summaryrefslogtreecommitdiff
path: root/testing
diff options
context:
space:
mode:
Diffstat (limited to 'testing')
-rw-r--r--testing/config/kernel/config-4.192690
-rw-r--r--testing/config/kvm/alice.xml6
-rw-r--r--testing/config/kvm/bob.xml2
-rw-r--r--testing/config/kvm/carol.xml2
-rw-r--r--testing/config/kvm/dave.xml2
-rw-r--r--testing/config/kvm/moon.xml2
-rw-r--r--testing/config/kvm/sun.xml2
-rw-r--r--testing/config/kvm/venus.xml2
-rw-r--r--testing/config/kvm/winnetou.xml2
-rwxr-xr-xtesting/do-tests36
-rw-r--r--testing/hosts/alice/etc/freeradius/3.0/clients.conf5
-rw-r--r--testing/hosts/alice/etc/freeradius/3.0/radiusd.conf99
-rw-r--r--testing/hosts/alice/etc/freeradius/dictionary2
-rw-r--r--testing/hosts/alice/etc/freeradius/radiusd.conf2
-rw-r--r--testing/hosts/default/etc/ssh/sshd_config2
-rwxr-xr-xtesting/hosts/default/usr/local/bin/init_collector2
-rw-r--r--testing/hosts/venus/etc/default/isc-dhcp-server3
-rw-r--r--testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf1
-rw-r--r--testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text4
-rw-r--r--testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf24
-rw-r--r--testing/hosts/winnetou/etc/openssl/duck/openssl.cnf20
-rw-r--r--testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf22
-rw-r--r--testing/hosts/winnetou/etc/openssl/monster/openssl.cnf20
-rw-r--r--testing/hosts/winnetou/etc/openssl/openssl.cnf22
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/openssl.cnf20
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf24
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/openssl.cnf22
-rwxr-xr-xtesting/scripts/build-baseimage41
-rwxr-xr-xtesting/scripts/build-guestimages7
-rwxr-xr-xtesting/scripts/build-rootimage5
-rw-r--r--testing/scripts/recipes/001_libtnc.mk31
-rw-r--r--testing/scripts/recipes/002_tnc-fhh.mk35
-rw-r--r--testing/scripts/recipes/003_freeradius.mk43
-rw-r--r--testing/scripts/recipes/004_hostapd.mk39
-rw-r--r--testing/scripts/recipes/004_wpa_supplicant.mk39
-rw-r--r--testing/scripts/recipes/005_anet.mk9
-rw-r--r--testing/scripts/recipes/006_tkm-rpc.mk9
-rw-r--r--testing/scripts/recipes/007_x509-ada.mk9
-rw-r--r--testing/scripts/recipes/008_xfrm-ada.mk9
-rw-r--r--testing/scripts/recipes/009_xfrm-proxy.mk9
-rw-r--r--testing/scripts/recipes/010_tkm.mk9
-rw-r--r--testing/scripts/recipes/011_botan.mk12
-rw-r--r--testing/scripts/recipes/patches/freeradius-eap-sim-identity30
-rw-r--r--testing/scripts/recipes/patches/freeradius-tnc-fhh6687
-rw-r--r--testing/scripts/recipes/patches/hostapd-config38
-rw-r--r--testing/scripts/recipes/patches/tnc-fhh-tncsim12
-rw-r--r--testing/scripts/recipes/patches/wpa_supplicant-eap-tnc47
-rw-r--r--testing/testing.conf16
-rwxr-xr-xtesting/tests/botan/net2net-ed25519/description.txt10
-rwxr-xr-xtesting/tests/botan/net2net-ed25519/evaltest.dat7
-rwxr-xr-xtesting/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf9
-rw-r--r--testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem3
-rwxr-xr-xtesting/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf33
-rw-r--r--testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem13
-rw-r--r--testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem11
-rwxr-xr-xtesting/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf9
-rw-r--r--testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem3
-rwxr-xr-xtesting/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf33
-rw-r--r--testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem13
-rw-r--r--testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem11
-rwxr-xr-xtesting/tests/botan/net2net-ed25519/posttest.dat7
-rwxr-xr-xtesting/tests/botan/net2net-ed25519/pretest.dat9
-rwxr-xr-xtesting/tests/botan/net2net-ed25519/test.conf25
-rw-r--r--testing/tests/botan/net2net-pkcs12/description.txt8
-rw-r--r--testing/tests/botan/net2net-pkcs12/evaltest.dat5
-rw-r--r--testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf6
-rw-r--r--testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 (renamed from testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12)bin3661 -> 3661 bytes
-rwxr-xr-xtesting/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf36
-rw-r--r--testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf6
-rw-r--r--testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 (renamed from testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12)bin3661 -> 3661 bytes
-rwxr-xr-xtesting/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf36
-rw-r--r--testing/tests/botan/net2net-pkcs12/posttest.dat6
-rw-r--r--testing/tests/botan/net2net-pkcs12/pretest.dat9
-rw-r--r--testing/tests/botan/net2net-pkcs12/test.conf (renamed from testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf)4
-rwxr-xr-xtesting/tests/botan/net2net-sha3-rsa-cert/description.txt8
-rwxr-xr-xtesting/tests/botan/net2net-sha3-rsa-cert/evaltest.dat5
-rwxr-xr-xtesting/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf9
-rw-r--r--testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem39
-rwxr-xr-xtesting/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf33
-rw-r--r--testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem28
-rw-r--r--testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem26
-rwxr-xr-xtesting/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf9
-rw-r--r--testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem39
-rwxr-xr-xtesting/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf33
-rw-r--r--testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem28
-rw-r--r--testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem26
-rwxr-xr-xtesting/tests/botan/net2net-sha3-rsa-cert/posttest.dat5
-rwxr-xr-xtesting/tests/botan/net2net-sha3-rsa-cert/pretest.dat7
-rwxr-xr-xtesting/tests/botan/net2net-sha3-rsa-cert/test.conf25
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default56
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users1
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat2
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat2
-rw-r--r--testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap0
-rw-r--r--testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/proxy.conf (renamed from testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/default53
-rw-r--r--testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/users1
-rw-r--r--testing/tests/ikev1/xauth-rsa-radius/posttest.dat2
-rw-r--r--testing/tests/ikev1/xauth-rsa-radius/pretest.dat2
-rw-r--r--testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf9
-rw-r--r--testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf9
-rw-r--r--testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf9
-rw-r--r--testing/tests/ikev2/host2host-cert/description.txt6
-rw-r--r--testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat2
-rw-r--r--testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat2
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default58
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users2
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files3
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default14
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat6
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users2
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat2
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat6
-rw-r--r--testing/tests/ikev2/nat-rw-psk/description.txt3
-rw-r--r--testing/tests/ikev2/nat-rw/description.txt2
-rw-r--r--testing/tests/ikev2/net2net-psk/description.txt5
-rw-r--r--testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt14
-rw-r--r--testing/tests/ikev2/rw-eap-aka-rsa/description.txt13
-rw-r--r--testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default58
-rw-r--r--testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users4
-rw-r--r--testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default58
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users4
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default58
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users1
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf (renamed from testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf)0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users1
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/pretest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/description.txt12
-rw-r--r--testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt16
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap21
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf (renamed from testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf)0
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel38
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users)0
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/pretest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/description.txt16
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default58
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users1
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files3
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default13
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users1
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat3
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/description.txt23
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files3
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default13
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat3
