rs2tdLn2GRvvlS3+3z90twqS/t6wJAoGBAJpzhzT2Gc1YaZxxIJI/
+zd15HfLgWUbo7uWhGHoBFpiQpp8yDNzBVYFukLSwIeDA4FUN2dxH4GZ50ULtOP3S
+Cps19yVR6W+Fep+lwYKdUw1uvRn1Xxv71jG8CQAM2IO7XHw2h1HetSDau+bDVhEZ
+3LB1JX/5FOeVhYh9Lr4Rc4sjAoGBAJCTCv+oEtqyHOjc/Z5tBFXkwLCpCMCx5MFV
+oIPI+BolOhGCzN9SjHiFQaWOaK9/J9dhPmH1qGDEaJkZp1yXvgK7ha23X9rCuy4+
+XDUkul4tDBfIrs1flHUpB7+PK/ZSzgC4nJWKu12MVpHaCxirdYPpfdBZGyIm753N
+GBNfCBtxAoGAKkrHlsfq7GVVU7Jj1AlNCwmlm21vSJ45G3cNR1GpgdplB5JR1ldV
+2kxA4xm8uFVIJ60OQ9VZ5Svaovqh8iX2sndSOZMefjH3qiDu/4mJqRA3xV5ugon3
+RAzinJzUU4tnk9pajOMD3FHOHvUO4hAJjVYEzqLIIRE7QhPuEpLevZ4=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.d/acerts/carol-sales.pem b/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.d/acerts/carol-sales.pem
new file mode 100644
index 000000000..a188a1d3d
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.d/acerts/carol-sales.pem
@@ -0,0 +1,18 @@
+-----BEGIN ATTRIBUTE CERTIFICATE-----
+MIIC7zCCAdcCAQEwgbCgTjBJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp
+bnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQQIBHaFe
+pFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZ6BG
+MESkQjBAMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEW
+MBQGA1UEAxMNc3Ryb25nU3dhbiBBQTANBgkqhkiG9w0BAQUFAAIIYO/yp98Yxu4w
+IhgPMjAxNDAyMDcxMDAxNTdaGA8yMDIyMDQyNjEwMDE1N1owGTAXBggrBgEFBQcK
+BDELMAkwBwwFc2FsZXMwfzByBgNVHSMEazBpCwHqxzoCXPi2xMHh2q7CV/ZSsLCh
+SaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRsw
+GQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCCBVOfhWvHBdhMAkGA1UdOAQCBQAw
+DQYJKoZIhvcNAQEFBQADggEBAJA/duSysWae5X9JTC0BLY6gK8ggj5V9H3d60rM4
+7A8HVQldWe5QwYIRZmLS0XhMVHWiIvXJHwue2Xgs8DyAqILSCKIKpCJRhqPIxHCh
+bek1nzw2YzVaU+E37He5V9PSkkRFO9tRvELhW3t4Wya7p4l6MVFW9ETOOtUqZYmt
+bxAq/XEFZl/aFb2FW2RoKjUZpwxbrccCaV1hKIxtNen2ro31dNd9YHXe+fE4Fc7r
+FTwbhOg3QLvZDXmiZt3LCXdMKAhayLbuSVsycuEtac44OVSvKhJ8GYykTRRn67nU
+qCFNDe266KTNDqUMilrHm3FYGkpFtREOBajH4EqdMAJSdXg=
+-----END ATTRIBUTE CERTIFICATE-----
diff --git a/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.d/acerts/dave-expired-aa.pem b/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.d/acerts/dave-expired-aa.pem
new file mode 100644
index 000000000..e612607aa
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.d/acerts/dave-expired-aa.pem
@@ -0,0 +1,18 @@
+-----BEGIN ATTRIBUTE CERTIFICATE-----
+MIIC7TCCAdUCAQEwgbGgTjBJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp
+bnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQQIBHKFf
+pF0wWzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzAR
+BgNVBAsTCkFjY291bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmeg
+QzBBpD8wPTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4x
+EzARBgNVBAMTCmV4cGlyZWQgQUEwDQYJKoZIhvcNAQEFBQACCG25qKzXgZ9HMCIY
+DzIwMTQwMjA3MTAxMzQyWhgPMjAyMjA0MjYxMDEzNDJaMBkwFwYIKwYBBQUHCgQx
+CzAJMAcMBXNhbGVzMH8wcgYDVR0jBGswabOoTOBJ6lXcG4NAowI32Y/oXa9/oUmk
+RzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBgggqIkNljRd9CTAJBgNVHTgEAgUAMA0G
+CSqGSIb3DQEBBQUAA4IBAQCfX/84tHCidlVbOU4is/1hZc+FpK4GG1jcywM9mtjB
+QUeX28LYkewDdRpe49zJuTbvuIIABTp+4alf/oo7sKLk+o2/qq6CPfx8BSRL1a61
+Y1wVeGmXqcRQgtX+r3asMtLBoAFO8VaHt6pY52bg2YMNVRrUnCUVLqQjT+/Ujr4f
+Lhs74VOxn7S94YbqvP5rytNFjdzBREipmb8j4mhIyfwUluoWFCkzxuwRaSEGhSMO
+NobJuj/mK0PUU+TMYEcOMpQ/nVyb9rBtOvDoNU3BeD+ovuamErT9/9vWhEOwMD4C
+OeR+ofespDX+AdCyZ1Dr1GMyUmIRK7GERdasIhx5pYMk
+-----END ATTRIBUTE CERTIFICATE-----
diff --git a/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.d/acerts/dave-marketing.pem b/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.d/acerts/dave-marketing.pem
new file mode 100644
index 000000000..2f646c39d
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.d/acerts/dave-marketing.pem
@@ -0,0 +1,18 @@
+-----BEGIN ATTRIBUTE CERTIFICATE-----
+MIIC9DCCAdwCAQEwgbGgTjBJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp
+bnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQQIBHKFf
+pF0wWzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzAR
+BgNVBAsTCkFjY291bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmeg
+RjBEpEIwQDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4x
+FjAUBgNVBAMTDXN0cm9uZ1N3YW4gQUEwDQYJKoZIhvcNAQEFBQACCCPxWgWKmOUM
+MCIYDzIwMTQwMjA3MDg1OTM3WhgPMjAyMjA0MjYwODU5MzdaMB0wGwYIKwYBBQUH
+CgQxDzANMAsMCW1hcmtldGluZzB/MHIGA1UdIwRrMGkLAerHOgJc+LbEweHarsJX
+9lKwsKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIIFU5+Fa8cF2EwCQYDVR04
+BAIFADANBgkqhkiG9w0BAQUFAAOCAQEAThlKhGVv34sfnCSQn6nYUdxMhboTuC98
++DgvTQ/tH0hddCJNg00SpO8AbStwEsqHFaSqFzAGHcMk+XUrBRSGszAwg8nKAKfT
+MCvJbK6lWQcPF0WPSSk9/r1TLan4I9xhneNIIGQf1fnNo7NrQnmhJjolUgXQNwFA
+qZgKBsk0jWcOSvI0bpK90km5flCHn/OA1rDCdaPuMwreDhvNDoApORYFPZVsLhid
+CXSqT+FWfm2NfegS+Q4VHP3YLbY4vLepCerU9aMTUIPit0kf1N8piG/l6AUno1XP
+VrcTvruQUWQb08H9aYt7l7kyhzOKkuXjVbdn5egZnK0m4WKmV50guA==
+-----END ATTRIBUTE CERTIFICATE-----
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa-expired.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa-expired.pem
new file mode 100644
index 000000000..20336fd79
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa-expired.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJzCCAg+gAwIBAgIIKiJDZY0XfQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTAeFw0xNDAyMDYwOTQ4NTJaFw0xNDAyMDcwOTQ4NTJaMD0x
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRMwEQYDVQQD
+EwpleHBpcmVkIEFBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0s5R
+X2Y9KUSoNewtwOhQunET9VRGrVYS+xDewmIuAHZt4jhbETSHS+r/qipV4mI+/orS
+zma0+GVcDwbHRT3oDCrpG/DMpPznki+OzHT9e/HHk0yxb0Ti6vDDbZOM8y3r7ak0
+Dcq6BgGwPxwIW2u1YHRTj4yxlr5wj9iKU1SQGCwZIQZmjqrjoQlcrThIXju2bqN3
+SOjuaN6A2GAvcbb/IeQEm8HBqulmyBuGV7Gk9umG/nr61rulNxEp+3Dsce5mv7JR
+dX5W8P6pv38A/f31Bh/EetEkv8qdnkH0aVAvd8Kb2yxc8Ofdu0kJNoPHGjrnSywl
+kPh3z2pw6nOFpyFHoQIDAQABoyMwITAfBgNVHSMEGDAWgBRdp91wBlEyfue2bbO1
+5eBg6i5N7zANBgkqhkiG9w0BAQUFAAOCAQEAh9Sxryf5ip00ykCMStDYzQk27l4N
+ncjU19RJqjrCuHupvWPJ+aYQFvssAnGGuK2rbw3rzVQba/Vn/o5d5wr1gxRtNQjv
+z60jbqllmjF0TWvPf/CM/5LVAQJs2x5Mqtvy3pbNvetFHjZrzVDobdVJpqzaZGnh
+oP0+HUMdE+fyLa0LfaRKYNv7r/vxvzsHZvgJawHK1b/2VWtrkIMyhAgHYViih06j
+2bfVI/f5tk7/UljzLOCB22IFIn05wh4jyKq6az7B2Xu1Kk0/eA12eRqG134P8OYe
+hAPcuj4QEDwV0ESw5cueD2I0MxbXuH2vBG5ziSBfw2Phj7f9iYurmMsZew==
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa.pem
new file mode 100644
index 000000000..fbfa7ee8b
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDKjCCAhKgAwIBAgIIFU5+Fa8cF2EwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTAeFw0xNDAyMDcwODUwMzVaFw0yMjA0MjYwODUwMzVaMEAx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRYwFAYDVQQD
+Ew1zdHJvbmdTd2FuIEFBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+y6nSTRzCuTbfuv2FwnXC/R7+5L5WViVxBfCEkaxzW5GJJGTFFbSbpQJxWk603BJH
+hlVAVj8jUNMKcOuj/l8UPNV8lcDslQfe/AZd6gqdCwP7uMsAQ3yWfkZZK1jxTdTP
+dvcpLNozt7hmIroJVTGzmzI5YIvWbYT/zyEge6pEPaXr8IqYzdWFCUINTXUGEr/L
+lt3IUKMTNnhabPHAbTIZ3i0c98Ci0ZzZjGx+JmVVvcY9lgNTjS2xaaklUCq2auR/
+QzP7PxuSYkAF4qYhG7Ujeo7v4z79mXISFTlyqKe7k18wUKdf+7suyGczSRMP6+5N
+jqNqab7l/SHwHQMVEE5ihwIDAQABoyMwITAfBgNVHSMEGDAWgBRdp91wBlEyfue2
+bbO15eBg6i5N7zANBgkqhkiG9w0BAQUFAAOCAQEAakPgMKVjkQmpI1VROcetvZzM
+ZHMWwdu9IcwNpi/8qs2qNh6wCYv9c4V6O4zRCB1u8TuAIQiwLNZgjk+OKKLzvUik
+gBRogn/apXsvAtfu9ODv5GuS6F38OYWDu/c3fiCZB2MKTtmEro2EkxxMw4DkfJ02
+R/xrhAnjeQlRQOChgQ3fHNmH9gVNaKXNq+JaoU2TfHFwuYMMe6q1L+vhOaBd58YA
+6wPHOOLcIEaebHIqa4duAE5txJsZCEEySrr5stqo4j7929BAw+U6f+6Wb+UAEW6g
+91PKAl5QVbAzgPFWoPkOTNdDOprT+B4eGx0EC2QTEtxxDv5589choF7BMRCzsQ==
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa-expired.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa-expired.pem
new file mode 100644
index 000000000..0e694c4f1
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa-expired.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA0s5RX2Y9KUSoNewtwOhQunET9VRGrVYS+xDewmIuAHZt4jhb
+ETSHS+r/qipV4mI+/orSzma0+GVcDwbHRT3oDCrpG/DMpPznki+OzHT9e/HHk0yx
+b0Ti6vDDbZOM8y3r7ak0Dcq6BgGwPxwIW2u1YHRTj4yxlr5wj9iKU1SQGCwZIQZm
+jqrjoQlcrThIXju2bqN3SOjuaN6A2GAvcbb/IeQEm8HBqulmyBuGV7Gk9umG/nr6
+1rulNxEp+3Dsce5mv7JRdX5W8P6pv38A/f31Bh/EetEkv8qdnkH0aVAvd8Kb2yxc
+8Ofdu0kJNoPHGjrnSywlkPh3z2pw6nOFpyFHoQIDAQABAoIBAQCRRwiDM2VhBGTc
+THi3oiLIaldz0fGnUVNhXR33XkwPm45cwbPY5pd7NWeecPChRE3fg/KFtfhv2wKX
+hHdd+6zofcYKsGeIKJa6gzXpJ5LtkRGWLNt3MEUl3mkAIhiYGoSmU96Axr5ul0lM
+JNiJkG/+GgzgN/jHR1UxfOzPQs7PKIyzCE2N0v8dRxHWeyPCRxSavlhAoQKjWxCe
+FfVBzLi+L1faidcwf4GWyeTfhvALXQnQGgVPH6PX0z3mwaeYHPWVXWJGcaF0bi3H
+HaEb2YexTDkEVU0PUVYO40OgtmKVLmi5t+ZP+/dFasy9elzgM3sSmVc7IBp6BBCH
+NgUcWcf1AoGBAOiti9raozwdA/wHAMaCCbgXq8Dg0+3LYnb0ob7w8OaHRl4Mvpup
+7MtxPGmr9IOddf8/49+L9STsioMllGt0TrkMrlKyg/eglGMalvbJmUYw1kERtQZw
+0CYYE8DXR3fvN+eMl1maZ4Wf048UugWQhsRGzOyUKcMXhAlIXwTevnCfAoGBAOfv
+isxrw5vttRxfszZaWeomos9bk6NA9FJYG1rS6ocR+Ww2OpQSJVTmbjpYv1lTb9yr
+PvcZtPbWP/6g8kjPTQQ+ZnJQB4RpWek0KlxwxC6JW5HzqMJFn68zX4/jE5kXqVow
+Y+Sfgrkr4QXX8vjzp9GFRhAW6bA5DlswqH7XmB+/AoGARHYDx3I7Q026RWZ+GOpc
+F7mHRKoiUT5di2ixSrA0AXBeCQAw+TZHQRjhUKpSuIMVG/RdhQH2MFYU7z+YawF+
+xD3x8M0rvSmXX42MS7LHkXp/IAgovmtlI0BEV6JAGg7d4Rhh0/B1c0Cyi8/qaAa9
+UHUQiK+Tlh6OL/kGVDWBzTsCgYBTW5Jk+e4pontPIU4FoN9j+lLVd7JOIFAvMB9U
+uy0zMlCUhcDz6rmkE9VV/wN2lThE9P8CTCjv9fy2BR5O8MJbXhnvx7eL7Vk1KVx4
+MMcxeoiAojPq7p7/ltUnn5MxmIFzOqUMTA/tgUm0kfJvaxLLiLyvl6yRe1AfkhNc
+0xuHfQKBgQCyQEcvtmR1Qx82ob5uTvBbKFDbSniiJMi9kgMk266PNRdg85Q4RC7X
+j5KNALOb5u2oMT6/Hzi4KruDBc/6viXRuMYM+L1JIy8y6wcVjCQetxyUIGgc9Ouh
+59bOkD+SOth52Y+AYFyCaJOSoTFHlTcLwCvk9gVdbgVYJi7/jyohSQ==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa.pem
new file mode 100644
index 000000000..a4e001791
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAy6nSTRzCuTbfuv2FwnXC/R7+5L5WViVxBfCEkaxzW5GJJGTF
+FbSbpQJxWk603BJHhlVAVj8jUNMKcOuj/l8UPNV8lcDslQfe/AZd6gqdCwP7uMsA
+Q3yWfkZZK1jxTdTPdvcpLNozt7hmIroJVTGzmzI5YIvWbYT/zyEge6pEPaXr8IqY
+zdWFCUINTXUGEr/Llt3IUKMTNnhabPHAbTIZ3i0c98Ci0ZzZjGx+JmVVvcY9lgNT
+jS2xaaklUCq2auR/QzP7PxuSYkAF4qYhG7Ujeo7v4z79mXISFTlyqKe7k18wUKdf
++7suyGczSRMP6+5NjqNqab7l/SHwHQMVEE5ihwIDAQABAoIBAQCIvn5QfkYUG87+
+eyirV2xTjdMw/Md1UfBgP4yTTsmpqr79K5fUqg5zLX+0VfJDbRaPEICBKCVrKDfz
+d5QFwAsTiXf8CKwQqFdEunWmJfgppEQIYGzN40IciNloLHDghEnEI9GGpv9glLQn
+DugjRprEUmWJ+HpB0LH9fc2Ums704Fcd8ud3bStCRxU1TA5VGBHmnyK5/n1Lb1oB
+01LoW8ins8lATuV+MAaWZgmCbPajfXY9wQGq3IDMVlOUOTxRo742T1GTrwBZR8ot
+mgs/Gs1XkJRC1x9Z9Z1Cej1iC5llv0zX8AUdejczGHQGHj1a1Dg8FpRneW6rrLyK
+vvKR8jtRAoGBAOpyk63yCPM2LqU4US5aHXPoLyyGeo4v7okTKIuoUfosQ4XJvylM
+lEYoFVFKYBKcXRQhmeWyILtto2BBDnG1HWAi1MbUWLxDNEYieurzJiv4i0XbR6cH
+mLhMMlQyKmwLRF5v3EiupjKBZRk2iYcx4eeL3gsUWUzRPeWJHKDgYF4PAoGBAN5i
+xyOsU/32gQ6vLQxt8us6n3OBr1PiFg8JIdADPnKOCxJ5uS8dkqOQHCMKyvS9MWrf
+3Wj4MOBEgW7fBBAxkvjJdPhBW70/pGM46mb991dTHJ4gIAzGxgvJIqw/FjqEC7Oo
+vWDRS4dxW56Rs2tdLn2GRvvlS3+3z90twqS/t6wJAoGBAJpzhzT2Gc1YaZxxIJI/
+zd15HfLgWUbo7uWhGHoBFpiQpp8yDNzBVYFukLSwIeDA4FUN2dxH4GZ50ULtOP3S
+Cps19yVR6W+Fep+lwYKdUw1uvRn1Xxv71jG8CQAM2IO7XHw2h1HetSDau+bDVhEZ
+3LB1JX/5FOeVhYh9Lr4Rc4sjAoGBAJCTCv+oEtqyHOjc/Z5tBFXkwLCpCMCx5MFV
+oIPI+BolOhGCzN9SjHiFQaWOaK9/J9dhPmH1qGDEaJkZp1yXvgK7ha23X9rCuy4+
+XDUkul4tDBfIrs1flHUpB7+PK/ZSzgC4nJWKu12MVpHaCxirdYPpfdBZGyIm753N
+GBNfCBtxAoGAKkrHlsfq7GVVU7Jj1AlNCwmlm21vSJ45G3cNR1GpgdplB5JR1ldV
+2kxA4xm8uFVIJ60OQ9VZ5Svaovqh8iX2sndSOZMefjH3qiDu/4mJqRA3xV5ugon3
+RAzinJzUU4tnk9pajOMD3FHOHvUO4hAJjVYEzqLIIRE7QhPuEpLevZ4=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/description.txt b/testing/tests/ikev2/shunt-policies-nat-rw/description.txt
new file mode 100644
index 000000000..7d9ebfd90
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. They tunnel all traffic to the gateway. In order to prevent
+local traffic within the <b>10.1.0.0/16</b> subnet to enter the tunnel, both set up a <b>local-net</b>
+shunt policy with <b>type=pass</b>.
+<p/>
+In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping each other and the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/evaltest.dat b/testing/tests/ikev2/shunt-policies-nat-rw/evaltest.dat
new file mode 100644
index 000000000..4d36673dc
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/evaltest.dat
@@ -0,0 +1,12 @@
+alice::ipsec status 2> /dev/null::local-net.*PASS::YES
+venus::ipsec status 2> /dev/null::local-net.*PASS::YES
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES
+alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES \ No newline at end of file
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
index 90a5d61b1..4c6e51df7 100644
--- a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
@@ -8,7 +8,16 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- mobike=no
+
+conn nat-t
+ left=%any
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftsourceip=%config
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=0.0.0.0/0
+ auto=add
conn local-net
leftsubnet=10.1.0.0/16
@@ -16,25 +25,3 @@ conn local-net
authby=never
type=pass
auto=route
-
-conn venus-icmp
- leftsubnet=10.1.0.20/32
- rightsubnet=0.0.0.0/0
- leftprotoport=icmp
- rightprotoport=icmp
- leftauth=any
- rightauth=any
- type=drop
- auto=route
-
-conn net-net
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- lefthostaccess=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=0.0.0.0/0
- auto=add
diff --git a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
index 8e685c862..dabff38e4 100644
--- a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
@@ -1,6 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
- multiple_authentication = no
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+ keep_alive = 5
}
diff --git a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
index cd8ea23c3..90a8ae26e 100644
--- a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
@@ -6,17 +6,15 @@ conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
- keyingtries=1
+ keyingtries=1
keyexchange=ikev2
- mobike=no
-conn net-net
+conn nat-t
left=PH_IP_SUN
leftcert=sunCert.pem
leftid=@sun.strongswan.org
- leftsubnet=0.0.0.0/0
leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
+ leftsubnet=0.0.0.0/0
+ right=%any
+ rightsourceip=10.3.0.0/28
auto=add
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
index a5cd14b30..ca23c6971 100644
--- a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
- multiple_authentication = no
- install_routes = no
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
}
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
index 46ca4cdc3..ade641503 100644
--- a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
@@ -8,7 +8,16 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- mobike=no
+
+conn nat-t
+ left=%any
+ leftcert=venusCert.pem
+ leftid=@venus.strongswan.org
+ leftsourceip=%config
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=0.0.0.0/0
+ auto=add
conn local-net
leftsubnet=10.1.0.0/16
@@ -16,25 +25,3 @@ conn local-net
authby=never
type=pass
auto=route
-
-conn venus-icmp
- leftsubnet=PH_IP_VENUS/32
- rightsubnet=0.0.0.0/0
- leftprotoport=icmp
- rightprotoport=icmp
- leftauth=any
- rightauth=any
- type=drop
- auto=route
-
-conn net-net
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- lefthostaccess=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=0.0.0.0/0
- auto=add
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..dabff38e4
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+ keep_alive = 5
+}
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/posttest.dat b/testing/tests/ikev2/shunt-policies-nat-rw/posttest.dat
new file mode 100644
index 000000000..1ff2c0644
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/posttest.dat
@@ -0,0 +1,5 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/pretest.dat b/testing/tests/ikev2/shunt-policies-nat-rw/pretest.dat
new file mode 100644
index 000000000..b96aa0ce7
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/pretest.dat
@@ -0,0 +1,11 @@
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::expect-connection nat-t
+venus::expect-connection nat-t
+sun::expect-connection nat-t
+alice::ipsec up nat-t
+venus::ipsec up nat-t \ No newline at end of file
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/test.conf b/testing/tests/ikev2/shunt-policies-nat-rw/test.conf
new file mode 100644
index 000000000..bd82f03ad
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/shunt-policies/description.txt b/testing/tests/ikev2/shunt-policies/description.txt
deleted file mode 100644
index dd78a5ef1..000000000
--- a/testing/tests/ikev2/shunt-policies/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-All traffic from the clients <b>alice</b> and <b>venus</b> is tunneled
-by default gateway <b>moon</b> to VPN gateway <b>sun</b>. In order to
-prevent local traffic within the <b>10.1.0.0/16</b> subnet to enter the
-tunnel, a <b>local-net</b> shunt policy with <b>type=pass</b> is set up.
-In order for the shunt to work, automatic route insertion must be disabled
-by adding <b>install_routes = no</b> to the charon section of <b>strongswan.conf</b>.
-<p/>
-In order to demonstrate the use of <b>type=drop</b> shunt policies, the
-<b>venus-icmp</b> connection prevents ICMP traffic to and from <b>venus</b>
-to use the IPsec tunnel by dropping such packets. Since this policy does not
-apply to the localnet, <b>venus</b> and <b>moon</b> can still ping each other.
diff --git a/testing/tests/ikev2/shunt-policies/evaltest.dat b/testing/tests/ikev2/shunt-policies/evaltest.dat
deleted file mode 100644
index a6e40a817..000000000
--- a/testing/tests/ikev2/shunt-policies/evaltest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO
-venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
-moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
-moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-bob:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
-bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-venus::ssh PH_IP_BOB hostname::bob::YES
-bob:: ssh PH_IP_VENUS hostname::venus::YES
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules
deleted file mode 100644
index af0f25209..000000000
--- a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-# allow icmp in local net
--A INPUT -i eth1 -p icmp -j ACCEPT
--A OUTPUT -o eth1 -p icmp -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/ikev2/shunt-policies/posttest.dat b/testing/tests/ikev2/shunt-policies/posttest.dat
deleted file mode 100644
index 837738fc6..000000000
--- a/testing/tests/ikev2/shunt-policies/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-
diff --git a/testing/tests/ikev2/shunt-policies/pretest.dat b/testing/tests/ikev2/shunt-policies/pretest.dat
deleted file mode 100644
index c724e5df8..000000000
--- a/testing/tests/ikev2/shunt-policies/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::sleep 1
-moon::ipsec up net-net
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem
index 4ebebba5a..a4d9812d9 100644
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem
@@ -1,25 +1,25 @@
-----BEGIN CERTIFICATE-----
-MIIEMDCCAxigAwIBAgIBFTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEMDCCAxigAwIBAgIBKTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA5MDQwNzEyMDExN1oXDTE0MDQwNjEyMDExN1owaDELMAkGA1UE
+b290IENBMB4XDTE0MDQxNDIwNDY1NVoXDTE5MDQxMzIwNDY1NVowaDELMAkGA1UE
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
cmNoMQwwCgYDVQQFEwMwMDIxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3Jn
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtXtFcjNbEEK76mVv1j3c
-6YWBeunBl7V9Qf1bPpzwTTUIKFDkg6HtWaNa7fxhTtHlPFHH8hdgiEZTQt626GoH
-8DKE1MaBOgvnW01vh2p1j8jW3VXSwBWBCM9vNnaxGic94Qiix6z+cAulCo1pzyY1
-XaJSGAvwG3Jap9/gChClAv65zg34mLWZpcXddUGoaOMu3JaRgVaNEiY4wGweMM3n
-hgxJ7+3q9vX+z5EqUQB59WBzVz7fU9FygLgfeAD1McrvMQOjo/PtkpEBOJipnjq9
-0k/+Z3gKIHbi6YIoIXDs7bOSaw8myvD5Bi4vNr5tKPr7bdLBU+AyAzRlJWV4GBw/
-rQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYE
-FABqD2vvGFgP2xX2Qqjx26Mz1RR5MG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzXQSXX8LtY/RlgvQxxCF
+pq787RPVD1HQciKemGkzUcjC+J+3rHBKmPT68Prb/4j9ESYdPqvaI7KWGD7pkAv4
+BWv4rw5iAxKB7bEDSVg5Gjs9vXDifR27Pz8rfsQFo8+O9oYWb7Ah45TNU/B8+Pcr
+Gajv0I7eHUbGJsKlgOOMBkSe3cbQd9jc54iv8AFFfMsh5riMz2+7LI8zaMzie3vN
+aPjsSDcGTB7jDa9bY+ZMbHzdFaDzmodDrZNJOSKTeDp5QTuP/JTPrSCXiIqUEJbE
+IUhWF2P1s8wH9SeW0ZQlw4Z0eETR/c7XQfzdJj7UCmWLJQ//eseoAXNc1DbV6EtJ
+1QIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYE
+FGkt9dMYc1d/MRpfoo1q6zzwdBDMMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl
4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25n
U3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaB
FGNhcm9sQHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9j
-cmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEFBQAD
-ggEBAGuatpu8jxc22Iqglx5UIa8fkNSjfyLgO0RugCB+kPPilGttGWly+raLggQM
-Hu1qdt4l0cj60pe03Dc4GuUwJCW9J4ntVvCp1/SLcifvd3pMTtlrdSMpj105L5ma
-/nVksJ7UZPzcBLMq/8FtEg68H2WM+ixrmlm2cZiFDytMODEuAPCwWHOSP4WJNDzS
-KKc95ONxwTsD1VDm/ShcKw083XgvT7oHoei2RRDYp70CkatWOOJ7eMxdKdICl8nu
-9RlBLG8CJqcy7cJ4V7GOk6EOtGpGL/GR2gpLpvUnmWP9MUHYu8rVTzKQdW9A2Wjx
-fmSZH0LzbAm+7XFrP71rBSJUaUI=
+cmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQELBQAD
+ggEBAEbfq0PDdexYL9OqqD1Q8U0UXIRi3hvruqGM+KW8UbKisRqJJnow5wCYBJLI
+MFC7ze24AcADe0Az+uLdKzClVZ+87i/vMse0dCGxSvKKwUtI9bFeQOourrBEHHRw
+xJJcY9eGlsJoyJXyuT8sEXI+YqAaVDtcAYDa+OjIQNrJeIZDv9t/+1q1wlh0gvIz
+zfndSfL4xEIf+lw1Flvt8BwTx4jDk6QIS4jUO3YtHzrtZ+171/iqmSvGrEmfVceq
+1KOn7zNgh7XHmqE92HU63R9sVu3zjVSzuAMIVDqT5v8qU6T85NJE8ebYXi/RL8ON
+btGZ7+y4Z4CbdkjLZ+Oxtew0nwk=
-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem
index aec8e7a33..c1f4b179f 100644
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAtXtFcjNbEEK76mVv1j3c6YWBeunBl7V9Qf1bPpzwTTUIKFDk
-g6HtWaNa7fxhTtHlPFHH8hdgiEZTQt626GoH8DKE1MaBOgvnW01vh2p1j8jW3VXS
-wBWBCM9vNnaxGic94Qiix6z+cAulCo1pzyY1XaJSGAvwG3Jap9/gChClAv65zg34
-mLWZpcXddUGoaOMu3JaRgVaNEiY4wGweMM3nhgxJ7+3q9vX+z5EqUQB59WBzVz7f
-U9FygLgfeAD1McrvMQOjo/PtkpEBOJipnjq90k/+Z3gKIHbi6YIoIXDs7bOSaw8m
-yvD5Bi4vNr5tKPr7bdLBU+AyAzRlJWV4GBw/rQIDAQABAoIBAFekBUCGPobWw2sJ
-u32J+IIpgAL8mgoKkkfo80SEg6O1ZZAaqJBNBZNRSRs+0zs+L+b2U4m88lg9Jf5Y
-EZqhgd3kd7NNfaCrmPnFpoONzOI4ClNvG8y5VcwMaNezcAmCQ+bFxd6J04IGjZhP
-/HYWLJVgSybjtPt8OP1zJv2VVirgSb1rHOzI9j1CsaIl6m1gcXU2hA3A2/BIOd6Y
-UgCxJKu8G7NsmW14TSbJshcI1tUFOfbxFlAhmeAD57Kw6eC2GVwuBhghAYCNbpx0
-TYcQeTsBUjubna30K7+8lU1uiblKNLDqAzWynHz8xm1QEo0Z7txP9RRJUZDzlpmx
-u9iCMp0CgYEA6ZSexI3igJ68bdTOBwdbFtA9wqUTbYj6MULfUkFwqGLswLpNhhGv
-Y9X8YHUjcWEEoLXZb9QftmQc1R/nFCWC2slBBrKw9oERUUVYoczNpbkqJI1fjVfJ
-lNFgPXqQlRGIgSzSZr0CdBVs2VZKp19izQRQQI8d3ATD+Q4503dorgMCgYEAxuaC
-jow+vgcNt0DxlVWiV9rYGR7sDPJhdDyWgZ+yfaG0lVaX/81cEVxalUKTGHeHrhFs
-tIrZbRaIo9+XINzqCBNqfgauAZRFCvDv/BQPoGW+XKe+nH7DcC5PH8lcH6k1uGlq
-1KaRPymLRF8/PMmQ92o5Gk6H+Ah523hOJSv5BI8CgYBXH91cmUO8D/leyjqS+pZq
-WwA+Yw5tE+Omjjf4WXppBIUkmhkigeQ2y/FYFTlEKBjuzQWupaOyh4MNp9msdRVr
-ABhmJC7Hs3q/IqudpmOqhfeHLMhQU0dYYASSye21/JU7AXn1YljQ7dDs/DfaWETl
-Dc/VVMyhbZGfi0PccbS0+wKBgQC686+DjQ7sTnT16nUoiHUvXuP/uLDm+mvfdZOC
-AzkiHPw/4kS8i6oeJ1B9OzZHqRI+6uHiUSBNCQEmBuNmYD8ZmCZgjqa/lT3QKudn
-aPPHL9rd/E2NixjoOJ7mob2VhNaZn3xqpKWhWMsuWNh3qn44D//cWjQzTsQ7JblN
-9yb4wQKBgQCUs7wKhD/c45ST7bWH3C/iXBXsUwJrVPLKrCxl5vzkKTiDevMDVndo
-/jRAVk5UQEGO+R2eaqsgEujsS+ypGG1EWAdDyQ/6v8/34I7UF/bh5lZYOh1dXr6F
-PIROdfotGWYq2ituq1IbJMKFwhZLM7CRqnr0qsb9UaZeeuhqB3PAKQ==
+MIIEpAIBAAKCAQEAzXQSXX8LtY/RlgvQxxCFpq787RPVD1HQciKemGkzUcjC+J+3
+rHBKmPT68Prb/4j9ESYdPqvaI7KWGD7pkAv4BWv4rw5iAxKB7bEDSVg5Gjs9vXDi
+fR27Pz8rfsQFo8+O9oYWb7Ah45TNU/B8+PcrGajv0I7eHUbGJsKlgOOMBkSe3cbQ
+d9jc54iv8AFFfMsh5riMz2+7LI8zaMzie3vNaPjsSDcGTB7jDa9bY+ZMbHzdFaDz
+modDrZNJOSKTeDp5QTuP/JTPrSCXiIqUEJbEIUhWF2P1s8wH9SeW0ZQlw4Z0eETR
+/c7XQfzdJj7UCmWLJQ//eseoAXNc1DbV6EtJ1QIDAQABAoIBAQCiSRgkoDDolpSv
+199vDl7z3e9NeUfnlPF45l2t+BMge9t+NfMIk55pGcGKTi0uuM9lF10sXuStI+ip
+eDBXpwyfg7zo0gybbqgQz6zP548baEYJeLx+pdh9SfGabU4jKdU8Z4gbat4p/ST/
+M8wTgHGcEDR14hQSvg/RGBlRKOw3Gdq5+lWWHePfL0Lx7xmvXDcrOxtgN3aaQaHB
+b6bcb6V6vxcXeQR5eLV1k5mHFauu0wunFOimJrzozBfaUmlsOCGI1t9+3F0HPH9U
+SL4CHDQkzb8owE+3PNDAFKlads7/3dkp5bS2YeWNwYUvCLcima2isyH7eQa033Aw
+LK+XvgBhAoGBAP55aQGGmuXbdRvOa7YwobQHaUppV/ZLPSQlrmbeTCVv4SN0OmvT
+DQh+VjlQ0+XhJudhIGRTdVns7xi5BWy1H2dPvOOG0VX5xVLyEVcyOfAmII8zP3Mo
+ZzzShehwfi7Pu4hlGwt/oaFuIID9nNROJ8wxF0KsHaTnJvJIAP9GEu0dAoGBAM6v
+a4OGeNkWrGfSJ1PQXkV3r49Uib4n8ToWbAmbKn5lf+Hq25+3p94ontm7cj7NSq6q
+iOYPrnG/r9of+ikCU+065RpI/Xf91Yf3uy5YXY8GUTumknXCI8nXE4Nt42HrW1pB
+hoFh/Z4dSs6jX8G3LuJiPdvQ3Bi5SsOiEaFruwoZAoGADMFfLxFlMEJY02T8Zyx2
+3oREldND8neBAA/XdxaLcJD0EwffacoxbAyRG9xeUrZ/cbefnQfF6RUEQxP7HqDR
+iycnC6yVT57uciLqFZnR56SxmxvxgT80NYtD5QvGd2g4OTUALwpduq6/eFe+BbJJ
+MmX/iXsBHWPswtYzHpiPmE0CgYAy+gkmc3Ay+uii4q5YebgGojJmw48Fm4xfq1AS
+PncInbgg3HA2wHFi1dn4EcdnvfKBigYh2BRKceDJh8GHg893X2NKTF5Xzf9wfaVp
+FNpegExgzgCpkqyJB8cET4IZkJcDd83Y83Y+HTNqK9leSfQCWgCvyp++aVULU1nN
+2mhTYQKBgQD7MvZ4zXOHCqWQpYyKAMxAo+0xoZcT6LCNYRfkehwYQRRtVSH74S0Z
+npadWcLXCuIJULgPD/JxCqHBylEoRjFC6BYmqTJJva7mLkf9es09kS7MPmNxGs60
+S0Wg4PBCXe74uN7+IgziCoSBGiUxTg36B687+PesvhhCnsTLFYbYZA==
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
new file mode 100644
index 000000000..135cfaec0
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
@@ -0,0 +1,15 @@
+Type Bits/KeyID Date User ID
+pub 1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
+RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
+tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
+vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
+f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
+t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
+=oaBj
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
new file mode 100644
index 000000000..32f204b10