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/description.txt25
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files3
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default13
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-sim-rsa/description.txt13
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap16
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default55
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users0
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf4
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/pretest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf20
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf20
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf19
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets6
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf18
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat11
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap21
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel38
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users (renamed from testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users)0
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat2
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default64
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users1
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/pretest.dat2
-rw-r--r--testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat2
-rw-r--r--testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat2
-rw-r--r--testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat2
-rw-r--r--testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat2
-rw-r--r--testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat2
-rw-r--r--testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat2
-rw-r--r--testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat4
-rw-r--r--testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat4
-rw-r--r--testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat4
-rw-r--r--testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat4
-rw-r--r--testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat4
-rw-r--r--testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat4
-rw-r--r--testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat2
-rw-r--r--testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat2
-rw-r--r--testing/tests/ipv6/host2host-ikev1/evaltest.dat2
-rw-r--r--testing/tests/ipv6/host2host-ikev2/evaltest.dat2
-rw-r--r--testing/tests/ipv6/net2net-ikev1/evaltest.dat2
-rw-r--r--testing/tests/ipv6/net2net-ikev2/evaltest.dat2
-rw-r--r--testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat2
-rw-r--r--testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat2
-rw-r--r--testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat2
-rw-r--r--testing/tests/ipv6/rw-ikev1/evaltest.dat4
-rw-r--r--testing/tests/ipv6/rw-ikev2/evaltest.dat4
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat4
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat4
-rw-r--r--testing/tests/ipv6/rw-psk-ikev1/evaltest.dat4
-rw-r--r--testing/tests/ipv6/rw-psk-ikev2/evaltest.dat4
-rw-r--r--testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat4
-rw-r--r--testing/tests/ipv6/transport-ikev1/evaltest.dat2
-rw-r--r--testing/tests/ipv6/transport-ikev2/evaltest.dat2
-rw-r--r--testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat2
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/description.txt7
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/evaltest.dat8
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/posttest.dat5
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/pretest.dat8
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/test.conf4
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/description.txt8
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat14
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat10
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/test.conf4
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/description.txt10
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat15
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat10
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/test.conf4
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/description.txt7
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat12
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem (renamed from testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf35
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem (renamed from testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem (renamed from testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem (renamed from testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem (renamed from testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem (renamed from testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem (renamed from testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem (renamed from testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem (renamed from testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat11
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat13
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/test.conf4
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/description.txt16
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat26
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat11
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/description.txt11
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat17
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/pretest.dat11
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/description.txt7
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/evaltest.dat8
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/posttest.dat5
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/pretest.dat8
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/test.conf4
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt8
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat15
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat10
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf4
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt13
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat15
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat10
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf4
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/description.txt8
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat14
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat10
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/test.conf4
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/description.txt10
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat15
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat10
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/test.conf4
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/description.txt2
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/evaltest.dat2
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf4
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem (renamed from testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der (renamed from testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der)bin952 -> 952 bytes
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem (renamed from testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der (renamed from testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der)bin951 -> 951 bytes
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/posttest.dat9
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/pretest.dat14
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/test.conf6
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/description.txt7
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat16
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem (renamed from testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf35
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf3
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem (renamed from testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem (renamed from testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat11
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat13
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/test.conf4
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat8
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/pkcs8/carolKey.pem (renamed from testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/swanctl.conf35
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509/carolCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/pkcs8/daveKey.pem (renamed from testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/swanctl.conf36
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509/daveCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem (renamed from testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509/moonCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat11
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat13
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf4
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat7
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf24
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc15