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
@@ -0,0 +1,15 @@
+Type Bits/KeyID Date User ID
+pub 1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
+rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
+I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
+tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
+A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
+0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
+lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
+=lLvB
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
new file mode 100644
index 000000000..6524773e0
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
@@ -0,0 +1,19 @@
+Type Bits/KeyID Date User ID
+sec 1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
+
+-----BEGIN PGP SECRET KEY BLOCK-----
+Version: 2.6.3i
+
+lQHYA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
+RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
+AAP9Fj7OaaCfTL3Met8yuS8ZGMDL/fq+4f2bM+OdPSgD4N1Fiye0B1QMCVGWI1Xd
+JXS0+9QI0A3iD12YAnYwsP50KmsLHA69AqchN7BuimoMfHDXqpTSRW57E9MCEzQ9
+FFN8mVPRiDxAUro8qCjdHmk1vmtdt/PXn1BuXHE36SzZmmMCANBA4WHaO6MJshM6
+7StRicSCxoMn/lPcj6rfJS4EaS+a0MwECxKQ3HKTpP3/+7kaWfLI/D65Xmi3cVK3
+0CPwUK8CAP2RYWoBZPSA8dBGFYwR7W6bdNYhdmGmsVCaM7v4sVr0FwHwMERadByN
+8v0n5As3ZbrCURRp68wuE+JjfOM5mO8CAM3ZK7AVlBOqkoI3X3Ji3yviLlsr2ET7
+QrVKFQBq7eUhwYFo6mVemEqQb61tGirq+qL4Wfk/7+FffZPsUyLX1amfjLQabW9v
+biA8bW9vbi5zdHJvbmdzd2FuLm9yZz4=
+=YFQm
+-----END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
new file mode 100644
index 000000000..135cfaec0
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
@@ -0,0 +1,15 @@
+Type Bits/KeyID Date User ID
+pub 1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
+RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
+tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
+vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
+f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
+t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
+=oaBj
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
new file mode 100644
index 000000000..32f204b10
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
@@ -0,0 +1,15 @@
+Type Bits/KeyID Date User ID
+pub 1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
+rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
+I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
+tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
+A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
+0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
+lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
+=lLvB
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
new file mode 100644
index 000000000..de2393649
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
@@ -0,0 +1,19 @@
+Type Bits/KeyID Date User ID
+sec 1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
+
+-----BEGIN PGP SECRET KEY BLOCK-----
+Version: 2.6.3i
+
+lQHYA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
+rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
+I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
+AAP8DHxBOQ7UeiO6cutdGSLfy6nxGf/eRR8d3dNLFKpRfy9IQxPN/yQHb8pzSQUI
+Pqi3V4PcJUJQJIMNqzzgyTyey/OdTc+IFngywRGKQowyD7vY+urVbcEDHe+sRTL1
+GvrsQGMZoXNDimABHn5NbT6Pc06xQ9rNvpCSyHMyzcylpk0CANqf96aEaryGJozg
+vSN5GlS77rPJ9Y9mU2EJs1+0BlMcb7Sy4HN2RRc/V56ZmlW2m3UbGwPqG8R9XQQ2
+LO03bTcCAPiJbTcRdA/YnZExbZPgEnV5nq8tVXTc7bz1Sw7ZWRef0iZyIQEXbwLn
+2Z2EJik9bQpkcVJSBV17cH7Av/VdIosCAKJPVoBETiVzWejIpGHHqbnmZC8P9rUs
+xAXZbNukbL3YElLeopNMyddTi6kf45/m0sb7fr7rzW/OJ7WP8mDrGPec4rQYc3Vu
+IDxzdW4uc3Ryb25nc3dhbi5vcmc+
+=DwEu
+-----END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/pfkey/compress/description.txt b/testing/tests/pfkey/compress/description.txt
new file mode 100644
index 000000000..4c60384f0
--- /dev/null
+++ b/testing/tests/pfkey/compress/description.txt
@@ -0,0 +1,4 @@
+This scenario enables IPComp compression between roadwarrior <b>carol</b> and
+gateway <b>moon</b>. Two pings from <b>carol</b> to <b>alice</b> check
+the established tunnel with compression. The packet sizes of the two pings
+are different because the kernel does not compress small packets.
diff --git a/testing/tests/pfkey/compress/evaltest.dat b/testing/tests/pfkey/compress/evaltest.dat
new file mode 100644
index 000000000..843326ecc
--- /dev/null
+++ b/testing/tests/pfkey/compress/evaltest.dat
@@ -0,0 +1,12 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
+moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
+moon:: ip xfrm state::proto comp spi::YES
+carol::ip xfrm state::proto comp spi::YES
+carol::ping -n -c 1 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
+carol::ping -n -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
+moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/compress/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/compress/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..78809898b
--- /dev/null
+++ b/testing/tests/pfkey/compress/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ compress=yes
+ leftfirewall=yes
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/compress/hosts/carol/etc/strongswan.conf
index 902d83c69..2061e52e9 100644
--- a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/compress/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,4 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
- multiple_authentication = no
}
diff --git a/testing/tests/pfkey/compress/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/compress/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..718b3c814
--- /dev/null
+++ b/testing/tests/pfkey/compress/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ compress=yes
+ leftfirewall=yes
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ rightid=carol@strongswan.org
+ auto=add
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/compress/hosts/moon/etc/strongswan.conf
index 4582e1473..2061e52e9 100644
--- a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/compress/hosts/moon/etc/strongswan.conf
@@ -2,6 +2,4 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
- multiple_authentication = no
- install_routes = no
}
diff --git a/testing/tests/pfkey/compress/posttest.dat b/testing/tests/pfkey/compress/posttest.dat
new file mode 100644
index 000000000..046d4cfdc
--- /dev/null
+++ b/testing/tests/pfkey/compress/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/compress/pretest.dat b/testing/tests/pfkey/compress/pretest.dat
new file mode 100644
index 000000000..29a90355f
--- /dev/null
+++ b/testing/tests/pfkey/compress/pretest.dat
@@ -0,0 +1,6 @@
+carol::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/pfkey/compress/test.conf b/testing/tests/pfkey/compress/test.conf
new file mode 100644
index 000000000..d7b71426c
--- /dev/null
+++ b/testing/tests/pfkey/compress/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/description.txt b/testing/tests/pfkey/shunt-policies-nat-rw/description.txt
new file mode 100644
index 000000000..7d9ebfd90
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. They tunnel all traffic to the gateway. In order to prevent
+local traffic within the <b>10.1.0.0/16</b> subnet to enter the tunnel, both set up a <b>local-net</b>
+shunt policy with <b>type=pass</b>.
+<p/>
+In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping each other and the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/evaltest.dat b/testing/tests/pfkey/shunt-policies-nat-rw/evaltest.dat
new file mode 100644
index 000000000..4d36673dc
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/evaltest.dat
@@ -0,0 +1,12 @@
+alice::ipsec status 2> /dev/null::local-net.*PASS::YES
+venus::ipsec status 2> /dev/null::local-net.*PASS::YES
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES
+alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES \ No newline at end of file
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
new file mode 100644
index 000000000..4c6e51df7
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn nat-t
+ left=%any
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftsourceip=%config
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=0.0.0.0/0
+ auto=add
+
+conn local-net
+ leftsubnet=10.1.0.0/16
+ rightsubnet=10.1.0.0/16
+ authby=never
+ type=pass
+ auto=route
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..7e96bf1c4
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
+
+ keep_alive = 5
+}
diff --git a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
index cd8ea23c3..90a8ae26e 100644
--- a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
@@ -6,17 +6,15 @@ conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
- keyingtries=1
+ keyingtries=1
keyexchange=ikev2
- mobike=no
-conn net-net
+conn nat-t
left=PH_IP_SUN
leftcert=sunCert.pem
leftid=@sun.strongswan.org
- leftsubnet=0.0.0.0/0
leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
+ leftsubnet=0.0.0.0/0
+ right=%any
+ rightsourceip=10.3.0.0/28
auto=add
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..c0f605d26
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
+}
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
new file mode 100644
index 000000000..ade641503
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn nat-t
+ left=%any
+ leftcert=venusCert.pem
+ leftid=@venus.strongswan.org
+ leftsourceip=%config
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=0.0.0.0/0
+ auto=add
+
+conn local-net
+ leftsubnet=10.1.0.0/16
+ rightsubnet=10.1.0.0/16
+ authby=never
+ type=pass
+ auto=route
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..7e96bf1c4
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
+
+ keep_alive = 5
+}
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/posttest.dat b/testing/tests/pfkey/shunt-policies-nat-rw/posttest.dat
new file mode 100644
index 000000000..1ff2c0644
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/posttest.dat
@@ -0,0 +1,5 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/pretest.dat b/testing/tests/pfkey/shunt-policies-nat-rw/pretest.dat
new file mode 100644
index 000000000..b96aa0ce7
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/pretest.dat
@@ -0,0 +1,11 @@
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::expect-connection nat-t
+venus::expect-connection nat-t
+sun::expect-connection nat-t
+alice::ipsec up nat-t
+venus::ipsec up nat-t \ No newline at end of file
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/test.conf b/testing/tests/pfkey/shunt-policies-nat-rw/test.conf
new file mode 100644
index 000000000..bd82f03ad
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/pfkey/shunt-policies/description.txt b/testing/tests/pfkey/shunt-policies/description.txt
deleted file mode 100644
index ad98eb8d5..000000000
--- a/testing/tests/pfkey/shunt-policies/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-All traffic from the clients <b>alice</b> and <b>venus</b> is tunneled
-by default gateway <b>moon</b> to VPN gateway <b>sun</b>. In order to
-prevent local traffic within the <b>10.1.0.0/16</b> subnet to enter the
-tunnel, a <b>local-net</b> shunt policy with <b>type=pass</b> is set up.
-In order for the shunt to work, automatic route insertion must be disabled
-by adding <b>install_routes = no</b> to the charon section of <b>strongswan.conf</b>.
-<p/>
-In order to demonstrate the use of <b>type=drop</b> shunt policies, the
-<b>venus-icmp</b> connection prevents ICMP traffic to and from <b>venus</b>
-to use the IPsec tunnel by dropping such packets. Since this policy does not
-apply to the local net, <b>venus</b> and <b>moon</b> can still ping each other.
diff --git a/testing/tests/pfkey/shunt-policies/evaltest.dat b/testing/tests/pfkey/shunt-policies/evaltest.dat
deleted file mode 100644
index 6ba3a988f..000000000
--- a/testing/tests/pfkey/shunt-policies/evaltest.dat
+++ /dev/null
@@ -1,20 +0,0 @@
-moon:: ipsec status 2> /dev/null::local-net.*PASS::YES
-moon:: ipsec status 2> /dev/null::venus-icmp.*DROP::YES
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO
-venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
-moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
-moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-bob:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
-bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-venus::ssh PH_IP_BOB hostname::bob::YES
-bob::ssh PH_IP_VENUS hostname::venus::YES
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules
deleted file mode 100644
index af0f25209..000000000
--- a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-# allow icmp in local net
--A INPUT -i eth1 -p icmp -j ACCEPT
--A OUTPUT -o eth1 -p icmp -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/pfkey/shunt-policies/posttest.dat b/testing/tests/pfkey/shunt-policies/posttest.dat
deleted file mode 100644
index 837738fc6..000000000
--- a/testing/tests/pfkey/shunt-policies/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-
diff --git a/testing/tests/pfkey/shunt-policies/pretest.dat b/testing/tests/pfkey/shunt-policies/pretest.dat
deleted file mode 100644
index c724e5df8..000000000
--- a/testing/tests/pfkey/shunt-policies/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::sleep 1
-moon::ipsec up net-net
diff --git a/testing/tests/sql/shunt-policies-nat-rw/description.txt b/testing/tests/sql/shunt-policies-nat-rw/description.txt
new file mode 100644
index 000000000..7d9ebfd90
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. They tunnel all traffic to the gateway. In order to prevent
+local traffic within the <b>10.1.0.0/16</b> subnet to enter the tunnel, both set up a <b>local-net</b>
+shunt policy with <b>type=pass</b>.
+<p/>
+In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping each other and the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat b/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat
new file mode 100644
index 000000000..4d36673dc
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat
@@ -0,0 +1,12 @@
+alice::ipsec status 2> /dev/null::local-net.*PASS::YES
+venus::ipsec status 2> /dev/null::local-net.*PASS::YES
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES
+alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES \ No newline at end of file
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
index a7fa09213..50eccad21 100644
--- a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
@@ -1,5 +1,3 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-config setup
-
# configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.d/data.sql b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..b1f5c7d10
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.d/data.sql
@@ -0,0 +1,199 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* alice@strongswan.org */
+ 3, X'616c696365407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* sun.strongswan.org */
+ 2, X'73756e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Sales, CN=alice@strongswan.org' */
+ 11, X'05da04208c02f428470acf6c772d066613da863c'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* %any */
+ 0, '%any'
+);
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f'
+);
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, OU=Sales, CN=alice@strongswan.org */
+ 1, 1, X'3082041f30820307a003020102020119300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130303732345a170d3134303832363130303732345a3057310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c6573311d301b06035504031414616c696365407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100d88d6a4811e6972dd0daa2adf3c911bf5edd8664607bea67f45427a11af59184f0ab90c46007b8b5aa69fff71ab2ff2d822cd5f4c9ec94cd32ef8f49e73c91ff48e40c48b4fcdbfae4b023d857431865349f15f998ecf50dc65ffe7dc12dc37071788bc6fcf08fdfeda2c6c073a84724ff5193d73c622b1d2f545a1ff9d3ffd0fc62eb7a2be85bae427e3ee8362df0313630641e4cc8f639abd311718c843dad0634cd06cf361f204910cfc9ee48bfea590ae62e6952e8ab70e4bdc75ec51a2a29c6b74c48ee32c65a1e32b27ae330dc4acd1b762c84ea48fb684d3476241e9ae7feb9e38981d85184ae949dfcb8064e6c333a096864ba6c420b0deb18e952fb0203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e0416041405da04208c02f428470acf6c772d066613da863c306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d11041830168114616c696365407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b0500038201010056bf83e11c656988b179337467a902d2a111632aa9f737d59ef35456c15469073c285046878b37a569572df45260eadec593f0fc174c1a8391052a5720290f1f77fd2a2c4dfddeec066f80efaa5db0e3d34514352c939142fa93140c062c587c85bb6e96298e647da33034c3491cae9ee26ebe5a6a32e6e9646adc032510ea9321b5d5827fa749f41c01b50c12682fdd3bf54fb14314fef5ad9fed368e07f51b40d3af3a0a9a75d939b940d38ea9d8fdb96d6c002eb88d5934cacf082354a2b71d8724896f5b6517f2574d307a37ad17a984589e4e53d727ed354d00036ea082c92fe0c303c206021acc99b825fdbd6f97b00ad1409e5fb1264388eed1f054f6'
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 4
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 6
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+ type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, OU=Sales, CN=alice@strongswan.org' */
+ 1, X'308204a40201000282010100d88d6a4811e6972dd0daa2adf3c911bf5edd8664607bea67f45427a11af59184f0ab90c46007b8b5aa69fff71ab2ff2d822cd5f4c9ec94cd32ef8f49e73c91ff48e40c48b4fcdbfae4b023d857431865349f15f998ecf50dc65ffe7dc12dc37071788bc6fcf08fdfeda2c6c073a84724ff5193d73c622b1d2f545a1ff9d3ffd0fc62eb7a2be85bae427e3ee8362df0313630641e4cc8f639abd311718c843dad0634cd06cf361f204910cfc9ee48bfea590ae62e6952e8ab70e4bdc75ec51a2a29c6b74c48ee32c65a1e32b27ae330dc4acd1b762c84ea48fb684d3476241e9ae7feb9e38981d85184ae949dfcb8064e6c333a096864ba6c420b0deb18e952fb0203010001028201005877fd918fee9a9897189b1961dd2528ff8294e2f11feeb5a575b3f2f766979aae10094690ccd6c330e9b92ea473b818497433bc9bb9d158bb946eff8c3e8c8eb4a2a5fa1626af6022896b3b78faea3e7e6ef7b54eaa8fba9eee9cb3977630c0013b742f492aa63c9f82be9be5243c5c7b0a42d1cdd37535a91e56eb754f0cd4fdc52d015f22635c84b70fcaca2c8bfc8eda277cd9d6983ee6445224b283ad195fd3143e23b018d765eb4a299b2eac66c95996abbe059bf60058682f8bf371d38660fc2e30a7803e8b316d37ccd68e4b58d5bad1ac29d17d411c7afbf984fa85c5f38f16607dc7b997ffc787e6fd93f9747db30a05f76c561f1439eed701e0d102818100ebd741cb81a87794d6d45c93ec36e028777b055b4e54b8ec6d0c5cf1434137f9877a650632cd6f95e996d193dd754dbfaea7778e566e3f8cefffa0fd399d289a2f1ab9e8ced96c006eeb7a2415fe765bc5f7ea30c94de10ab6b27056b1648327f89cd76c8ba799552b544d50be904568d5e50b8edc3bc0a6425315d270a1cd9f02818100eb10151752f48aa212b02bb4ab588ce0bb47553f78e28f35e41f1195110e3f144e5c968943ca61550813e4f5d19076439f9e5998aaa4017d8ac230508f429f52f989e83f13e8e64e7b4f3fa12c2206b069490b07dc003b9a60d7c93de046c99ad239e370d1a379c1bd5576c98999c17ad19d2eebd29d561f764730e1ab6d85250281810085a14c689128f1c8e6092203b6de4918e4ca51f8b06394fc71b5859c36ad6797fdc9be204afcd8732b0e07e62e9f5ed47393f44c3470f795560f941aa760833709e5acdd5b071b090bd0653eb92f9bc4d86166d309dd14dc4b34c42e7b0926bfa940c5577db213518ce1918564d4be5f6e82ff8f8cfe56645e4451a311aabca502818100ba03b20d11127f9a9e1b579ad37571966ddd97327161285f4734e6df05ee3630c58a337e506d18f5073d6714b8500fa697ebe18f148a50bb9e50e996f6a78c19476bc0a41a075629891f3f8535bd7f799ef7b488f5aa21809b5e67dc555cef315b677ffac98b0a512c9933356d74854dc20f17107b4d12d836eb435d72216b190281804440408c4ca3597067faedf8e603a3cca4c1a5c1b5469b25d860ae08f8844d5055b2ae935a966aff2d78fb9b5118731e012bb06ba435209e6f2adfb040c183a2a0b24558b2b9f225b507e42f83a8e5c27afe65a621671f780ff48bf46b9041342dc6515ec7859a95eed1f3135db7bc6e5490faa44de6155917378f8eac8f8459'
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 4
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 6
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_ALICE', 'PH_IP_SUN'
+);
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ '%any', '%any'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, virtual
+) VALUES (
+ 'nat-t', 1, 4, 5, '0.0.0.0'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, auth_method
+) VALUES (
+ 'shunts', 2, 7, 7, 0
+);
+
+INSERT INTO child_configs (
+ name
+) VALUES (
+ 'nat-t'
+);
+
+INSERT INTO child_configs (
+ name, mode, start_action
+) VALUES (
+ 'local-net', 4, 1
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 2, 2
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 0.0.0.0/0 */
+ 7, X'00000000', X'ffffffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 3, 2
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 2, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 2, 1, 1
+);
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.secrets
index 76bb21bea..76bb21bea 100644
--- a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.secrets
diff --git a/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
index 930b72578..2f01cdcce 100644
--- a/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
@@ -3,8 +3,10 @@
charon {
plugins {
sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/ipsec.d/ipsec.db
}
}
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+
+ keep_alive = 5
}
diff --git a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
index a7fa09213..50eccad21 100644
--- a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
@@ -1,5 +1,3 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-config setup
-
# configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.d/data.sql
index 3a0fe67bf..4e9975912 100644
--- a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.d/data.sql
@@ -20,12 +20,6 @@ INSERT INTO identities (
INSERT INTO identities (
type, data
-) VALUES ( /* moon.strongswan.org */
- 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
- );
-
-INSERT INTO identities (
- type, data
) VALUES ( /* sun.strongswan.org */
2, X'73756e2e7374726f6e677377616e2e6f7267'
);
@@ -36,6 +30,12 @@ INSERT INTO identities (
11, X'56d69e2fdaa8a1cd195c2353e7c5b67096e30bfb'
);
+INSERT INTO identities (
+ type, data
+) VALUES ( /* %any */
+ 0, '%any'
+);
+
/* Certificates */
INSERT INTO certificates (
@@ -71,13 +71,13 @@ INSERT INTO certificate_identity (
INSERT INTO certificate_identity (
certificate, identity
) VALUES (
- 2, 5
+ 2, 4
);
INSERT INTO certificate_identity (
certificate, identity
) VALUES (
- 2, 6
+ 2, 5
);
/* Private Keys */
@@ -91,13 +91,13 @@ INSERT INTO private_keys (
INSERT INTO private_key_identity (
private_key, identity
) VALUES (
- 1, 5
+ 1, 4
);
INSERT INTO private_key_identity (
private_key, identity
) VALUES (
- 1, 6
+ 1, 5
);
/* Configurations */
@@ -105,19 +105,19 @@ INSERT INTO private_key_identity (
INSERT INTO ike_configs (
local, remote
) VALUES (
- 'PH_IP_SUN', 'PH_IP_MOON'
+ 'PH_IP_SUN', '0.0.0.0'
);
INSERT INTO peer_configs (
- name, ike_cfg, local_id, remote_id, mobike, dpd_delay
+ name, ike_cfg, local_id, remote_id, pool
) VALUES (
- 'net-net', 1, 5, 4, 0, 0
+ 'nat-t', 1, 4, 6, 'vips'
);
INSERT INTO child_configs (
name, updown
) VALUES (
- 'net-net', 'ipsec _updown iptables'
+ 'nat-t', 'ipsec _updown iptables'
);
INSERT INTO peer_config_child_config (
@@ -128,25 +128,68 @@ INSERT INTO peer_config_child_config (
INSERT INTO traffic_selectors (
type, start_addr, end_addr
-) VALUES (
- 7, X'0a010000', X'0a01ffff'
+) VALUES ( /* 0.0.0.0/0 */
+ 7, X'00000000', X'ffffffff'
);
INSERT INTO traffic_selectors (
- type, start_addr, end_addr
-) VALUES (
- 7, X'00000000', X'ffffffff'
+ type
+) VALUES ( /* dynamic/32 */
+ 7
);
INSERT INTO child_config_traffic_selector (
child_cfg, traffic_selector, kind
) VALUES (
- 1, 2, 0
+ 1, 1, 0
);
INSERT INTO child_config_traffic_selector (
child_cfg, traffic_selector, kind
) VALUES (
- 1, 1, 1
+ 1, 2, 3
+);
+
+/* Pools */
+
+INSERT INTO pools (
+ name, start, end, timeout
+) VALUES (
+ 'vips', X'0a030001', X'0a030006', 0
);
+INSERT INTO addresses (
+ pool, address
+) VALUES (
+ 1, X'0a030001'
+);
+
+INSERT INTO addresses (
+ pool, address
+) VALUES (
+ 1, X'0a030002'
+);
+
+INSERT INTO addresses (
+ pool, address
+) VALUES (
+ 1, X'0a030003'
+);
+
+INSERT INTO addresses (
+ pool, address
+) VALUES (
+ 1, X'0a030004'
+);
+
+INSERT INTO addresses (
+ pool, address
+) VALUES (
+ 1, X'0a030005'
+);
+
+INSERT INTO addresses (
+ pool, address
+) VALUES (
+ 1, X'0a030006'
+);
diff --git a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.secrets b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.secrets
index 76bb21bea..76bb21bea 100644
--- a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.secrets
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..16e934968
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ attr-sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
+}
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
new file mode 100644
index 000000000..50eccad21
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,3 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.d/data.sql b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..e00d00e34
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.d/data.sql
@@ -0,0 +1,199 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* venus.strongswan.org */
+ 2, X'76656e75732e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* sun.strongswan.org */
+ 2, X'73756e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=venus.strongswan.org' */
+ 11, X'8f5c0a6cb147fc1b51708046e0636c7a54012d67'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* %any */
+ 0, '%any'
+);
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f'
+);
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=venus.strongswan.org */
+ 1, 1, X'3082040f308202f7a003020102020118300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130303532325a170d3134303832363130303532325a3047310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311d301b0603550403131476656e75732e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b3452cb2d9328eebcd929c7fbe66652a90484c9c8699f4df163974d6e538754570cc4df28659463cb3778a32d2b5e1cfde8a546c335de5d1b8795b1af43522a8826593f83eb67292e487506c0eb251fd67207af7f6d56e90eb57ebab0c787054f8ce3a283eebe1146b1920584f516cc88bf8ec3dae936e27059ed27f6f8ba154197cc21577274819f1f1990271ca6cd2f349a1e7b10ddb2ef4a07f473309ff6db19bf16af2b0dd3d5956cd6d3daf75e617dce2578b4c6c993fd89debf5543f41da66c0fd709fe1ce39c452f51f1290ffe45396663acfa9b8ac116e1460ac70b3db6b9836f74997aaba4c4a9b9651a80845998e69ea32777c76e6a6d8c0d7b9430203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604148f5c0a6cb147fc1b51708046e0636c7a54012d67306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d1104183016821476656e75732e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b05000382010100ae4f8bf839636df8b4471315613455d83870ac487d945ec0538e648d73fd159fce8a8f67a6330f5e41d6da0a66b006b2aca1749e3243f070c49a5d80d0ac70c7a593332e6dc2d72fd42e80f4b8873e0c2e4251dad0c2640fe61544c46c043074d482c52a3f974bd9e4a5d483dcb9cd98425a96621c90579f3ff9ebbc272b5e89df1f5362d761e2c4fecbed2f1e0be8b14b36b2b45390ad960c3c6587d5d3721ec3672acbba245116b5a373acbd4e1547fea40d5f0101ab6b7d5188d0515cb1efb81542688bacf53b5232f8201a19981355fd5275d3eae61a3d5e1b59c3a60abaa014eb6c4b2ff08c7bcbf33389307c3ce8f774a8e5d9466645507031b9cda989'
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 4
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 6
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+ type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=venus.strongswan.org' */
+ 1, X'308204a20201000282010100b3452cb2d9328eebcd929c7fbe66652a90484c9c8699f4df163974d6e538754570cc4df28659463cb3778a32d2b5e1cfde8a546c335de5d1b8795b1af43522a8826593f83eb67292e487506c0eb251fd67207af7f6d56e90eb57ebab0c787054f8ce3a283eebe1146b1920584f516cc88bf8ec3dae936e27059ed27f6f8ba154197cc21577274819f1f1990271ca6cd2f349a1e7b10ddb2ef4a07f473309ff6db19bf16af2b0dd3d5956cd6d3daf75e617dce2578b4c6c993fd89debf5543f41da66c0fd709fe1ce39c452f51f1290ffe45396663acfa9b8ac116e1460ac70b3db6b9836f74997aaba4c4a9b9651a80845998e69ea32777c76e6a6d8c0d7b9430203010001028201002f45f48d8d1cf9f7509472d474df079a7bc5b4fe29b87b8c408e123380eaac720d56b2cf5b823b355296194961ab38cada025c54d40ed4c5c301ad76a42346ea6cc86086bbf2dcafc3b7b30b6bacb6563e55a057b72d7d24960aef4881d758b7ef8c6265ae82012ea3375302369860395a3fdffc3c0700ab259e461ff8c83758469107b2178f13fb996880c7d71810ef6bfc2ace9f9f3dec4d82ba74965f67610c512d82b1d6ea617f97ec248b90cec556cf8ed31173d34005ef1c9f203f513fe9d21a43e7cbad3f3b9564a8eddd0b5a570acdda017953501b0fd1a1d61c51d72087c903de5f432d15ee0a83c571d13d122794574445891e6cce1272d9dfc58102818100eaf147f15cdcf46f7d2c86465f611f3837f027ad93cc33ce82ab9b50ca5046ac9d4f103d19a3c62b2a05ec61182b72bcb238bfb87d6a7288144b8eaf5cd72f9b9c5eec1e4e3e07d32c5ead7cc695781bc0e8f7c63a2af1ab3beb1434e9f837489ce38ef4ac2f5542cabd6b487a14884f5d848ca5cfc6730287fbd33769e0836102818100c3568067b881ace3d24c57f74beacc804312bf7b39efc61383a86568d7c3bd3102f734040e0ee4e0cc5f7d1c8128baa274b525659adc4eccdd3b6e5ce7ac3bc6317070bc25159b9aa2e9459fe38defbfdeb9db420231a39e6c5442eaeece6a21f18c8bcc1074a041b39b8bb8e812b7fce0c8cd0c6964bd0c5144d79622dfa323028180392b0af17d423aac624e12424f75278e9b75f181b824093b27eaaff961b154f12dba0e5e7fbdad3bd596e964dae7bf9c90d56439753310b9720ecca27939d758cb1d01e181f2701eff7dee431d63437da55c4ae64e4322d922d459ef623b46e0816491e5917c5707d0a374d686f63610f1d58e0fced620282e84a569a776bd2102818062d907297588c980900eea04ce7a06fa70f6afc71fce6221c5e2154f34c06ca0bcab73bb099227e84a039840306bf7e5f5c12527817232be20c5ce575d351f1a7032421a3379f7c00ce896bf0e5be912e3169209992a9d6db1cc0200f8cfa38d81ba6993de4fe638d936c141d4ce8424876b95b7ce2d982cff8322c56ae8589902818050666db5164e14c675a5a10ab49cef6dfedb60d92a5b588863901500df38838004277f75d161f15e1efeb855b2054e1f532d10824f478a14916df9eada5bf034d59478c426b7cb755a91065034fa147e0ba030f77ef1db9b1634cb94016c3bda9647887ba112756d6e84bcf10b309165290036d31f89508abd038e063c5b7dea'
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 4
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 6
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_VENUS', 'PH_IP_SUN'
+);
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ '%any', '%any'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, virtual
+) VALUES (
+ 'nat-t', 1, 4, 5, '0.0.0.0'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, auth_method
+) VALUES (
+ 'shunts', 2, 7, 7, 0
+);
+
+INSERT INTO child_configs (
+ name
+) VALUES (
+ 'nat-t'
+);
+
+INSERT INTO child_configs (
+ name, mode, start_action
+) VALUES (
+ 'local-net', 4, 1
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 2, 2
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 0.0.0.0/0 */
+ 7, X'00000000', X'ffffffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 3, 2
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 2, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 2, 1, 1
+);
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.secrets b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
index b3a7bc0de..2f01cdcce 100644
--- a/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
@@ -3,9 +3,10 @@
charon {
plugins {
sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/ipsec.d/ipsec.db
}
}
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
- install_routes = no
+
+ keep_alive = 5
}
diff --git a/testing/tests/sql/shunt-policies-nat-rw/posttest.dat b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat
new file mode 100644
index 000000000..f410dd776
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat
@@ -0,0 +1,8 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+sun::iptables-restore < /etc/iptables.flush
+alice::rm /etc/ipsec.d/ipsec.*
+venus::rm /etc/ipsec.d/ipsec.*
+sun::rm /etc/ipsec.d/ipsec.*
+moon::iptables -t nat -F \ No newline at end of file
diff --git a/testing/tests/sql/shunt-policies-nat-rw/pretest.dat b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat
new file mode 100644
index 000000000..0314e7ad1
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat
@@ -0,0 +1,20 @@
+alice::rm /etc/ipsec.d/cacerts/*
+venus::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+alice::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+venus::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+alice::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+venus::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::expect-connection nat-t
+venus::expect-connection nat-t
+sun::expect-connection nat-t
+alice::ipsec up nat-t
+venus::ipsec up nat-t \ No newline at end of file
diff --git a/testing/tests/sql/shunt-policies-nat-rw/test.conf b/testing/tests/sql/shunt-policies-nat-rw/test.conf
new file mode 100644
index 000000000..bd82f03ad
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/sql/shunt-policies/description.txt b/testing/tests/sql/shunt-policies/description.txt
deleted file mode 100644
index 269e7957c..000000000
--- a/testing/tests/sql/shunt-policies/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-All traffic from the clients <b>alice</b> and <b>venus</b> is tunneled
-by default gateway <b>moon</b> to VPN gateway <b>sun</b>. In order to
-prevent local traffic within the <b>10.1.0.0/16</b> subnet to enter the
-tunnel, a <b>local-net</b> shunt policy with <b>type=pass</b> is set up.