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc15
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc19
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf6
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf24
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc15
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc15
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc19
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf6
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat8
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat9
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/description.txt4
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat6
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12bin0 -> 3661 bytes
-rwxr-xr-xtesting/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf36
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf23
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets8
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12bin0 -> 3661 bytes
-rwxr-xr-xtesting/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf36
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat8
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat16
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/test.conf6
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/description.txt9
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/evaltest.dat13
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/posttest.dat8
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/pretest.dat13
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/test.conf4
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat10
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem15
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem18
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem8
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf11
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem15
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem20
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem7
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf15
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat4
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/description.txt12
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat11
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem15
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem18
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem7
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf19
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem15
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem18
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem5
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf19
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem15
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem18
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem5
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf18
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat11
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/description.txt12
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat11
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem15
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem19
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem8
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf19
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem15
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem19
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem6
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf19
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem15
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem19
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem6
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf18
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat11
-rw-r--r--testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat4
-rw-r--r--testing/tests/sql/rw-psk-ipv6/evaltest.dat4
-rwxr-xr-xtesting/tests/swanctl/config-payload/evaltest.dat8
-rw-r--r--testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf9
-rwxr-xr-xtesting/tests/swanctl/frags-ipv6/evaltest.dat4
-rwxr-xr-xtesting/tests/swanctl/host2host-cert/description.txt6
-rwxr-xr-xtesting/tests/swanctl/host2host-cert/evaltest.dat6
-rwxr-xr-xtesting/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf30
-rwxr-xr-xtesting/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf30
-rwxr-xr-xtesting/tests/swanctl/host2host-cert/posttest.dat5
-rwxr-xr-xtesting/tests/swanctl/host2host-cert/pretest.dat7
-rwxr-xr-xtesting/tests/swanctl/host2host-cert/test.conf25
-rwxr-xr-xtesting/tests/swanctl/host2host-transport/description.txt6
-rwxr-xr-xtesting/tests/swanctl/host2host-transport/evaltest.dat6
-rwxr-xr-xtesting/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf31
-rwxr-xr-xtesting/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf31
-rwxr-xr-xtesting/tests/swanctl/host2host-transport/posttest.dat5
-rwxr-xr-xtesting/tests/swanctl/host2host-transport/pretest.dat7
-rwxr-xr-xtesting/tests/swanctl/host2host-transport/test.conf25
-rwxr-xr-xtesting/tests/swanctl/ip-pool-db/evaltest.dat8
-rwxr-xr-xtesting/tests/swanctl/ip-pool/evaltest.dat8
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/description.txt14
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/evaltest.dat35
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf27
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf27
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules43
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf20
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf48
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf27
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/posttest.dat18
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/pretest.dat30
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/ip-two-pools-db/test.conf (renamed from testing/tests/tnc/tnccs-11-radius-pts/test.conf)12
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/description.txt9
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/evaltest.dat18
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf26
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules43
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf55
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/posttest.dat8
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/pretest.dat11
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/ip-two-pools/test.conf (renamed from testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf)10
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default58
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users2
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files3
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default13
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat6
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users2
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat2
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat6
-rw-r--r--testing/tests/swanctl/nat-rw-psk/description.txt8
-rw-r--r--testing/tests/swanctl/nat-rw-psk/evaltest.dat14
-rw-r--r--testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf7
-rwxr-xr-xtesting/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf33
-rw-r--r--testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules24
-rw-r--r--testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf36
-rw-r--r--testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf7
-rwxr-xr-xtesting/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf34
-rw-r--r--testing/tests/swanctl/nat-rw-psk/posttest.dat7
-rw-r--r--testing/tests/swanctl/nat-rw-psk/pretest.dat16
-rw-r--r--testing/tests/swanctl/nat-rw-psk/test.conf25
-rw-r--r--testing/tests/swanctl/nat-rw/description.txt8
-rw-r--r--testing/tests/swanctl/nat-rw/evaltest.dat14
-rw-r--r--testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf7
-rwxr-xr-xtesting/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules24
-rw-r--r--testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf7
-rwxr-xr-xtesting/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/swanctl/nat-rw/posttest.dat7
-rw-r--r--testing/tests/swanctl/nat-rw/pretest.dat13
-rw-r--r--testing/tests/swanctl/nat-rw/test.conf25
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/net2net-psk/description.txt (renamed from testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt)5
-rwxr-xr-xtesting/tests/swanctl/net2net-psk/evaltest.dat5
-rwxr-xr-xtesting/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf55
-rwxr-xr-xtesting/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf40
-rwxr-xr-xtesting/tests/swanctl/net2net-psk/posttest.dat5
-rwxr-xr-xtesting/tests/swanctl/net2net-psk/pretest.dat9
-rwxr-xr-xtesting/tests/swanctl/net2net-psk/test.conf25
-rwxr-xr-xtesting/tests/swanctl/rw-cert-pss/evaltest.dat8
-rwxr-xr-xtesting/tests/swanctl/rw-cert/description.txt3
-rw-r--r--testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt11
-rw-r--r--testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat10
-rw-r--r--testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf35
-rw-r--r--testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf35
-rw-r--r--testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat8
-rw-r--r--testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf (renamed from testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf)8
-rw-r--r--testing/tests/swanctl/rw-eap-aka-rsa/description.txt8
-rw-r--r--testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat9
-rw-r--r--testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf9
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf)17
-rw-r--r--testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf34
-rw-r--r--testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat8
-rw-r--r--testing/tests/swanctl/rw-eap-aka-rsa/test.conf (renamed from testing/tests/openssl-ikev2/alg-aes-gcm/test.conf)10
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/description.txt10
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat10
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users1
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default)0
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users1
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf35
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules)0
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf16
-rwxr-xr-xtesting/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf28
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat9
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/test.conf (renamed from testing/tests/tnc/tnccs-11-supplicant/test.conf)8
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/description.txt7
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat9
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users1
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default (renamed from testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default)0
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users1
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf9
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf)17
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules (renamed from testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules)0
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf16
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf)14
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/pretest.dat9
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/test.conf29
-rw-r--r--testing/tests/swanctl/rw-eap-md5-rsa/description.txt7
-rw-r--r--testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat10
-rw-r--r--testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf34
-rw-r--r--testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf39
-rw-r--r--testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat8
-rw-r--r--testing/tests/swanctl/rw-eap-md5-rsa/test.conf25
-rw-r--r--testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt10
-rw-r--r--testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat11
-rw-r--r--testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf9
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf)13
-rw-r--r--testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf40
-rw-r--r--testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat8
-rw-r--r--testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf25
-rw-r--r--testing/tests/swanctl/rw-eap-peap-md5/description.txt (renamed from testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt)10
-rw-r--r--testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat17
-rw-r--r--testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf20
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf)18
-rw-r--r--testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf20
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf)18
-rw-r--r--testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf22
-rwxr-xr-xtesting/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf37
-rw-r--r--testing/tests/swanctl/rw-eap-peap-md5/posttest.dat (renamed from testing/tests/tnc/tnccs-11-fhh/posttest.dat)0
-rw-r--r--testing/tests/swanctl/rw-eap-peap-md5/pretest.dat (renamed from testing/tests/tnc/tnccs-20-fhh/pretest.dat)13
-rw-r--r--testing/tests/swanctl/rw-eap-peap-md5/test.conf (renamed from testing/tests/openssl-ikev2/rw-suite-b-192/test.conf)4
-rw-r--r--testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt8
-rw-r--r--testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat17
-rw-r--r--testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf20
-rwxr-xr-xtesting/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf35
-rw-r--r--testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf20
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf)18
-rw-r--r--testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf21
-rwxr-xr-xtesting/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf37
-rw-r--r--testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat (renamed from testing/tests/tnc/tnccs-20-fhh/posttest.dat)0
-rw-r--r--testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat (renamed from testing/tests/tnc/tnccs-11-fhh/pretest.dat)13
-rw-r--r--testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf (renamed from testing/tests/openssl-ikev2/rw-suite-b-128/test.conf)4
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/description.txt9
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat17
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap21
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel38
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users (renamed from testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users)0
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf (renamed from testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf)11
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default (renamed from testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default)0
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel)0
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users (renamed from testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users)0
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf35
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf9
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf)18
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules (renamed from testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules)0
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf16
-rwxr-xr-xtesting/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/posttest.dat (renamed from testing/tests/tnc/tnccs-11-radius-block/posttest.dat)3
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/pretest.dat14
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/test.conf (renamed from testing/tests/tnc/tnccs-11-radius-block/test.conf)4
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/description.txt13
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat10
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default58
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users1
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default53
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users1
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat (renamed from testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat)0
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules (renamed from testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules)10
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf16
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat10
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/test.conf29
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/description.txt15
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat13
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users2
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default72
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users2
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat (renamed from testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat)3
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat3
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules (renamed from testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules)10
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf16
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat (renamed from testing/tests/tnc/tnccs-11-radius/posttest.dat)3
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat16
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/test.conf (renamed from testing/tests/tnc/tnccs-11-radius/test.conf)4
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/description.txt15
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat13
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users2
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default72
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users2
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat (renamed from testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat)3
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat3
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules (renamed from testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules)10
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf16
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/posttest.dat (renamed from testing/tests/tnc/tnccs-11-radius-pts/posttest.dat)4
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/pretest.dat16
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/test.conf (renamed from testing/tests/tnc/tnccs-20-fhh/test.conf)6