-In order for the shunt to work, automatic route insertion must be disabled
-by adding <b>install_routes = no</b> to the charon section of <b>strongswan.conf</b>.
-<p/>
-In order to demonstrate the use of <b>type=drop</b> shunt policies, the
-<b>venus-icmp</b> connection prevents ICMP traffic to and from <b>venus</b>
-to use the IPsec tunnel by dropping such packets. Thanks to the <b>local-net</b>
-pass shunt, <b>venus</b> and <b>moon</b> can still ping each other, though.
diff --git a/testing/tests/sql/shunt-policies/evaltest.dat b/testing/tests/sql/shunt-policies/evaltest.dat
deleted file mode 100644
index 51dd9610b..000000000
--- a/testing/tests/sql/shunt-policies/evaltest.dat
+++ /dev/null
@@ -1,20 +0,0 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::local-net.*PASS::YES
-moon:: ipsec status 2> /dev/null::venus-icmp.*DROP::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO
-venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
-moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
-moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-bob:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
-bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-venus::ssh PH_IP_BOB hostname::bob::YES
-bob::ssh PH_IP_VENUS hostname::venus::YES
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.d/data.sql
deleted file mode 100644
index 4ece72ca1..000000000
--- a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.d/data.sql
+++ /dev/null
@@ -1,227 +0,0 @@
-/* Identities */
-
-INSERT INTO identities (
- type, data
-) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
- 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
- );
-
-INSERT INTO identities (
- type, data
-) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
- 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
- );
-
-INSERT INTO identities (
- type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
- 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
- );
-
-INSERT INTO identities (
- type, data
-) VALUES ( /* moon.strongswan.org */
- 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
- );
-
-INSERT INTO identities (
- type, data
-) VALUES ( /* sun.strongswan.org */
- 2, X'73756e2e7374726f6e677377616e2e6f7267'
- );
-
-INSERT INTO identities (
- type, data
-) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
- 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
- );
-
-INSERT INTO identities (
- type, data
-) VALUES ( /* %any */
- 0, '%any'
-);
-
-/* Certificates */
-
-INSERT INTO certificates (
- type, keytype, data
-) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
- 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f'
-);
-
-INSERT INTO certificates (
- type, keytype, data
-) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
- 1, 1, X'308204223082030aa003020102020117300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130303333325a170d3134303832363130303333325a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001a382011a3082011630090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604146a9c74d1f8897989f65a94e989f1fac3649d292e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730130603551d25040c300a06082b0601050507030130390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101009cb57836c5e328cda4d58e204bd4ff0c63db841f926d53411c790d516c8e7fdaf191767102343f68003639bda99a684d8c76ad9087fbe55e730ba378a2e442e3b1095875361939c30e75c5145d8bdb6c55f5730a64061c819751f6e4aa6d1dc810fc79dc78aa7790ebaac183988e0c1e3d7ba5729597c7413642d40215041914fc8459e349c47d28825839dd03d77c763d236fc6ba48f95746f3a7b304d06b3c29d9d87666db0eacd080fb2d6bdebf9be1e8265b2b545fb81aa8a18fa056301436c9b8cf599746de81fddb9704f2feb4472f7c0f467fb7281b014167879a0ebda7fae36a5a5607376a803bec8f14f94663102c484a8887ba5b58ed04ee7cec0f'
-);
-
-INSERT INTO certificate_identity (
- certificate, identity
-) VALUES (
- 1, 1
-);
-
-INSERT INTO certificate_identity (
- certificate, identity
-) VALUES (
- 1, 2
-);
-
-INSERT INTO certificate_identity (
- certificate, identity
-) VALUES (
- 1, 3
-);
-
-INSERT INTO certificate_identity (
- certificate, identity
-) VALUES (
- 2, 4
-);
-
-INSERT INTO certificate_identity (
- certificate, identity
-) VALUES (
- 2, 6
-);
-
-/* Private Keys */
-
-INSERT INTO private_keys (
- type, data
-) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
- 1, X'308204a30201000282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c287020301000102820100204507f5ea6a3bfa7db9fd2baa71af3d36b97c0699a71702d5480e83f37a35a65d2e10038975ec7ac90e67a54a785e9432abcbc9e7607913ad3cfb9a7d304381c35b2f3aa3fa242541bf4ca44b77a6dfefd69142aaa886a777890907938dc6cb3b971fea068a854a1747dc0020d6c38c1f8cbec530d747099e01cfd0eb1ceff2b077bd07aaef4989b75594614b16a778891a2e490369d2a9571ddf5cd165331638a8a3c96184a8259eb588caab3bbfab9c0f77b66c830ecf0f294dc1b67a5f36b75e3e095e247864f19ab212fdbf34e0925316ca13c342b4ba464ecf93d2a8e39eee24dd63dddd938101a9f4b8f0de90765e1c1fda5c62e161cc712794aeaea102818100f85d60a6990447926da1ab9db7f094a5d435b11f70c5fef9541a89e05898001190cfdc651b8a23ccbfe8e7bdacd225776f01699d06be5ae5abc4690fe99b81fd9f369e973437fbcba2efdbe1dc6f8389fb2be78e3847f4f05323b2c7b6b6a4c85ca0aa72642747434f4358f0baf10ab173f9c3f24e9674570179dde23c6c248d02818100d06693eb5c92b6d516f630b79b1b98ea3910cbc4c442a4779ce16f5b09825c858ea4dfcc4d33eeb3e4de971a7fa5d2a153e9a83e65f7527ca77b93efc257960eadd8ce5b57e590d9189e542652ae3677c623343a39c1d16dbef3069406eaa4913eeba06e0a3af3c8539dbd4be7d9caf3ccd654ae397ae7faa72ba823e4b0206302818100ef2bc4f249f28415ef7b3bafd33d5b7861e61e9e7f543c18d0340a4840288810625ab90ba8bc9b8305dffca27c75965cf049f4f1a157d862c9c987bf2a2075cacdf2a44049aa0bd16b23fea3ff4a67ea8d351774aea024b0f5ef2fb00134db749336a94d254369edd8bbab3f8f56a60c82f9a807844480de746e6e0cfa50cdd50281807b32d8e93fadc00612eff176e96c14270b1b41cb0dd6f3d17e5dcaedbf9e6041d844e1c4ae33303f0ae307e2f3693d2e8023d68124d863dc2b4aa3f70e25a7210066f5ff0be43b900bbcb5b47e165d3ecb544e70c96a29fbbdf17f870cdbb3f3e585782ef53f4a94b7d1bd715d1be49de20f26ba6462a3370b928470cba5cf4f028180324ffacf705e6746f741d24ff6aa0bb14aad55cba41eb7758e6cc0d51f40feac6b4a459ce374af424287f602b0614520079b436b8e90cde0ddff679304e9efdd74a2ffbfe6e4e1bd1236c360413f2d2656e00b3e3cb217567671bf73a722a222e5e85d109fe2c77caf5951f5b9f4171c744afa717fe7e9306488e6ab87341298'
-);
-
-INSERT INTO private_key_identity (
- private_key, identity
-) VALUES (
- 1, 4
-);
-
-INSERT INTO private_key_identity (
- private_key, identity
-) VALUES (
- 1, 6
-);
-
-/* Configurations */
-
-INSERT INTO ike_configs (
- local, remote
-) VALUES (
- 'PH_IP_MOON', 'PH_IP_SUN'
-);
-
-INSERT INTO ike_configs (
- local, remote
-) VALUES (
- '%any', '%any'
-);
-
-INSERT INTO peer_configs (
- name, ike_cfg, local_id, remote_id, mobike, dpd_delay
-) VALUES (
- 'net-net', 1, 4, 5, 0, 0
-);
-
-INSERT INTO peer_configs (
- name, ike_cfg, local_id, remote_id, auth_method, mobike, dpd_delay
-) VALUES (
- 'shunts', 2, 7, 7, 0, 0, 0
-);
-INSERT INTO child_configs (
- name, updown, hostaccess
-) VALUES (
- 'net-net', 'ipsec _updown iptables', 1
-);
-
-INSERT INTO child_configs (
- name, mode, start_action
-) VALUES (
- 'local-net', 4, 1
-);
-
-INSERT INTO child_configs (
- name, mode, start_action
-) VALUES (
- 'venus-icmp', 5, 1
-);
-
-INSERT INTO peer_config_child_config (
- peer_cfg, child_cfg
-) VALUES (
- 1, 1
-);
-
-INSERT INTO peer_config_child_config (
- peer_cfg, child_cfg
-) VALUES (
- 2, 2
-);
-
-INSERT INTO peer_config_child_config (
- peer_cfg, child_cfg
-) VALUES (
- 2, 3
-);
-INSERT INTO traffic_selectors (
- type, start_addr, end_addr
-) VALUES (
- 7, X'0a010000', X'0a01ffff'
-);
-
-INSERT INTO traffic_selectors (
- type, start_addr, end_addr
-) VALUES (
- 7, X'00000000', X'ffffffff'
-);
-
-INSERT INTO traffic_selectors (
- type, start_addr, end_addr, protocol
-) VALUES (
- 7, X'0a010014', X'0a010014', 1
-);
-
-INSERT INTO traffic_selectors (
- type, start_addr, end_addr, protocol
-) VALUES (
- 7, X'00000000', X'ffffffff', 1
-);
-
-INSERT INTO child_config_traffic_selector (
- child_cfg, traffic_selector, kind
-) VALUES (
- 1, 1, 0
-);
-
-INSERT INTO child_config_traffic_selector (
- child_cfg, traffic_selector, kind
-) VALUES (
- 1, 2, 1
-);
-
-INSERT INTO child_config_traffic_selector (
- child_cfg, traffic_selector, kind
-) VALUES (
- 2, 1, 0
-);
-
-INSERT INTO child_config_traffic_selector (
- child_cfg, traffic_selector, kind
-) VALUES (
- 2, 1, 1
-);
-
-INSERT INTO child_config_traffic_selector (
- child_cfg, traffic_selector, kind
-) VALUES (
- 3, 3, 0
-);
-
-INSERT INTO child_config_traffic_selector (
- child_cfg, traffic_selector, kind
-) VALUES (
- 3, 4, 1
-);
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules
deleted file mode 100644
index af0f25209..000000000
--- a/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-# allow icmp in local net
--A INPUT -i eth1 -p icmp -j ACCEPT
--A OUTPUT -o eth1 -p icmp -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/sql/shunt-policies/posttest.dat b/testing/tests/sql/shunt-policies/posttest.dat
deleted file mode 100644
index 329a572b2..000000000
--- a/testing/tests/sql/shunt-policies/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
-sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/shunt-policies/pretest.dat b/testing/tests/sql/shunt-policies/pretest.dat
deleted file mode 100644
index b62da613c..000000000
--- a/testing/tests/sql/shunt-policies/pretest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::sleep 1
-moon::ipsec up net-net
diff --git a/testing/tests/swanctl/ip-pool-db/description.txt b/testing/tests/swanctl/ip-pool-db/description.txt
new file mode 100755
index 000000000..9774e573b
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual IP
+addresses from a pool named <b>bigpool</b> that was created in an SQL database by the command
+<b>ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0</b>.
+<p>
+The updown script automatically inserts iptables-based firewall rules that let pass the
+tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the client
+<b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two pings will be the
+virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/swanctl/ip-pool-db/evaltest.dat b/testing/tests/swanctl/ip-pool-db/evaltest.dat
new file mode 100755
index 000000000..f76c35689
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/evaltest.dat
@@ -0,0 +1,23 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
+moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES
+moon:: ipsec pool --leases --filter pool=big_pool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=big_pool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_req=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..8f87a52e9
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ dh_exponent_ansi_x9_42 = no
+
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default resolve updown vici
+}
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0bb341486
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..8f87a52e9
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ dh_exponent_ansi_x9_42 = no
+
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default resolve updown vici
+}
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..24d2f8645
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..2f632288d
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,21 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ dh_exponent_ansi_x9_42 = no
+
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown sqlite attr-sql vici
+
+ plugins {
+ attr-sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+}
+
+pool {
+ load = sqlite
+}
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..d05dea005
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,31 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+ pools = big_pool
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
diff --git a/testing/tests/swanctl/ip-pool-db/posttest.dat b/testing/tests/swanctl/ip-pool-db/posttest.dat
new file mode 100755
index 000000000..2644b3941
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/posttest.dat
@@ -0,0 +1,11 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ipsec pool --del big_pool 2> /dev/null
+moon::ipsec pool --del dns 2> /dev/null
+moon::ipsec pool --del nbns 2> /dev/null
diff --git a/testing/tests/swanctl/ip-pool-db/pretest.dat b/testing/tests/swanctl/ip-pool-db/pretest.dat
new file mode 100755
index 000000000..0607f6715
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/pretest.dat
@@ -0,0 +1,21 @@
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --add big_pool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::sleep 1
+moon::swanctl --load-conns 2> /dev/null
+carol::swanctl --load-conns 2> /dev/null
+dave::swanctl --load-conns 2> /dev/null
+moon::swanctl --load-creds 2> /dev/null
+carol::swanctl --load-creds 2> /dev/null
+dave::swanctl --load-creds 2> /dev/null
+carol::swanctl --initiate --child home 2> /dev/null
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/ip-pool-db/test.conf b/testing/tests/swanctl/ip-pool-db/test.conf
new file mode 100755
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/swanctl/ip-pool/description.txt b/testing/tests/swanctl/ip-pool/description.txt
new file mode 100755
index 000000000..23cab8e8f
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
+IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
+increasing order.
+<p>
+<b>The updown script automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
+the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
+pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/swanctl/ip-pool/evaltest.dat b/testing/tests/swanctl/ip-pool/evaltest.dat
new file mode 100755
index 000000000..a16ed01a6
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool/evaltest.dat
@@ -0,0 +1,15 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
+moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_req=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..75f18475c
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0bb341486
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
diff --git a/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..75f18475c
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..24d2f8645
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
diff --git a/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..75f18475c
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..aa31d0f26
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,37 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+ pools = rw_pool
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
+
+pools {
+ rw_pool {
+ addrs = 10.3.0.0/28
+ }
+}
diff --git a/testing/tests/swanctl/ip-pool/posttest.dat b/testing/tests/swanctl/ip-pool/posttest.dat
new file mode 100755
index 000000000..d7107ccc6
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/ip-pool/pretest.dat b/testing/tests/swanctl/ip-pool/pretest.dat
new file mode 100755
index 000000000..d1afdf0be
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool/pretest.dat
@@ -0,0 +1,15 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::swanctl --load-conns 2> /dev/null
+carol::swanctl --load-conns 2> /dev/null
+dave::swanctl --load-conns 2> /dev/null
+moon::swanctl --load-creds 2> /dev/null
+carol::swanctl --load-creds 2> /dev/null
+dave::swanctl --load-creds 2> /dev/null
+moon::swanctl --load-pools 2> /dev/null
+carol::swanctl --initiate --child home 2> /dev/null
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/ip-pool/test.conf b/testing/tests/swanctl/ip-pool/test.conf
new file mode 100755
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/swanctl/net2net-cert/description.txt b/testing/tests/swanctl/net2net-cert/description.txt
new file mode 100755
index 000000000..345769a5f
--- /dev/null
+++ b/testing/tests/swanctl/net2net-cert/description.txt
@@ -0,0 +1,6 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b>. Upon the successful
+establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/swanctl/net2net-cert/evaltest.dat b/testing/tests/swanctl/net2net-cert/evaltest.dat
new file mode 100755
index 000000000..cdbecd553
--- /dev/null
+++ b/testing/tests/swanctl/net2net-cert/evaltest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..75f18475c
--- /dev/null
+++ b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..2f0fd9da1
--- /dev/null
+++ b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ mobike = no
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
diff --git a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..75f18475c
--- /dev/null
+++ b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e4c855621
--- /dev/null
+++ b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ mobike = no
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
diff --git a/testing/tests/swanctl/net2net-cert/posttest.dat b/testing/tests/swanctl/net2net-cert/posttest.dat
new file mode 100755
index 000000000..30d10b555
--- /dev/null
+++ b/testing/tests/swanctl/net2net-cert/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::service charon stop 2> /dev/null
+sun::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/net2net-cert/pretest.dat b/testing/tests/swanctl/net2net-cert/pretest.dat
new file mode 100755
index 000000000..2c4ba6ca2
--- /dev/null
+++ b/testing/tests/swanctl/net2net-cert/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::service charon start 2> /dev/null
+sun::service charon start 2> /dev/null
+moon::swanctl --load-conns 2> /dev/null
+sun::swanctl --load-conns 2> /dev/null
+moon::swanctl --load-creds 2> /dev/null
+sun::swanctl --load-creds 2> /dev/null
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/sql/shunt-policies/test.conf b/testing/tests/swanctl/net2net-cert/test.conf
index 646b8b3e6..646b8b3e6 100644..100755
--- a/testing/tests/sql/shunt-policies/test.conf
+++ b/testing/tests/swanctl/net2net-cert/test.conf
diff --git a/testing/tests/swanctl/net2net-route/description.txt b/testing/tests/swanctl/net2net-route/description.txt
new file mode 100755
index 000000000..20640ef85
--- /dev/null
+++ b/testing/tests/swanctl/net2net-route/description.txt
@@ -0,0 +1,9 @@
+A tunnel that will connect the subnets behind the gateways <b>moon</b>
+and <b>sun</b>, respectively, is preconfigured by installing a %trap eroute
+on gateway <b>moon</b> by means of the setting <b>auto=route</b> in ipsec.conf.