-rw-r--r--testing/tests/swanctl/rw-eap-sim-rsa/description.txt8
-rw-r--r--testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat9
-rw-r--r--testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat3
-rw-r--r--testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat3
-rw-r--r--testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat8
-rw-r--r--testing/tests/swanctl/rw-eap-sim-rsa/test.conf25
-rw-r--r--testing/tests/swanctl/rw-eap-tls-only/description.txt (renamed from testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt)3
-rw-r--r--testing/tests/swanctl/rw-eap-tls-only/evaltest.dat10
-rw-r--r--testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf16
-rwxr-xr-xtesting/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf20
-rwxr-xr-xtesting/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/swanctl/rw-eap-tls-only/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-tls-only/pretest.dat (renamed from testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat)6
-rw-r--r--testing/tests/swanctl/rw-eap-tls-only/test.conf25
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/description.txt7
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat9
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap16
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default55
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users0
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf (renamed from testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf)18
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default41
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users1
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf16
-rwxr-xr-xtesting/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules (renamed from testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules)10
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf16
-rwxr-xr-xtesting/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/pretest.dat8
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/test.conf29
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-only/description.txt11
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat (renamed from testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat)6
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf20
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf)16
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf20
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf)16
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf21
-rwxr-xr-xtesting/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf37
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-only/posttest.dat (renamed from testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat)6
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-only/pretest.dat13
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-only/test.conf (renamed from testing/tests/openssl-ikev2/alg-blowfish/test.conf)4
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/description.txt9
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat17
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap21
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel38
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users2
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf)7
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default (renamed from testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default)0
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel (renamed from testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel)0
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users2
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf35
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf9
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf)18
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf16
-rwxr-xr-xtesting/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat7
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat14
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/test.conf (renamed from testing/tests/tnc/tnccs-11-fhh/test.conf)7
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/description.txt13
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/evaltest.dat18
-rwxr-xr-xtesting/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon158
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf22
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config4
-rwxr-xr-xtesting/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon158
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf22
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config4
-rwxr-xr-xtesting/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon158
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf28
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf64
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy1
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy40
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/description.txt14
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/evaltest.dat15
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second36
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf12
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf27
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf30
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf15
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/pretest.dat21
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/description.txt14
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat18
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second36
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql29
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf13
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf19
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf20
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf15
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf53
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/pretest.dat28
-rw-r--r--testing/tests/tnc/tnccs-11-radius/description.txt13
-rw-r--r--testing/tests/tnc/tnccs-11-radius/evaltest.dat18
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf25
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel32
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second36
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf12
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf30
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf30
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf15
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf53
-rw-r--r--testing/tests/tnc/tnccs-11-radius/pretest.dat22
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/description.txt12
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/evaltest.dat2
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel32
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second36
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf12
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf11
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf1
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf10
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf11
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf1
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf10
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf1127
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/posttest.dat5
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/pretest.dat11
-rw-r--r--testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/collector.sql39
-rw-r--r--testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat1
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/description.txt13
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/evaltest.dat18
-rwxr-xr-xtesting/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon158
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf18
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config3
-rwxr-xr-xtesting/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon158
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf17
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config3
-rwxr-xr-xtesting/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon158
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf21
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf64
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy1
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy40
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf8
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default1
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf8
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default1
1043 files changed, 11157 insertions, 13902 deletions
diff --git a/testing/config/kernel/config-4.19 b/testing/config/kernel/config-4.19
new file mode 100644
index 000000000..79cf9e71e
--- /dev/null
+++ b/testing/config/kernel/config-4.19
@@ -0,0 +1,2690 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 4.19.0 Kernel Configuration
+#
+
+#
+# Compiler: gcc (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0
+#
+CONFIG_CC_IS_GCC=y
+CONFIG_GCC_VERSION=70300
+CONFIG_CLANG_VERSION=0
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+CONFIG_THREAD_INFO_IN_TASK=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+# CONFIG_COMPILE_TEST is not set
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_BUILD_SALT=""
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_HAVE_KERNEL_LZ4=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_USELIB=y
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_DOMAIN=y
+CONFIG_IRQ_DOMAIN_HIERARCHY=y
+CONFIG_GENERIC_MSI_IRQ=y
+CONFIG_GENERIC_MSI_IRQ_DOMAIN=y
+CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y
+CONFIG_GENERIC_IRQ_RESERVATION_MODE=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_RCU_EXPERT is not set
+CONFIG_SRCU=y
+CONFIG_TINY_SRCU=y
+CONFIG_BUILD_BIN2C=y
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
+CONFIG_ARCH_SUPPORTS_INT128=y
+CONFIG_CGROUPS=y
+CONFIG_PAGE_COUNTER=y
+CONFIG_MEMCG=y
+CONFIG_MEMCG_SWAP=y
+CONFIG_MEMCG_SWAP_ENABLED=y
+CONFIG_MEMCG_KMEM=y
+CONFIG_BLK_CGROUP=y
+# CONFIG_DEBUG_BLK_CGROUP is not set
+CONFIG_CGROUP_WRITEBACK=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
+CONFIG_CFS_BANDWIDTH=y
+# CONFIG_RT_GROUP_SCHED is not set
+CONFIG_CGROUP_PIDS=y
+# CONFIG_CGROUP_RDMA is not set
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_PERF=y
+# CONFIG_CGROUP_DEBUG is not set
+CONFIG_SOCK_CGROUP_DATA=y
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BPF=y
+# CONFIG_EXPERT is not set
+CONFIG_MULTIUSER=y
+CONFIG_SGETMASK_SYSCALL=y
+CONFIG_SYSFS_SYSCALL=y
+CONFIG_FHANDLE=y
+CONFIG_POSIX_TIMERS=y
+CONFIG_PRINTK=y
+CONFIG_PRINTK_NMI=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_FUTEX_PI=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_ADVISE_SYSCALLS=y
+CONFIG_MEMBARRIER=y
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_KALLSYMS_BASE_RELATIVE=y
+# CONFIG_BPF_SYSCALL is not set
+# CONFIG_USERFAULTFD is not set
+CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y
+CONFIG_RSEQ=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+CONFIG_SLAB_MERGE_DEFAULT=y
+# CONFIG_SLAB_FREELIST_RANDOM is not set
+# CONFIG_PROFILING is not set
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_ARCH_MMAP_RND_BITS_MIN=28
+CONFIG_ARCH_MMAP_RND_BITS_MAX=32
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_FILTER_PGPROT=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_FIX_EARLYCON_MEM=y
+CONFIG_PGTABLE_LEVELS=4
+CONFIG_CC_HAS_SANE_STACKPROTECTOR=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_FEATURE_NAMES=y
+CONFIG_X86_MPPARSE=y
+# CONFIG_GOLDFISH is not set
+CONFIG_RETPOLINE=y
+# CONFIG_INTEL_RDT is not set
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_GOLDFISH is not set
+# CONFIG_X86_INTEL_MID is not set
+# CONFIG_X86_INTEL_LPSS is not set
+# CONFIG_X86_AMD_PLATFORM_DEVICE is not set
+CONFIG_IOSF_MBI=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+# CONFIG_HYPERVISOR_GUEST is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_NR_CPUS_RANGE_BEGIN=1
+CONFIG_NR_CPUS_RANGE_END=1
+CONFIG_NR_CPUS_DEFAULT=1
+CONFIG_NR_CPUS=1
+CONFIG_UP_LATE_INIT=y
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+
+#
+# Performance monitoring
+#
+CONFIG_PERF_EVENTS_INTEL_UNCORE=y
+CONFIG_PERF_EVENTS_INTEL_RAPL=y
+CONFIG_PERF_EVENTS_INTEL_CSTATE=y
+# CONFIG_PERF_EVENTS_AMD_POWER is not set
+CONFIG_X86_16BIT=y
+CONFIG_X86_ESPFIX64=y
+CONFIG_X86_VSYSCALL_EMULATION=y
+# CONFIG_I8K is not set
+CONFIG_MICROCODE=y
+CONFIG_MICROCODE_INTEL=y
+# CONFIG_MICROCODE_AMD is not set
+CONFIG_MICROCODE_OLD_INTERFACE=y
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+# CONFIG_X86_5LEVEL is not set
+CONFIG_X86_DIRECT_GBPAGES=y
+CONFIG_ARCH_HAS_MEM_ENCRYPT=y
+# CONFIG_AMD_MEM_ENCRYPT is not set
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+# CONFIG_X86_PMEM_LEGACY is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+CONFIG_X86_INTEL_UMIP=y
+# CONFIG_X86_INTEL_MPX is not set
+CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_KEXEC_FILE is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_PHYSICAL_ALIGN=0x1000000
+CONFIG_LEGACY_VSYSCALL_EMULATE=y
+# CONFIG_LEGACY_VSYSCALL_NONE is not set
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_MODIFY_LDT_SYSCALL=y
+CONFIG_HAVE_LIVEPATCH=y
+CONFIG_ARCH_HAS_ADD_PAGES=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+CONFIG_PM_CLK=y
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_ARCH_SUPPORTS_ACPI=y
+CONFIG_ACPI=y
+CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y
+CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
+CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y
+# CONFIG_ACPI_DEBUGGER is not set
+CONFIG_ACPI_SPCR_TABLE=y
+CONFIG_ACPI_LPIT=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS_POWER is not set
+CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_TAD is not set
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_CPU_FREQ_PSS=y
+CONFIG_ACPI_PROCESSOR_CSTATE=y
+CONFIG_ACPI_PROCESSOR_IDLE=y
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+CONFIG_ACPI_HOTPLUG_IOAPIC=y
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_NFIT is not set
+CONFIG_HAVE_ACPI_APEI=y
+CONFIG_HAVE_ACPI_APEI_NMI=y
+# CONFIG_ACPI_APEI is not set
+# CONFIG_DPTF_POWER is not set
+# CONFIG_PMIC_OPREGION is not set
+# CONFIG_ACPI_CONFIGFS is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+
+#
+# CPU Idle
+#
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_PCI_MSI=y
+CONFIG_PCI_MSI_IRQ_DOMAIN=y
+CONFIG_PCI_QUIRKS=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_PCI_LOCKLESS_CONFIG=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+CONFIG_PCI_LABEL=y
+# CONFIG_HOTPLUG_PCI is not set
+
+#
+# PCI controller drivers
+#
+
+#
+# Cadence PCIe controllers support
+#
+# CONFIG_VMD is not set
+
+#
+# DesignWare PCI Core Support
+#
+# CONFIG_PCIE_DW_PLAT_HOST is not set
+
+#
+# PCI Endpoint
+#
+# CONFIG_PCI_ENDPOINT is not set
+
+#
+# PCI switch controller drivers
+#
+# CONFIG_PCI_SW_SWITCHTEC is not set
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_RAPIDIO is not set
+# CONFIG_X86_SYSFB is not set
+
+#
+# Binary Emulations
+#
+# CONFIG_IA32_EMULATION is not set
+# CONFIG_X86_X32 is not set
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_HAVE_GENERIC_GUP=y
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_FW_CFG_SYSFS is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# Tegra firmware driver
+#
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_VHOST_NET is not set
+# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set
+
+#
+# General architecture-dependent options
+#
+CONFIG_CRASH_CORE=y
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_FUNCTION_ERROR_INJECTION=y
+CONFIG_HAVE_NMI=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_CONTIGUOUS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_ARCH_HAS_FORTIFY_SOURCE=y
+CONFIG_ARCH_HAS_SET_MEMORY=y
+CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y
+CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_RSEQ=y
+CONFIG_HAVE_CLK=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_STACKPROTECTOR=y
+CONFIG_CC_HAS_STACKPROTECTOR_NONE=y
+CONFIG_STACKPROTECTOR=y
+CONFIG_STACKPROTECTOR_STRONG=y
+CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD=y
+CONFIG_HAVE_ARCH_HUGE_VMAP=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_HAVE_MOD_ARCH_SPECIFIC=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
+CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
+CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
+CONFIG_HAVE_EXIT_THREAD=y
+CONFIG_ARCH_MMAP_RND_BITS=28
+CONFIG_HAVE_COPY_THREAD_TLS=y
+CONFIG_HAVE_STACK_VALIDATION=y
+CONFIG_HAVE_RELIABLE_STACKTRACE=y
+CONFIG_HAVE_ARCH_VMAP_STACK=y
+CONFIG_VMAP_STACK=y
+CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y
+CONFIG_STRICT_KERNEL_RWX=y
+CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y
+CONFIG_ARCH_HAS_REFCOUNT=y
+# CONFIG_REFCOUNT_FULL is not set
+CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y
+
+#
+# GCOV-based kernel profiling
+#
+CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
+CONFIG_PLUGIN_HOSTCC=""
+CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_MODULES_TREE_LOOKUP=y
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+# CONFIG_BLK_DEV_ZONED is not set
+# CONFIG_BLK_DEV_THROTTLING is not set
+# CONFIG_BLK_CMDLINE_PARSER is not set
+# CONFIG_BLK_WBT is not set
+# CONFIG_BLK_CGROUP_IOLATENCY is not set
+# CONFIG_BLK_SED_OPAL is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+CONFIG_BLK_MQ_PCI=y
+CONFIG_BLK_MQ_VIRTIO=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_CFQ_GROUP_IOSCHED is not set
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_MQ_IOSCHED_DEADLINE=y
+CONFIG_MQ_IOSCHED_KYBER=y
+# CONFIG_IOSCHED_BFQ is not set
+CONFIG_ASN1=y
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
+CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y
+CONFIG_ARCH_USE_QUEUED_RWLOCKS=y
+CONFIG_ARCH_HAS_SYNC_CORE_BEFORE_USERMODE=y
+CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y
+CONFIG_FREEZER=y
+
+#
+# Executable file formats
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ELFCORE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+
+#
+# Memory Management options
+#
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_MEMORY_BALLOON=y
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_ARCH_WANTS_THP_SWAP=y
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_CMA is not set
+# CONFIG_ZPOOL is not set
+# CONFIG_ZBUD is not set
+# CONFIG_ZSMALLOC is not set
+CONFIG_GENERIC_EARLY_IOREMAP=y
+# CONFIG_IDLE_PAGE_TRACKING is not set
+CONFIG_ARCH_HAS_ZONE_DEVICE=y
+# CONFIG_ZONE_DEVICE is not set
+CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
+CONFIG_ARCH_HAS_PKEYS=y
+# CONFIG_PERCPU_STATS is not set