+A subsequent ping issued by client <b>alice</b> behind gateway <b>moon</b> to
+<b>bob</b> located behind gateway <b>sun</b> triggers the %trap eroute and
+leads to the automatic establishment of the subnet-to-subnet tunnel.
+<p>
+The updown script automatically inserts iptables-based firewall rules
+that let pass the tunneled traffic.
diff --git a/testing/tests/swanctl/net2net-route/evaltest.dat b/testing/tests/swanctl/net2net-route/evaltest.dat
new file mode 100755
index 000000000..04df90bea
--- /dev/null
+++ b/testing/tests/swanctl/net2net-route/evaltest.dat
@@ -0,0 +1,7 @@
+moon::swanctl --list-pols --raw 2> /dev/null::net-net.*mode=TUNNEL local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+moon::cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8] === 10.2.0.10/32\[icmp/8]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..75f18475c
--- /dev/null
+++ b/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..1dfcfd179
--- /dev/null
+++ b/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ start_action = trap
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ mobike = no
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
diff --git a/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..75f18475c
--- /dev/null
+++ b/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e4c855621
--- /dev/null
+++ b/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ mobike = no
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
diff --git a/testing/tests/swanctl/net2net-route/posttest.dat b/testing/tests/swanctl/net2net-route/posttest.dat
new file mode 100755
index 000000000..30d10b555
--- /dev/null
+++ b/testing/tests/swanctl/net2net-route/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::service charon stop 2> /dev/null
+sun::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/net2net-route/pretest.dat b/testing/tests/swanctl/net2net-route/pretest.dat
new file mode 100755
index 000000000..61e33fa24
--- /dev/null
+++ b/testing/tests/swanctl/net2net-route/pretest.dat
@@ -0,0 +1,9 @@
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+sun::service charon start 2> /dev/null
+moon::service charon start 2> /dev/null
+sun::swanctl --load-creds 2> /dev/null
+moon::swanctl --load-creds 2> /dev/null
+sun::swanctl --load-conns 2> /dev/null
+moon::swanctl --load-conns 2> /dev/null
+alice::ping -c 3 10.2.0.10
diff --git a/testing/tests/ikev2/shunt-policies/test.conf b/testing/tests/swanctl/net2net-route/test.conf
index 6b7432ca6..646b8b3e6 100644..100755
--- a/testing/tests/ikev2/shunt-policies/test.conf
+++ b/testing/tests/swanctl/net2net-route/test.conf
@@ -9,7 +9,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
-DIAGRAM="a-v-m-w-s-b.png"
+DIAGRAM="a-m-w-s-b.png"
# Guest instances on which tcpdump is to be started
#
diff --git a/testing/tests/swanctl/net2net-start/description.txt b/testing/tests/swanctl/net2net-start/description.txt
new file mode 100755
index 000000000..9c67ed605
--- /dev/null
+++ b/testing/tests/swanctl/net2net-start/description.txt
@@ -0,0 +1,6 @@
+A tunnel connecting the subnets behind the gateways <b>moon</b> and <b>sun</b>,
+respectively, is automatically established by means of the setting
+<b>auto=start</b> in ipsec.conf. The connection is tested by client <b>alice</b>
+behind gateway <b>moon</b> pinging the client <b>bob</b> located behind
+gateway <b>sun</b>. The updown script automatically inserts iptables-based
+firewall rules that let pass the tunneled traffic.
diff --git a/testing/tests/swanctl/net2net-start/evaltest.dat b/testing/tests/swanctl/net2net-start/evaltest.dat
new file mode 100755
index 000000000..cdbecd553
--- /dev/null
+++ b/testing/tests/swanctl/net2net-start/evaltest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..75f18475c
--- /dev/null
+++ b/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..6770f6ab7
--- /dev/null
+++ b/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ start_action = start
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ mobike = no
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
diff --git a/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..75f18475c
--- /dev/null
+++ b/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e4c855621
--- /dev/null
+++ b/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ mobike = no
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
diff --git a/testing/tests/swanctl/net2net-start/posttest.dat b/testing/tests/swanctl/net2net-start/posttest.dat
new file mode 100755
index 000000000..30d10b555
--- /dev/null
+++ b/testing/tests/swanctl/net2net-start/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::service charon stop 2> /dev/null
+sun::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/net2net-start/pretest.dat b/testing/tests/swanctl/net2net-start/pretest.dat
new file mode 100755
index 000000000..0560092c5
--- /dev/null
+++ b/testing/tests/swanctl/net2net-start/pretest.dat
@@ -0,0 +1,9 @@
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+sun::service charon start 2> /dev/null
+moon::service charon start 2> /dev/null
+sun::swanctl --load-creds 2> /dev/null
+moon::swanctl --load-creds 2> /dev/null
+sun::swanctl --load-conns 2> /dev/null
+moon::swanctl --load-conns 2> /dev/null
+moon::sleep 1
diff --git a/testing/tests/pfkey/shunt-policies/test.conf b/testing/tests/swanctl/net2net-start/test.conf
index 6b7432ca6..646b8b3e6 100644..100755
--- a/testing/tests/pfkey/shunt-policies/test.conf
+++ b/testing/tests/swanctl/net2net-start/test.conf
@@ -9,7 +9,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
-DIAGRAM="a-v-m-w-s-b.png"
+DIAGRAM="a-m-w-s-b.png"
# Guest instances on which tcpdump is to be started
#
diff --git a/testing/tests/swanctl/rw-cert/description.txt b/testing/tests/swanctl/rw-cert/description.txt
new file mode 100755
index 000000000..6af7a39ae
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, the updown script
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/swanctl/rw-cert/evaltest.dat b/testing/tests/swanctl/rw-cert/evaltest.dat
new file mode 100755
index 000000000..bb5e08bf4
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert/evaltest.dat
@@ -0,0 +1,10 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..75f18475c
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0ba243300
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
diff --git a/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..75f18475c
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..a3420a479
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
diff --git a/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..75f18475c
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..861d65ab6
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
diff --git a/testing/tests/swanctl/rw-cert/posttest.dat b/testing/tests/swanctl/rw-cert/posttest.dat
new file mode 100755
index 000000000..d7107ccc6
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-cert/pretest.dat b/testing/tests/swanctl/rw-cert/pretest.dat
new file mode 100755
index 000000000..3fdf01d81
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::swanctl --load-conns 2> /dev/null
+carol::swanctl --load-conns 2> /dev/null
+dave::swanctl --load-conns 2> /dev/null
+moon::swanctl --load-creds 2> /dev/null
+carol::swanctl --load-creds 2> /dev/null
+dave::swanctl --load-creds 2> /dev/null
+carol::swanctl --initiate --child home 2> /dev/null
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-cert/test.conf b/testing/tests/swanctl/rw-cert/test.conf
new file mode 100755
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/swanctl/rw-psk-fqdn/description.txt b/testing/tests/swanctl/rw-psk-fqdn/description.txt
new file mode 100755
index 000000000..47f6968ae
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-fqdn/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
+and <b>Fully Qualified Domain Names</b>. Upon the successful establishment of the IPsec tunnels,
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
+let pass the tunneled traffic. In order to test both tunnel and firewall, both
+<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat b/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat
new file mode 100755
index 000000000..bb5e08bf4
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat
@@ -0,0 +1,10 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..772f18a3b
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..c113620b3
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,41 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
+
+secrets {
+
+ ike-moon {
+ id = moon.strongswan.org
+ # hex value equal to base64 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ secret = 0x16964066a10de938bdb2ab7864fe4459cab1
+ }
+}
+
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..772f18a3b
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..928fd04c0
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,39 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
+
+secrets {
+
+ ike-moon {
+ id = moon.strongswan.org
+ secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+ }
+}
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..772f18a3b
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..8cae3e820
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,41 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
+
+secrets {
+
+ ike-carol {
+ id = carol@strongswan.org
+ secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ }
+ ike-dave {
+ id = dave@strongswan.org
+ secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+ }
+}
diff --git a/testing/tests/swanctl/rw-psk-fqdn/posttest.dat b/testing/tests/swanctl/rw-psk-fqdn/posttest.dat
new file mode 100755
index 000000000..d7107ccc6
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-fqdn/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-psk-fqdn/pretest.dat b/testing/tests/swanctl/rw-psk-fqdn/pretest.dat
new file mode 100755
index 000000000..2018f5d95
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-fqdn/pretest.dat
@@ -0,0 +1,17 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::swanctl --load-conns 2> /dev/null
+carol::swanctl --load-conns 2> /dev/null
+dave::swanctl --load-conns 2> /dev/null
+moon::swanctl --load-creds 2> /dev/null
+carol::swanctl --load-creds 2> /dev/null
+dave::swanctl --load-creds 2> /dev/null
+carol::swanctl --initiate --child home 2> /dev/null
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-psk-fqdn/test.conf b/testing/tests/swanctl/rw-psk-fqdn/test.conf
new file mode 100755
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-fqdn/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/swanctl/rw-psk-ipv4/description.txt b/testing/tests/swanctl/rw-psk-ipv4/description.txt
new file mode 100755
index 000000000..b4aaa6a6a
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
+and <b>IPv4</b> addresses. Upon the successful establishment of the IPsec tunnels,
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
+let pass the tunneled traffic. In order to test both tunnel and firewall, both
+<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat b/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat
new file mode 100755
index 000000000..142e88e61
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat
@@ -0,0 +1,10 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=192.168.0.100 remote-host=192.168.0.1 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=192.168.0.200 remote-host=192.168.0.1 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=192.168.0.1 remote-host=192.168.0.100 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=192.168.0.1 remote-host=192.168.0.200 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..772f18a3b
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bd00fc32c
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = 192.168.0.100
+ }
+ remote {
+ auth = psk
+ id = 192.168.0.1
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
+
+secrets {
+
+ ike-moon {
+ id = 192.168.0.1
+ secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ }
+}
+
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..772f18a3b
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b30790b46
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,39 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = 192.168.0.200
+ }
+ remote {
+ auth = psk
+ id = 192.168.0.1
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
+
+secrets {
+
+ ike-moon {
+ id = 192.168.0.1
+ secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+ }
+}
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..772f18a3b
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..098b3c0ab
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
+
+secrets {
+
+ ike-carol {
+ id = 192.168.0.100
+ secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ }
+ ike-dave {
+ id = 192.168.0.200
+ secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+ }
+}
diff --git a/testing/tests/swanctl/rw-psk-ipv4/posttest.dat b/testing/tests/swanctl/rw-psk-ipv4/posttest.dat
new file mode 100755
index 000000000..d7107ccc6
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-psk-ipv4/pretest.dat b/testing/tests/swanctl/rw-psk-ipv4/pretest.dat
new file mode 100755
index 000000000..2018f5d95
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/pretest.dat
@@ -0,0 +1,17 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::swanctl --load-conns 2> /dev/null
+carol::swanctl --load-conns 2> /dev/null
+dave::swanctl --load-conns 2> /dev/null
+moon::swanctl --load-creds 2> /dev/null
+carol::swanctl --load-creds 2> /dev/null
+dave::swanctl --load-creds 2> /dev/null
+carol::swanctl --initiate --child home 2> /dev/null
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-psk-ipv4/test.conf b/testing/tests/swanctl/rw-psk-ipv4/test.conf
new file mode 100755
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
index 73646f8db..2f104f53a 100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,12 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
multiple_authentication=no
+
+ plugins {
+ eap-tnc {
+ protocol = tnccs-1.1
+ }
+ }
}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
index 73646f8db..2f104f53a 100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,12 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
multiple_authentication=no
+
+ plugins {
+ eap-tnc {
+ protocol = tnccs-1.1
+ }
+ }
}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
index 3975f09a9..51425ac98 100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
@@ -2,12 +2,18 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
- multiple_authentication=no
+
+ multiple_authentication = no
+
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
+ phase2_tnc_method = tnc
+ }
+ eap-tnc {
+ protocol = tnccs-1.1
}
}
}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
index 4cc205cf7..4c770388d 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
@@ -2,7 +2,14 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
multiple_authentication=no
+
+ plugins {
+ eap-tnc {
+ protocol = tnccs-1.1
+ }
+ }
}
libimcv {
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
index ac469590c..df385d55b 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
@@ -2,7 +2,14 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
multiple_authentication=no
+
+ plugins {
+ eap-tnc {
+ protocol = tnccs-1.1
+ }
+ }
}
libimcv {
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql
index 2bb7e7924..8b36df5e3 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql
@@ -3,7 +3,7 @@
INSERT INTO devices ( /* 1 */
value, product, created
) VALUES (
- 'aabbccddeeff11223344556677889900', 28, 1372330615
+ 'aabbccddeeff11223344556677889900', 42, 1372330615
);
/* Groups Members */
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
index 56c6b9f57..4eeff496c 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
@@ -2,7 +2,14 @@
charon {
load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
multiple_authentication=no
+
+ plugins {
+ eap-tnc {
+ protocol = tnccs-1.1
+ }
+ }
}
libimcv {
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
index 145ad9d2d..7c27dbd71 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
@@ -2,7 +2,14 @@
charon {
load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
multiple_authentication=no
+
+ plugins {
+ eap-tnc {
+ protocol = tnccs-1.1
+ }
+ }
}
libimcv {
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
index 4cc205cf7..4c770388d 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
@@ -2,7 +2,14 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
multiple_authentication=no
+
+ plugins {
+ eap-tnc {
+ protocol = tnccs-1.1
+ }
+ }
}
libimcv {
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
index 5dbee558f..5424f4ca2 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
@@ -2,7 +2,14 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
multiple_authentication=no
+
+ plugins {
+ eap-tnc {
+ protocol = tnccs-1.1
+ }
+ }
}
libimcv {
diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
index 4cc205cf7..4c770388d 100644
--- a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
@@ -2,7 +2,14 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
multiple_authentication=no
+
+ plugins {
+ eap-tnc {
+ protocol = tnccs-1.1
+ }
+ }
}
libimcv {
diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
index 5dbee558f..5424f4ca2 100644
--- a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
@@ -2,7 +2,14 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
multiple_authentication=no
+
+ plugins {
+ eap-tnc {
+ protocol = tnccs-1.1
+ }
+ }
}
libimcv {
diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
index 2fe4cf001..3037d0082 100644
--- a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
@@ -2,12 +2,18 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
- multiple_authentication=no
+
+ multiple_authentication = no
+
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
+ phase2_tnc_method = tnc
+ }
+ eap-tnc {
+ protocol = tnccs-1.1
}
}
}
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
index ced332cc4..20c0928b9 100644
--- a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
@@ -2,11 +2,10 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
- multiple_authentication=no
+
+ multiple_authentication = no
+
plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
tnc-imc {
preferred_language = de, en
}
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
index 70a1b07e6..64a25b405 100644
--- a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
@@ -2,11 +2,10 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+
multiple_authentication=no
+
plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
tnc-imc {
preferred_language = ru, fr, en
}
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
index 59dce1874..7ee2ead8c 100644
--- a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
@@ -2,16 +2,15 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
- multiple_authentication=no
+
+ multiple_authentication = no
+
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
- eap-tnc {
- protocol = tnccs-2.0
- }
tnc-imv {
recommendation_policy = all
}
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
index f202bbfa8..c0e5e9476 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
@@ -2,12 +2,8 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
- multiple_authentication=no
- plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
- }
+
+ multiple_authentication = no
}
libimcv {
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
index 996169add..4c31a78f6 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
@@ -2,11 +2,10 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
- multiple_authentication=no
+
+ multiple_authentication = no
+
plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
tnc-imc {
preferred_language = ru , de, en
}
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
index 3e6bc65a6..46c736700 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
@@ -2,16 +2,15 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
- multiple_authentication=no
+
+ multiple_authentication = no
+
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
- eap-tnc {
- protocol = tnccs-2.0
- }
}
}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
index 18e715785..d71893aad 100644
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
@@ -2,10 +2,6 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
- multiple_authentication=no
- plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
- }
+
+ multiple_authentication = no
}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
index 18e715785..d71893aad 100644
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
@@ -2,10 +2,6 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
- multiple_authentication=no
- plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
- }
+
+ multiple_authentication = no
}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
index 602979cf6..768138888 100644
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
@@ -2,15 +2,14 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
- multiple_authentication=no
+
+ multiple_authentication = no
+
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
- eap-tnc {
- protocol = tnccs-2.0
- }
}
}
diff --git a/testing/tests/tnc/tnccs-20-os-pts/description.txt b/testing/tests/tnc/tnccs-20-os-pts/description.txt
new file mode 100644
index 000000000..0ade4ba30
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/description.txt
@@ -0,0 +1,22 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
+client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS and Attestation IMCs
+exchange PA-TNC attributes with the OS and Attestation IMVs via the <b>IF-M 1.0</b> measurement
+protocol defined by <b>RFC 5792 PA-TNC</b>.