+# CONFIG_GUP_BENCHMARK is not set
+CONFIG_ARCH_HAS_PTE_SPECIAL=y
+CONFIG_NET=y
+CONFIG_NET_INGRESS=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_TLS=y
+# CONFIG_TLS_DEVICE is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+# CONFIG_XFRM_INTERFACE is not set
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+CONFIG_NET_IPGRE_DEMUX=y
+CONFIG_NET_IP_TUNNEL=y
+CONFIG_NET_IPGRE=y
+# CONFIG_SYN_COOKIES is not set
+CONFIG_NET_IPVTI=y
+CONFIG_NET_UDP_TUNNEL=y
+# CONFIG_NET_FOU is not set
+# CONFIG_NET_FOU_IP_TUNNELS is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+# CONFIG_INET_ESP_OFFLOAD is not set
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_INET_RAW_DIAG is not set
+# CONFIG_INET_DIAG_DESTROY is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+# CONFIG_INET6_ESP_OFFLOAD is not set
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+# CONFIG_IPV6_ILA is not set
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+CONFIG_IPV6_VTI=y
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_IPV6_SEG6_LWTUNNEL is not set
+# CONFIG_IPV6_SEG6_HMAC is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_INGRESS=y
+CONFIG_NETFILTER_NETLINK=y
+CONFIG_NETFILTER_FAMILY_ARP=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+# CONFIG_NETFILTER_NETLINK_OSF is not set
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_LOG_COMMON=y
+# CONFIG_NF_LOG_NETDEV is not set
+CONFIG_NETFILTER_CONNCOUNT=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CONNTRACK_LABELS is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+CONFIG_NF_NAT_REDIRECT=y
+# CONFIG_NF_TABLES is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_L2TP=y
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+# CONFIG_IP_SET_HASH_IPMARK is not set
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+# CONFIG_IP_SET_HASH_IPMAC is not set
+# CONFIG_IP_SET_HASH_MAC is not set
+# CONFIG_IP_SET_HASH_NETPORTNET is not set
+CONFIG_IP_SET_HASH_NET=y
+# CONFIG_IP_SET_HASH_NETNET is not set
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+# CONFIG_NF_SOCKET_IPV4 is not set
+# CONFIG_NF_TPROXY_IPV4 is not set
+# CONFIG_NF_DUP_IPV4 is not set
+# CONFIG_NF_LOG_ARP is not set
+CONFIG_NF_LOG_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_NF_NAT_MASQUERADE_IPV4=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+# CONFIG_IP_NF_TARGET_SYNPROXY is not set
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+# CONFIG_NF_SOCKET_IPV6 is not set
+# CONFIG_NF_TPROXY_IPV6 is not set
+# CONFIG_NF_DUP_IPV6 is not set
+CONFIG_NF_REJECT_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_NF_NAT_MASQUERADE_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+# CONFIG_IP6_NF_MATCH_SRH is not set
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+# CONFIG_IP6_NF_TARGET_SYNPROXY is not set
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+CONFIG_IP6_NF_NAT=y
+CONFIG_IP6_NF_TARGET_MASQUERADE=y
+CONFIG_IP6_NF_TARGET_NPT=y
+CONFIG_NF_DEFRAG_IPV6=y
+# CONFIG_BPFILTER is not set
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_NET_DSA is not set
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_6LOWPAN is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+CONFIG_DNS_RESOLVER=y
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_DIAG is not set
+# CONFIG_MPLS is not set
+# CONFIG_NET_NSH is not set
+# CONFIG_HSR is not set
+# CONFIG_NET_SWITCHDEV is not set
+# CONFIG_NET_L3_MASTER_DEV is not set
+# CONFIG_NET_NCSI is not set
+CONFIG_CGROUP_NET_PRIO=y
+CONFIG_CGROUP_NET_CLASSID=y
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+# CONFIG_AF_KCM is not set
+CONFIG_STREAM_PARSER=y
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+# CONFIG_PSAMPLE is not set
+# CONFIG_NET_IFE is not set
+# CONFIG_LWTUNNEL is not set
+CONFIG_DST_CACHE=y
+CONFIG_GRO_CELLS=y
+# CONFIG_NET_DEVLINK is not set
+CONFIG_MAY_USE_DEVLINK=y
+CONFIG_FAILOVER=y
+CONFIG_HAVE_EBPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER=y
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+
+#
+# Firmware loader
+#
+CONFIG_FW_LOADER=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_FW_LOADER_USER_HELPER is not set
+CONFIG_ALLOW_DEV_COREDUMP=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set
+CONFIG_GENERIC_CPU_AUTOPROBE=y
+CONFIG_GENERIC_CPU_VULNERABILITIES=y
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_GNSS is not set
+# CONFIG_MTD is not set
+# CONFIG_OF is not set
+CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_NULL_BLK is not set
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_SKD is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_VIRTIO_BLK_SCSI is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+
+#
+# NVME Support
+#
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_NVME_FC is not set
+
+#
+# Misc devices
+#
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_SRAM is not set
+# CONFIG_PCI_ENDPOINT_TEST is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module (requires I2C)
+#
+# CONFIG_INTEL_MEI is not set
+# CONFIG_INTEL_MEI_ME is not set
+# CONFIG_INTEL_MEI_TXE is not set
+# CONFIG_VMWARE_VMCI is not set
+
+#
+# Intel MIC & related support
+#
+
+#
+# Intel MIC Bus Driver
+#
+# CONFIG_INTEL_MIC_BUS is not set
+
+#
+# SCIF Bus Driver
+#
+# CONFIG_SCIF_BUS is not set
+
+#
+# VOP Bus Driver
+#
+# CONFIG_VOP_BUS is not set
+
+#
+# Intel MIC Host Driver
+#
+
+#
+# Intel MIC Card Driver
+#
+
+#
+# SCIF Driver
+#
+
+#
+# Intel MIC Coprocessor State Management (COSM) Drivers
+#
+
+#
+# VOP Driver
+#
+# CONFIG_GENWQE is not set
+# CONFIG_ECHO is not set
+# CONFIG_MISC_RTSX_PCI is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_TARGET_CORE is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_IPVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_GENEVE is not set
+# CONFIG_GTP is not set
+CONFIG_MACSEC=y
+# CONFIG_NETCONSOLE is not set
+CONFIG_TUN=y
+# CONFIG_TUN_VNET_CROSS_LE is not set
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_NLMON is not set
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+
+#
+# Distributed Switch Architecture drivers
+#
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_AGERE=y
+# CONFIG_ET131X is not set
+CONFIG_NET_VENDOR_ALACRITECH=y
+# CONFIG_SLICOSS is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+# CONFIG_ALTERA_TSE is not set
+CONFIG_NET_VENDOR_AMAZON=y
+# CONFIG_ENA_ETHERNET is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+# CONFIG_AMD_XGBE is not set
+CONFIG_NET_VENDOR_AQUANTIA=y
+# CONFIG_AQTION is not set
+# CONFIG_NET_VENDOR_ARC is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+# CONFIG_NET_VENDOR_AURORA is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BCMGENET is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+# CONFIG_SYSTEMPORT is not set
+# CONFIG_BNXT is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+CONFIG_NET_VENDOR_CADENCE=y
+# CONFIG_MACB is not set
+CONFIG_NET_VENDOR_CAVIUM=y
+# CONFIG_THUNDER_NIC_PF is not set
+# CONFIG_THUNDER_NIC_VF is not set
+# CONFIG_THUNDER_NIC_BGX is not set
+# CONFIG_THUNDER_NIC_RGX is not set
+CONFIG_CAVIUM_PTP=y
+# CONFIG_LIQUIDIO is not set
+# CONFIG_LIQUIDIO_VF is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+CONFIG_NET_VENDOR_CORTINA=y
+# CONFIG_CX_ECAT is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EZCHIP=y
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_HUAWEI=y
+# CONFIG_HINIC is not set
+CONFIG_NET_VENDOR_I825XX=y
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+# CONFIG_I40E is not set
+# CONFIG_I40EVF is not set
+# CONFIG_ICE is not set
+# CONFIG_FM10K is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX5_CORE is not set
+# CONFIG_MLXSW_CORE is not set
+# CONFIG_MLXFW is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MICROSEMI=y
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_NETERION=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_NETRONOME=y
+# CONFIG_NFP is not set
+CONFIG_NET_VENDOR_NI=y
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_ETHOC is not set
+CONFIG_NET_VENDOR_PACKET_ENGINES=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+# CONFIG_QED is not set
+CONFIG_NET_VENDOR_QUALCOMM=y
+# CONFIG_QCOM_EMAC is not set
+# CONFIG_RMNET is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RENESAS=y
+CONFIG_NET_VENDOR_ROCKER=y
+CONFIG_NET_VENDOR_SAMSUNG=y
+# CONFIG_SXGBE_ETH is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SOLARFLARE=y
+# CONFIG_SFC is not set
+# CONFIG_SFC_FALCON is not set
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC911X is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_SOCIONEXT=y
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_SYNOPSYS=y
+# CONFIG_DWC_XLGMAC is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TI_CPSW_ALE is not set
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_MDIO_DEVICE is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+
+#
+# Host-side USB support is needed for USB Network Adapter support
+#
+CONFIG_WLAN=y
+CONFIG_WLAN_VENDOR_ADMTEK=y
+CONFIG_WLAN_VENDOR_ATH=y
+# CONFIG_ATH_DEBUG is not set
+# CONFIG_ATH5K_PCI is not set
+CONFIG_WLAN_VENDOR_ATMEL=y
+CONFIG_WLAN_VENDOR_BROADCOM=y
+CONFIG_WLAN_VENDOR_CISCO=y
+CONFIG_WLAN_VENDOR_INTEL=y
+CONFIG_WLAN_VENDOR_INTERSIL=y
+# CONFIG_HOSTAP is not set
+# CONFIG_PRISM54 is not set
+CONFIG_WLAN_VENDOR_MARVELL=y
+CONFIG_WLAN_VENDOR_MEDIATEK=y
+CONFIG_WLAN_VENDOR_RALINK=y
+CONFIG_WLAN_VENDOR_REALTEK=y
+CONFIG_WLAN_VENDOR_RSI=y
+CONFIG_WLAN_VENDOR_ST=y
+CONFIG_WLAN_VENDOR_TI=y
+CONFIG_WLAN_VENDOR_ZYDAS=y