+<p>
+<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
+<em>Product Information</em>, <em>String Version</em>, and <em>Device ID</em> up-front
+to the Attestation IMV, whereas <b>dave</b> must be prompted by the IMV to do so via an
+<em>Attribute Request</em> PA-TNC attribute. <b>dave</b> is instructed to do a reference
+measurement on all files in the <b>/bin</b> directory. <b>carol</b> is then prompted to
+measure a couple of individual files and the files in the <b>/bin</b> directory as
+well as to get metadata on the <b>/etc/tnc_confg</b> configuration file.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails because IP forwarding is
+enabled. Based on these assessments which are communicated to the IMCs using the
+<em>Assessment Result</em> PA-TNC attribute, the clients are connected by gateway <b>moon</b>
+to the "rw-allow" and "rw-isolate" subnets, respectively.
+</p>
diff --git a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat
new file mode 100644
index 000000000..f9bb03357
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat
@@ -0,0 +1,20 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*carol@strongswan.org - allow::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*dave@strongswan.org - isolate::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..d17473db1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imc 3, pts 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=any
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f64fe6a0c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+
+ multiple_authentication = no
+}
+
+libimcv {
+ plugins {
+ imc-os {
+ push_info = yes
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..15dc93a0a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..d459bfc6c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imc 3, pts 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=any
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..075919aec
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,21 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+
+ multiple_authentication = no
+
+ plugins {
+ tnc-imc {
+ preferred_language = de
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imc-os {
+ push_info = no
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..15dc93a0a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..bc8b2d8f9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imv 3, pts 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql
new file mode 100644
index 000000000..8b36df5e3
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql
@@ -0,0 +1,29 @@
+/* Devices */
+
+INSERT INTO devices ( /* 1 */
+ value, product, created
+) VALUES (
+ 'aabbccddeeff11223344556677889900', 42, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+ group_id, device_id
+) VALUES (
+ 10, 1
+);
+
+INSERT INTO enforcements (
+ policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+ 3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+ policy, group_id, max_age
+) VALUES (
+ 16, 2, 0
+);
+
+DELETE FROM enforcements WHERE id = 1;
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e81908f31
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,31 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+
+ multiple_authentication = no
+
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ }
+}
+
+libimcv {
+ database = sqlite:///etc/pts/config.db
+ policy_script = ipsec imv_policy_manager
+ plugins {
+ imv-attestation {
+ hash_algorithm = sha1
+ }
+ }
+}
+
+attest {
+ load = random nonce openssl sqlite
+ database = sqlite:///etc/pts/config.db
+}
+
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..6507baaa1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client
+
+IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat
new file mode 100644
index 000000000..48514d6e0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+carol::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::rm /etc/pts/config.db
diff --git a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat
new file mode 100644
index 000000000..49ea0416e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat
@@ -0,0 +1,18 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+dave::ipsec start
+carol::ipsec start
+dave::sleep 1
+dave::ipsec up home
+carol::ipsec up home
+carol::sleep 1
+moon::ipsec attest --sessions
+moon::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-20-os-pts/test.conf b/testing/tests/tnc/tnccs-20-os-pts/test.conf
new file mode 100644
index 000000000..a8a05af19
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-os/description.txt b/testing/tests/tnc/tnccs-20-os/description.txt
index 941113434..c4a2c90c4 100644
--- a/testing/tests/tnc/tnccs-20-os/description.txt
+++ b/testing/tests/tnc/tnccs-20-os/description.txt
@@ -1,12 +1,13 @@
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
using EAP-TTLS authentication only with the gateway presenting a server certificate and
the clients doing EAP-MD5 password-based authentication.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
-client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair
-is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to
-exchange PA-TNC attributes.
-<p>
+<p/>
+In a next step the <b>RFC 7171 PT-EAP</b> transport protocol is used within the EAP-TTLS tunnel
+to determine the state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>IF-TNCCS 2.0</b>
+client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS and Attestation IMCs
+exchange PA-TNC attributes with the OS IMV via the <b>IF-M 1.0</b> measurement protocol
+defined by <b>RFC 5792 PA-TNC</b>.
+<p/>
<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
<em>Product Information</em>, <em>String Version</em>, <em>Numeric Version</em>,
<em>Operational Status</em>, <em>Forwarding Enabled</em>, <em>Factory Default Password Enabled</em>
diff --git a/testing/tests/tnc/tnccs-20-os/evaltest.dat b/testing/tests/tnc/tnccs-20-os/evaltest.dat
index 21a7278d7..b9f094ffd 100644
--- a/testing/tests/tnc/tnccs-20-os/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-os/evaltest.dat
@@ -6,10 +6,10 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon:: ipsec attest --sessions 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES
+moon:: ipsec attest --sessions 2> /dev/null::Debian 7.5 x86_64.*carol@strongswan.org - allow::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec attest --sessions 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES
+moon:: ipsec attest --sessions 2> /dev/null::Debian 7.5 x86_64.*dave@strongswan.org - isolate::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
index 34941e52c..4f5993e07 100644
--- a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
@@ -2,12 +2,8 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
- multiple_authentication=no
- plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
- }
+
+ multiple_authentication = no
}
libimcv {
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
index 49f778f5b..4ed358dee 100644
--- a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
@@ -2,11 +2,10 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
- multiple_authentication=no
+
+ multiple_authentication = no
+
plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
tnc-imc {
preferred_language = de
}
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql
index 6682a5a1c..6e7e10feb 100644
--- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql
@@ -3,7 +3,7 @@
INSERT INTO devices ( /* 1 */
value, product, created
) VALUES (
- 'aabbccddeeff11223344556677889900', 28, 1372330615
+ 'aabbccddeeff11223344556677889900', 42, 1372330615
);
/* Groups Members */
@@ -27,7 +27,7 @@ INSERT INTO identities (
INSERT INTO sessions (
time, connection, identity, device, product, rec
) VALUES (
- NOW, 1, 1, 1, 28, 0
+ NOW, 1, 1, 1, 42, 0
);
/* Results */
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
index 3e017e905..ed81c1778 100644
--- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
@@ -2,16 +2,15 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
- multiple_authentication=no
+
+ multiple_authentication = no
+
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
- eap-tnc {
- protocol = tnccs-2.0
- }
}
}
diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat
index 0ac88dd8d..d991ee325 100644
--- a/testing/tests/tnc/tnccs-20-os/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-os/pretest.dat
@@ -15,6 +15,6 @@ carol::sleep 1
carol::ipsec up home
dave::ipsec up home
dave::sleep 1
-moon::ipsec attest --packages --product 'Debian 7.2 x86_64'
+moon::ipsec attest --packages --product 'Debian 7.4 x86_64'
moon::ipsec attest --sessions
moon::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-20-pdp/description.txt b/testing/tests/tnc/tnccs-20-pdp-eap/description.txt
index a178211e1..a178211e1 100644
--- a/testing/tests/tnc/tnccs-20-pdp/description.txt
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/description.txt
diff --git a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
index 505a4d079..9a477bd04 100644
--- a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
@@ -1,21 +1,28 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
-carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
+dave:: cat /var/log/daemon.log::collected 372 SWID tags::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
-moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES
-moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
+carol::cat /var/log/daemon.log::collected 373 SWID tag IDs::YES
+carol::cat /var/log/daemon.log::collected 1 SWID tag::YES
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+alice::cat /var/log/daemon.log::user AR identity.*dave.*authenticated by password::YES
+alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 3: allow - received inventory of 0 SWID tag IDs and 372 SWID tags::YES
+alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
+alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 9: allow - received inventory of 373 SWID tag IDs and 1 SWID tag::YES
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES
moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES
-moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default
new file mode 100644
index 000000000..626000612
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default
@@ -0,0 +1,26 @@
+WSGIPythonPath /var/www/tnc
+
+<VirtualHost *:80>
+ ServerName tnc.strongswan.org
+ ServerAlias tnc
+ ServerAdmin webmaster@localhost
+
+ DocumentRoot /var/www/tnc
+
+ <Directory /var/www/tnc/config>
+ <Files wsgi.py>
+ Order deny,allow
+ Allow from all
+ </Files>
+ </Directory>
+
+ WSGIScriptAlias / /var/www/tnc/config/wsgi.py
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+
+ Alias /static/ /var/www/tnc/static/
+
+ ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
+ LogLevel warn
+ CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
+</VirtualHost>
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf
index 6f673dcc5..f2e611952 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf
@@ -1,7 +1,7 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- charondebug="tnc 3, imv 3"
+ charondebug="tnc 2, imv 3"
conn aaa
leftcert=aaaCert.pem
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
index 6aeb0c0b1..6aeb0c0b1 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem
index da8cdb051..da8cdb051 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/private/aaaKey.pem
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets
index 11d45cd14..11d45cd14 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql
new file mode 100644
index 000000000..8adc45915
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql
@@ -0,0 +1,61 @@
+/* Devices */
+
+INSERT INTO devices ( /* 1 */
+ value, product, created
+) VALUES (
+ 'aabbccddeeff11223344556677889900', 42, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+ group_id, device_id
+) VALUES (
+ 10, 1
+);
+
+/* Identities */
+
+INSERT INTO identities (
+ type, value
+) VALUES ( /* dave@strongswan.org */
+ 5, X'64617665'
+);
+
+/* Sessions */
+
+INSERT INTO sessions (
+ time, connection, identity, device, product, rec
+) VALUES (
+ NOW, 1, 1, 1, 42, 0
+);
+
+/* Results */
+
+INSERT INTO results (
+ session, policy, rec, result
+) VALUES (
+ 1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+ policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+ 3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+ policy, group_id, max_age
+) VALUES (
+ 17, 2, 86400
+);
+
+INSERT INTO enforcements (
+ policy, group_id, max_age
+) VALUES (
+ 18, 10, 86400
+);
+
+DELETE FROM enforcements WHERE id = 1;
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini
new file mode 100644
index 000000000..5e7b7b556
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini
@@ -0,0 +1,19 @@
+[debug]
+DEBUG=0
+TEMPLATE_DEBUG=0
+DEBUG_TOOLBAR=0
+
+[db]
+DJANGO_DB_URL=sqlite:////var/www/tnc/django.db
+STRONGTNC_DB_URL = sqlite:////etc/pts/config.db
+
+[localization]
+LANGUAGE_CODE=en-us
+TIME_ZONE=Europe/Zurich
+
+[admins]
+Your Name: alice@strongswan.org
+
+[security]
+SECRET_KEY=strongSwan
+ALLOWED_HOSTS=127.0.0.1,10.10.0.1,tnc.strongswan.org,tnc
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
index ec4956c31..a60f1dead 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
@@ -1,15 +1,17 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
+ max_message_count = 0
}
eap-tnc {
- protocol = tnccs-2.0
+ max_message_count = 0
}
tnc-pdp {
server = aaa.strongswan.org
@@ -22,9 +24,12 @@ charon {
libimcv {
debug_level = 3
+ database = sqlite:///etc/pts/config.db
+ policy_script = ipsec imv_policy_manager
+
plugins {
- imv-test {
- rounds = 1
+ imv-swid {
+ rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
}
}
}
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config
index ebe88bc99..ebe88bc99 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf
index 59563730b..6e6430e4d 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,7 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- charondebug="tnc 3, imc 3"
+ charondebug="tnc 2, imc 3"
conn %default
ikelifetime=60m
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets
index 23d79cf2e..23d79cf2e 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
index 96ff63ab1..c040f0997 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
@@ -2,20 +2,17 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
- plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
- }
-}
-libimcv {
plugins {
- imc-test {
- command = isolate
+ eap-ttls {
+ max_message_count = 0
+ }
+ eap-tnc {
+ max_message_count = 0
}
- imc-scannner {
- push_info = no
+ tnccs-20 {
+ max_batch_size = 32754
+ max_message_size = 32722
}
}
}
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a954883a4
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf
index 8c27c78d2..4846af279 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,7 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- charondebug="tnc 3, imc 3"
+ charondebug="tnc 2, imc 3"
conn %default
ikelifetime=60m
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets
index 02e0c9963..02e0c9963 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
index 808f1d11a..cd9efeecb 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
@@ -2,17 +2,29 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
- plugins {
+
+ plugins {
+ eap-ttls {
+ max_message_count = 0
+ }
eap-tnc {
- protocol = tnccs-2.0
+ max_message_count = 0
+ }
+ tnccs-20 {
+ max_batch_size = 32754
+ max_message_size = 32722
}
}
}
libimcv {
plugins {
- imc-test {
- command = allow
+ imc-os {
+ push_info = no
+ }
+ imc-swid {
+ swid_directory = /usr/share
+ swid_pretty = no
}
}
}
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a954883a4
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf
index 02ada5665..02ada5665 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets
index e86d6aa5c..e86d6aa5c 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules
index 1eb755354..1eb755354 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf
index d32951866..d32951866 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/tnc/tnccs-20-pdp/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat
index e7eecd5f4..1e5c3f8cd 100644
--- a/testing/tests/tnc/tnccs-20-pdp/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat
@@ -2,6 +2,8 @@ moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
alice::ipsec stop
+alice::service apache2 stop
+alice::rm /etc/pts/config.db
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat
new file mode 100644
index 000000000..4ba63d1c5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat
@@ -0,0 +1,21 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
+alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
+alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db
+alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan
+alice::service apache2 start
+alice::ipsec start
+moon::ipsec start
+dave::ipsec start
+carol::ipsec start
+carol::sleep 1
+dave::ipsec up home
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-pdp/test.conf b/testing/tests/tnc/tnccs-20-pdp-eap/test.conf
index c4ca1a19f..c4ca1a19f 100644
--- a/testing/tests/tnc/tnccs-20-pdp/test.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/test.conf
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt
index 45a77e900..45a77e900 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/description.txt
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat
new file mode 100644
index 000000000..9327f51bf
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat
@@ -0,0 +1,19 @@
+dave:: cat /var/log/auth.log::sending TLS CertificateVerify handshake::YES
+dave:: cat /var/log/auth.log::collected 372 SWID tags::YES
+carol::cat /var/log/auth.log::received SASL Success result::YES
+carol::cat /var/log/auth.log::collected 373 SWID tag IDs::YES
+carol::cat /var/log/auth.log::collected 1 SWID tag::YES
+alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES
+alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES
+alice::cat /var/log/daemon.log::certificate status is good::YES
+alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
+alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
+alice::cat /var/log/daemon.log::received SWID tag inventory with 372 items for request 3 at eid 1 of epoch::YES
+alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES
+alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES
+alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES
+alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
+alice::cat /var/log/daemon.log::received SWID tag ID inventory with 373 items for request 9 at eid 1 of epoch::YES
+alice::cat /var/log/daemon.log::1 SWID tag target::YES
+alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES
+alice::cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-::YES
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default
new file mode 100644
index 000000000..626000612
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default
@@ -0,0 +1,26 @@
+WSGIPythonPath /var/www/tnc
+
+<VirtualHost *:80>
+ ServerName tnc.strongswan.org
+ ServerAlias tnc
+ ServerAdmin webmaster@localhost
+
+ DocumentRoot /var/www/tnc
+
+ <Directory /var/www/tnc/config>
+ <Files wsgi.py>
+ Order deny,allow
+ Allow from all
+ </Files>
+ </Directory>
+
+ WSGIScriptAlias / /var/www/tnc/config/wsgi.py
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+
+ Alias /static/ /var/www/tnc/static/
+
+ ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
+ LogLevel warn
+ CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
+</VirtualHost>
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf
index d8b84334a..7b2118f7e 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf
@@ -1,7 +1,7 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- charondebug="tls 2, tnc 3, imv 3"
+ charondebug="tls 2, tnc 2, imv 3"
conn aaa
leftcert=aaaCert.pem
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
index 6aeb0c0b1..6aeb0c0b1 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem
index da8cdb051..da8cdb051 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets
index 11d45cd14..11d45cd14 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules
index 5b275392b..1586214d8 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules
@@ -5,6 +5,10 @@
-P OUTPUT DROP
-P FORWARD DROP
+# open loopback interface
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+
# allow PT-TLS
-A INPUT -i eth0 -p tcp --dport 271 -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql
index 71592211b..14f9d7de6 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql
@@ -3,7 +3,7 @@
INSERT INTO devices ( /* 1 */
value, product, created
) VALUES (
- 'aabbccddeeff11223344556677889900', 28, 1372330615
+ 'aabbccddeeff11223344556677889900', 42, 1372330615
);
/* Groups Members */
@@ -27,7 +27,7 @@ INSERT INTO identities (
INSERT INTO sessions (
time, connection, identity, device, product, rec
) VALUES (
- NOW, 1, 1, 1, 28, 0
+ NOW, 1, 1, 1, 42, 0
);
/* Results */
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini
new file mode 100644
index 000000000..5e7b7b556
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini
@@ -0,0 +1,19 @@
+[debug]
+DEBUG=0
+TEMPLATE_DEBUG=0
+DEBUG_TOOLBAR=0
+
+[db]
+DJANGO_DB_URL=sqlite:////var/www/tnc/django.db
+STRONGTNC_DB_URL = sqlite:////etc/pts/config.db
+
+[localization]
+LANGUAGE_CODE=en-us
+TIME_ZONE=Europe/Zurich
+
+[admins]
+Your Name: alice@strongswan.org
+
+[security]
+SECRET_KEY=strongSwan
+ALLOWED_HOSTS=127.0.0.1,10.10.0.1,tnc.strongswan.org,tnc
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
index 21961d4b1..eb807b189 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
@@ -13,16 +13,17 @@ charon {
}
}
-libtnccs {
- plugins {
- tnccs-20 {
- max_batch_size = 131056
- max_message_size = 131024
- }
- }
+libtls {
+ suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}
libimcv {
database = sqlite:///etc/pts/config.db
policy_script = ipsec imv_policy_manager
+
+ plugins {
+ imv-swid {
+ rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
+ }
+ }
}
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..ebe88bc99
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client
+
+IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "SWID" /usr/local/lib/ipsec/imcvs/imv-swid.so
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf
index 4a41e7ed9..4a41e7ed9 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets
index d2f6378b8..d2f6378b8 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql
index 805c8bfd9..805c8bfd9 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules
index d01d0a3c9..d01d0a3c9 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options
index f04e9472a..d485e9bf7 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options
@@ -2,4 +2,5 @@
--client carol
--secret "Ar3etTnp"
--cert /etc/ipsec.d/cacerts/strongswanCert.pem
---debug 2
+--quiet
+--debug 2
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..29fdf0235
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libtls {
+ suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+}
+
+pt-tls-client {
+ load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20
+}
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config
index f40174e57..f40174e57 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf
index 4a41e7ed9..4a41e7ed9 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets
index d2f6378b8..d2f6378b8 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql
index 805c8bfd9..805c8bfd9 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules
index d01d0a3c9..d01d0a3c9 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options
index 46821ec73..ca3ca3aa1 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options
@@ -3,4 +3,5 @@
--key /etc/ipsec.d/private/daveKey.pem
--cert /etc/ipsec.d/certs/daveCert.pem
--cert /etc/ipsec.d/cacerts/strongswanCert.pem
+--quiet
--debug 2
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf
index 39b2577ae..0a7f048bf 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf
@@ -5,16 +5,15 @@ libimcv {
imc-os {
push_info = no
}
+ imc-swid {
+ swid_directory = /usr/share
+ swid_pretty = yes
+ }
}
}
-libtnccs {
- plugins {
- tnccs-20 {
- max_batch_size = 131056
- max_message_size = 131024
- }
- }
+libtls {
+ suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}
pt-tls-client {
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config
index f40174e57..f40174e57 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat
index c98df8671..b7da857a7 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat
@@ -2,6 +2,7 @@ carol::ip route del 10.1.0.0/16 via 192.168.0.1
dave::ip route del 10.1.0.0/16 via 192.168.0.1
winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
alice::ipsec stop
+alice::service apache2 stop
alice::rm /etc/pts/config.db
alice::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat
index 97ff0c1ec..ca8f47db0 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat
@@ -8,12 +8,16 @@ dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
dave::cat /etc/tnc_config
alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
+alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db
+alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan
+alice::service apache2 start
alice::ipsec start
+alice::sleep 1
winnetou::ip route add 10.1.0.0/16 via 192.168.0.1
-carol::ip route add 10.1.0.0/16 via 192.168.0.1
-carol::cat /etc/pts/options
-carol::ipsec pt-tls-client --optionsfrom /etc/pts/options
dave::ip route add 10.1.0.0/16 via 192.168.0.1
dave::cat /etc/pts/options
dave::ipsec pt-tls-client --optionsfrom /etc/pts/options
-dave::sleep 1
+carol::ip route add 10.1.0.0/16 via 192.168.0.1
+carol::cat /etc/pts/options
+carol::ipsec pt-tls-client --optionsfrom /etc/pts/options
+carol::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf
index 0887e4d09..0887e4d09 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/test.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config
deleted file mode 100644
index da732f68b..000000000
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan client
-
-IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
-IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config
deleted file mode 100644
index 6166552f5..000000000
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config
deleted file mode 100644
index 6166552f5..000000000
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-20-pdp/pretest.dat b/testing/tests/tnc/tnccs-20-pdp/pretest.dat
deleted file mode 100644
index 32ed4d854..000000000
--- a/testing/tests/tnc/tnccs-20-pdp/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-alice::ipsec start
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat
deleted file mode 100644
index 3139ca082..000000000
--- a/testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-alice:: cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES
-alice:: cat /var/log/daemon.log::SASL PLAIN authentication successful::YES
-alice:: cat /var/log/daemon.log::SASL client identity is.*carol::YES
-alice:: cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
-alice:: cat /var/log/daemon.log::received SWID tag ID inventory for request 6 at eid 1 of epoch::YES
-alice:: cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-.*.swidtag::YES
-alice:: cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES
-alice:: cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES
-alice:: cat /var/log/daemon.log::certificate status is good::YES
-alice:: cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
-alice:: cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
-alice:: cat /var/log/daemon.log::received SWID tag inventory for request 11 at eid 1 of epoch::YES
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index de2fea244..000000000
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
- plugins {
- imc-os {
- push_info = yes
- }
- imc-swid {
- #swid_directory = /usr/share
- }
- }
-}
-
-libtnccs {
- plugins {
- tnccs-20 {
- max_batch_size = 131056
- max_message_size = 131024
- }
- }
-}
-
-pt-tls-client {
- load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20
-}
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt b/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt
index 29976509a..febf07401 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt
@@ -1,12 +1,13 @@
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
using EAP-TTLS authentication only with the gateway presenting a server certificate and
the clients doing EAP-MD5 password-based authentication.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
-client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair
-is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to
-exchange PA-TNC attributes.
-<p>
+<p/>
+In a next step the <b>RFC 7171 PT-EAP</b> transport protocol is used within the EAP-TTLS
+tunnel to determine the state of <b>carol</b>'s and <b>dave</b>'s operating system via the
+<b>TNCCS 2.0 </b> client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC
+and OS IMV pair is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b>
+to exchange PA-TNC attributes.
+<p/>
<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
<em>Product Information</em>, <em>String Version</em>, and <em>Device ID</em> up-front
to the Attestation IMV, whereas <b>dave</b> must be prompted by the IMV to do so via an
@@ -14,7 +15,7 @@ to the Attestation IMV, whereas <b>dave</b> must be prompted by the IMV to do so
measurement on all files in the <b>/bin</b> directory. <b>carol</b> is then prompted to
measure a couple of individual files and the files in the <b>/bin</b> directory as
well as to get metadata on the <b>/etc/tnc_confg</b> configuration file.
-<p>
+<p/>
Since the Attestation IMV negotiates a Diffie-Hellman group for TPM-based measurements,
the mandatory default being <b>ecp256</b>, with the strongswan.conf option
<b>mandatory_dh_groups = no</b> no ECC support is required.
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat
index 5eb944055..f9bb03357 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat
@@ -6,10 +6,10 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*carol@strongswan.org - allow::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*dave@strongswan.org - isolate::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf
index 72bf2c7c9..53bb9dfaa 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf
@@ -2,12 +2,8 @@
charon {
load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
- multiple_authentication=no
- plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
- }
+
+ multiple_authentication = no
}
libimcv {
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf
index 6f71994ae..25c27be8b 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf
@@ -2,11 +2,10 @@
charon {
load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
- multiple_authentication=no
+
+ multiple_authentication = no
+
plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
tnc-imc {
preferred_language = de
}
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql
index 2bb7e7924..8b36df5e3 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql
@@ -3,7 +3,7 @@
INSERT INTO devices ( /* 1 */
value, product, created
) VALUES (
- 'aabbccddeeff11223344556677889900', 28, 1372330615
+ 'aabbccddeeff11223344556677889900', 42, 1372330615
);
/* Groups Members */
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
index e76598b9a..07d620c0e 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
@@ -2,16 +2,15 @@
charon {
load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
- multiple_authentication=no
+
+ multiple_authentication = no
+
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
- eap-tnc {
- protocol = tnccs-2.0
- }
}
}
diff --git a/testing/tests/tnc/tnccs-20-pts/description.txt b/testing/tests/tnc/tnccs-20-pts/description.txt
index e78a70091..e532ab2cf 100644
--- a/testing/tests/tnc/tnccs-20-pts/description.txt
+++ b/testing/tests/tnc/tnccs-20-pts/description.txt
@@ -1,12 +1,13 @@
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
using EAP-TTLS authentication only with the gateway presenting a server certificate and
the clients doing EAP-MD5 password-based authentication.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
-client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair
-is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to
-exchange PA-TNC attributes.
-<p>
+<p/>
+In a next step the <b>RFC 7171 PT-EAP</b> transport protocol is used within the EAP-TTLS tunnel
+to determine the state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0</b>
+client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS and Attestation IMCs
+exchange PA-TNC attributes with the OS IMV via the <b>IF-M 1.0</b> measurement protocol
+defined by <b>RFC 5792 PA-TNC</b>.
+<p/>
<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
<em>Product Information</em>, <em>String Version</em>, and <em>Device ID</em> up-front
to the Attestation IMV, whereas <b>dave</b> must be prompted by the IMV to do so via an
diff --git a/testing/tests/tnc/tnccs-20-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-pts/evaltest.dat
index 5eb944055..2d18138e4 100644
--- a/testing/tests/tnc/tnccs-20-pts/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pts/evaltest.dat
@@ -2,19 +2,19 @@ carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/28::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*carol@strongswan.org - allow::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES
-moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*dave@strongswan.org - allow::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.200/32::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
index e6046833c..f64fe6a0c 100644
--- a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
@@ -2,12 +2,8 @@
charon {
load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
- multiple_authentication=no
- plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
- }
+
+ multiple_authentication = no
}
libimcv {
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
index 3236a18fa..79c79b87f 100644
--- a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
@@ -2,11 +2,9 @@
charon {
load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
- multiple_authentication=no
+
+ multiple_authentication = no
plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
tnc-imc {
preferred_language = de
}
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql
index 2bb7e7924..8b36df5e3 100644
--- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql
@@ -3,7 +3,7 @@
INSERT INTO devices ( /* 1 */
value, product, created
) VALUES (
- 'aabbccddeeff11223344556677889900', 28, 1372330615
+ 'aabbccddeeff11223344556677889900', 42, 1372330615
);
/* Groups Members */
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
index 0298a5151..e81908f31 100644
--- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
@@ -2,16 +2,15 @@
charon {
load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
- multiple_authentication=no
+
+ multiple_authentication = no
+
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
- eap-tnc {
- protocol = tnccs-2.0
- }
}
}
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config
index 6507baaa1..4865036f4 100644
--- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config
@@ -1,4 +1,3 @@
#IMV configuration file for strongSwan client
-IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-server-retry/description.txt b/testing/tests/tnc/tnccs-20-server-retry/description.txt
index b37fbd445..f9ee7b803 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/description.txt
+++ b/testing/tests/tnc/tnccs-20-server-retry/description.txt
@@ -1,10 +1,11 @@
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
using EAP-TTLS authentication only with the gateway presenting a server certificate and
the clients doing EAP-MD5 password-based authentication.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
-compliant with <b>RFC 5793 PB-TNC</b>. The IMC and IMV communicate are using the <b>IF-M</b>
-protocol defined by <b>RFC 5792 PA-TNC</b>.
+<p/>
+In a next step the <b>RFC 7171 PT-EAP</b> transport protocol is used within the EAP-TTLS
+tunnel to determine the health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0 </b>
+client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The IMCs and IMVs exchange
+messages over the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
<p>
The first time the TNC clients <b>carol</b> and <b>dave</b> send their measurements,
TNC server <b>moon</b> requests a handshake retry. In the retry <b>carol</b> succeeds
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf
index 6f145ab0b..5e661c36e 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf
@@ -2,12 +2,8 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
- multiple_authentication=no
- plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
- }
+
+ multiple_authentication = no
}
libimcv {
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf
index fce949901..6b86fe897 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf
@@ -2,11 +2,10 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
- multiple_authentication=no
+
+ multiple_authentication = no
+
plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
tnc-imc {
preferred_language = ru , de, en
}
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf
index 3e6bc65a6..46c736700 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf
@@ -2,16 +2,15 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
- multiple_authentication=no
+
+ multiple_authentication = no
+
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
- eap-tnc {
- protocol = tnccs-2.0
- }
}
}
diff --git a/testing/tests/tnc/tnccs-20-tls/description.txt b/testing/tests/tnc/tnccs-20-tls/description.txt
index a032d2d05..f193bd27b 100644
--- a/testing/tests/tnc/tnccs-20-tls/description.txt
+++ b/testing/tests/tnc/tnccs-20-tls/description.txt
@@ -1,9 +1,10 @@
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>,
both ends doing certificate-based EAP-TLS authentication only.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0 </b> client-server interface
-compliant with <b>RFC 5793 PB-TNC</b>. The IMC and IMV communicate are using the <b>IF-M</b>
-protocol defined by <b>RFC 5792 PA-TNC</b>.
+<p/>
+In a next step the <b>RFC 7171 PT-EAP</b> transport protocol is used within the EAP-TTLS
+tunnel to determine the health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0 </b>
+client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The IMCs and IMVs exchange
+messages over the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
<p>
<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
index ada13a325..1cf2f0e72 100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
@@ -2,12 +2,8 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
- multiple_authentication=no
- plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
- }
+
+ multiple_authentication = no
}
libimcv {
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
index 0870ca667..0e63eaba4 100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
@@ -2,12 +2,8 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
- multiple_authentication=no
- plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
- }
+
+ multiple_authentication = no
}
libimcv {
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
index bc1d421c1..1a4dc8521 100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
@@ -2,25 +2,14 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
- multiple_authentication=no
+
+ multiple_authentication = no
+
plugins {
eap-ttls {
request_peer_auth = yes
phase2_piggyback = yes
phase2_tnc = yes
}
- eap-tnc {
- protocol = tnccs-2.0
- }
- }
-}
-
-libimcv {
- plugins {
- imv-scanner {
- closed_port_policy = no
- tcp_ports = 80 443
- udp_ports =
- }
}
}
diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
index 6d8c10eab..292bfa53f 100644
--- a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
@@ -2,12 +2,8 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
- multiple_authentication=no
- plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
- }
+
+ multiple_authentication = no
}
libimcv {
diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
index 1e5f50b05..75f6d73da 100644
--- a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
@@ -2,11 +2,10 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
- multiple_authentication=no
+
+ multiple_authentication = no
+
plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
tnc-imc {
preferred_language = ru, pl , de
}
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
index 1a0cc202e..94e1ee926 100644
--- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
@@ -2,16 +2,15 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
- multiple_authentication=no
+
+ multiple_authentication = no
+
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
- eap-tnc {
- protocol = tnccs-2.0
- }
}
}
diff --git a/testing/tests/tnc/tnccs-dynamic/description.txt b/testing/tests/tnc/tnccs-dynamic/description.txt
index 21e9bc675..86f6323c3 100644
--- a/testing/tests/tnc/tnccs-dynamic/description.txt
+++ b/testing/tests/tnc/tnccs-dynamic/description.txt
@@ -1,6 +1,7 @@
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
using EAP-TTLS authentication only with the gateway presenting a server certificate and
the clients doing EAP-MD5 password-based authentication.
+<p/>
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
health of TNC client <b>carol</b> via the <b>TNCCS 1.1 </b> client-server interface and of
TNC client <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface. TNC server
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
index f4ea047ec..c8e5e8ad3 100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
@@ -10,6 +10,11 @@ charon {
eap-tnc {
protocol = tnccs-1.1
}
+ }
+}
+
+libimcv {
+ plugins {
imc-test {
command = allow
}
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
index 4c738ce42..9fc9cecee 100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
@@ -10,6 +10,11 @@ charon {
eap-tnc {
protocol = tnccs-2.0
}
+ }
+}
+
+libimcv {
+ plugins {
imc-test {
command = isolate
}
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
index 0b1cf10eb..0d547cbe0 100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
@@ -11,6 +11,7 @@ charon {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
+ phase2_tnc_method = tnc
}
eap-tnc {
protocol = tnccs-dynamic