+CONFIG_WLAN_VENDOR_QUANTENNA=y
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_FUJITSU_ES is not set
+CONFIG_NET_FAILOVER=y
+# CONFIG_ISDN is not set
+# CONFIG_NVM is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_SAMSUNG is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_BYD=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+CONFIG_MOUSE_PS2_FOCALTECH=y
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+# CONFIG_RMI4_CORE is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_USERIO is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVMEM=y
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_UARTLITE is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
+# CONFIG_SERIAL_DEV_BUS is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_XILLYBUS is not set
+# CONFIG_RANDOM_TRUST_CPU is not set
+
+#
+# I2C support
+#
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_SPMI is not set
+# CONFIG_HSI is not set
+# CONFIG_PPS is not set
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+# CONFIG_PINCTRL is not set
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+# CONFIG_POWER_AVS is not set
+# CONFIG_POWER_RESET is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27XXX is not set
+# CONFIG_CHARGER_MAX8903 is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_APPLESMC is not set
+# CONFIG_SENSORS_ASPEED is not set
+# CONFIG_SENSORS_DELL_SMM is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_I5500 is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_NCT6683 is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_NPCM7XX is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+# CONFIG_THERMAL_STATISTICS is not set
+CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0
+CONFIG_THERMAL_HWMON=y
+# CONFIG_THERMAL_WRITABLE_TRIPS is not set
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_BANG_BANG is not set
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_POWER_ALLOCATOR is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+# CONFIG_INTEL_SOC_DTS_THERMAL is not set
+
+#
+# ACPI INT340X thermal drivers
+#
+# CONFIG_INT340X_THERMAL is not set
+# CONFIG_INTEL_PCH_THERMAL is not set
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_MFD_MADERA is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_INTEL_LPSS_ACPI is not set
+# CONFIG_MFD_INTEL_LPSS_PCI is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_KEMPLD is not set
+# CONFIG_MFD_MT6397 is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+CONFIG_RC_CORE=y
+CONFIG_RC_MAP=y
+# CONFIG_LIRC is not set
+CONFIG_RC_DECODERS=y
+CONFIG_IR_NEC_DECODER=y
+CONFIG_IR_RC5_DECODER=y
+CONFIG_IR_RC6_DECODER=y
+CONFIG_IR_JVC_DECODER=y
+CONFIG_IR_SONY_DECODER=y
+CONFIG_IR_SANYO_DECODER=y
+CONFIG_IR_SHARP_DECODER=y
+CONFIG_IR_MCE_KBD_DECODER=y
+CONFIG_IR_XMP_DECODER=y
+# CONFIG_IR_IMON_DECODER is not set
+# CONFIG_RC_DEVICES is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+# CONFIG_DRM_DP_CEC is not set
+
+#
+# ACP (Audio CoProcessor) Configuration
+#
+
+#
+# AMD Library routines
+#
+
+#
+# Frame buffer Devices
+#
+# CONFIG_FB is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_DUMMY_CONSOLE_COLUMNS=80
+CONFIG_DUMMY_CONSOLE_ROWS=25
+CONFIG_SOUND=y
+# CONFIG_SND is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=y
+# CONFIG_HID_ACRUX is not set
+CONFIG_HID_APPLE=y
+# CONFIG_HID_AUREAL is not set
+CONFIG_HID_BELKIN=y
+CONFIG_HID_CHERRY=y
+CONFIG_HID_CHICONY=y
+# CONFIG_HID_COUGAR is not set
+# CONFIG_HID_CMEDIA is not set
+CONFIG_HID_CYPRESS=y
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+CONFIG_HID_EZKEY=y
+# CONFIG_HID_GEMBIRD is not set
+# CONFIG_HID_GFRM is not set
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+CONFIG_HID_ITE=y
+# CONFIG_HID_JABRA is not set
+# CONFIG_HID_TWINHAN is not set
+CONFIG_HID_KENSINGTON=y
+# CONFIG_HID_LCPOWER is not set
+# CONFIG_HID_LENOVO is not set
+CONFIG_HID_LOGITECH=y
+# CONFIG_HID_LOGITECH_HIDPP is not set
+# CONFIG_LOGITECH_FF is not set
+# CONFIG_LOGIRUMBLEPAD2_FF is not set
+# CONFIG_LOGIG940_FF is not set
+# CONFIG_LOGIWHEELS_FF is not set
+# CONFIG_HID_MAGICMOUSE is not set
+# CONFIG_HID_MAYFLASH is not set
+CONFIG_HID_REDRAGON=y
+CONFIG_HID_MICROSOFT=y
+CONFIG_HID_MONTEREY=y
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_NTI is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+CONFIG_HID_PLANTRONICS=y
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEAM is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_RMI is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_UDRAW_PS3 is not set
+# CONFIG_HID_XINMO is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+# CONFIG_HID_ALPS is not set
+
+#
+# Intel ISH HID support
+#
+# CONFIG_INTEL_ISH_HID is not set
+CONFIG_USB_OHCI_LITTLE_ENDIAN=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+CONFIG_USB_PCI=y
+
+#
+# USB port drivers
+#
+
+#
+# USB Physical Layer drivers
+#
+# CONFIG_NOP_USB_XCEIV is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_TYPEC is not set
+# CONFIG_USB_ULPI_BUS is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+CONFIG_EDAC_ATOMIC_SCRUB=y
+CONFIG_EDAC_SUPPORT=y
+CONFIG_RTC_LIB=y
+CONFIG_RTC_MC146818_LIB=y
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+
+#
+# DMABUF options
+#
+# CONFIG_SYNC_FILE is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+# CONFIG_VIRT_DRIVERS is not set
+CONFIG_VIRTIO=y
+CONFIG_VIRTIO_MENU=y
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_PCI_LEGACY=y
+CONFIG_VIRTIO_BALLOON=y
+# CONFIG_VIRTIO_INPUT is not set
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACER_WIRELESS is not set
+# CONFIG_ACERHDF is not set
+# CONFIG_DELL_SMBIOS is not set
+# CONFIG_DELL_SMO8800 is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_GPD_POCKET_FAN is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_HP_WIRELESS is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ASUS_WIRELESS is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_TOSHIBA_HAPS is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_HID_EVENT is not set
+# CONFIG_INTEL_VBTN is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_INTEL_PMC_CORE is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_INTEL_RST is not set
+# CONFIG_INTEL_SMARTCONNECT is not set
+# CONFIG_PVPANIC is not set
+# CONFIG_INTEL_PMC_IPC is not set
+# CONFIG_SURFACE_PRO3_BUTTON is not set
+# CONFIG_INTEL_PUNIT_IPC is not set
+CONFIG_PMC_ATOM=y
+# CONFIG_CHROME_PLATFORMS is not set
+# CONFIG_MELLANOX_PLATFORM is not set
+CONFIG_CLKDEV_LOOKUP=y
+CONFIG_HAVE_CLK_PREPARE=y
+CONFIG_COMMON_CLK=y
+
+#
+# Common Clock Framework
+#
+# CONFIG_HWSPINLOCK is not set
+
+#
+# Clock Source drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+
+#
+# Generic IOMMU Pagetable Support
+#
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_REMOTEPROC is not set
+
+#
+# Rpmsg drivers
+#
+# CONFIG_RPMSG_VIRTIO is not set
+# CONFIG_SOUNDWIRE is not set
+
+#
+# SOC (System On Chip) specific Drivers
+#
+
+#
+# Amlogic SoC drivers
+#
+
+#
+# Broadcom SoC drivers
+#
+
+#
+# NXP/Freescale QorIQ SoC drivers
+#
+
+#
+# i.MX SoC drivers
+#
+
+#
+# Qualcomm SoC drivers
+#
+# CONFIG_SOC_TI is not set
+
+#
+# Xilinx SoC drivers
+#
+# CONFIG_XILINX_VCU is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+
+#
+# IRQ chip support
+#
+CONFIG_ARM_GIC_MAX_NR=1
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+# CONFIG_FMC is not set
+
+#
+# PHY Subsystem
+#
+# CONFIG_GENERIC_PHY is not set
+# CONFIG_BCM_KONA_USB2_PHY is not set
+# CONFIG_PHY_PXA_28NM_HSIC is not set
+# CONFIG_PHY_PXA_28NM_USB2 is not set
+# CONFIG_POWERCAP is not set
+# CONFIG_MCB is not set
+
+#
+# Performance monitor support
+#
+# CONFIG_RAS is not set
+# CONFIG_THUNDERBOLT is not set
+
+#
+# Android
+#
+# CONFIG_ANDROID is not set
+# CONFIG_LIBNVDIMM is not set
+# CONFIG_DAX is not set
+# CONFIG_NVMEM is not set
+
+#
+# HW tracing support
+#
+# CONFIG_STM is not set
+# CONFIG_INTEL_TH is not set
+# CONFIG_FPGA is not set
+# CONFIG_UNISYS_VISORBUS is not set
+# CONFIG_SIOX is not set
+# CONFIG_SLIMBUS is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_FS_IOMAP=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_FS_POSIX_ACL is not set
+# CONFIG_EXT3_FS_SECURITY is not set
+CONFIG_EXT4_FS=y
+# CONFIG_EXT4_FS_POSIX_ACL is not set
+# CONFIG_EXT4_FS_SECURITY is not set
+# CONFIG_EXT4_ENCRYPTION is not set
+# CONFIG_EXT4_DEBUG is not set
+CONFIG_JBD2=y
+# CONFIG_JBD2_DEBUG is not set
+CONFIG_FS_MBCACHE=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+# CONFIG_F2FS_FS is not set
+# CONFIG_FS_DAX is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_EXPORTFS=y
+# CONFIG_EXPORTFS_BLOCK_OPS is not set
+CONFIG_FILE_LOCKING=y
+CONFIG_MANDATORY_FILE_LOCKING=y
+# CONFIG_FS_ENCRYPTION is not set
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+CONFIG_AUTOFS_FS=y
+# CONFIG_FUSE_FS is not set
+# CONFIG_OVERLAY_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+# CONFIG_PROC_CHILDREN is not set
+CONFIG_KERNFS=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+CONFIG_MEMFD_CREATE=y
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ORANGEFS_FS is not set
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_ECRYPT_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+# CONFIG_9P_FS_SECURITY is not set
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Security options
+#
+CONFIG_KEYS=y
+# CONFIG_PERSISTENT_KEYRINGS is not set
+# CONFIG_BIG_KEYS is not set
+# CONFIG_ENCRYPTED_KEYS is not set
+# CONFIG_KEY_DH_OPERATIONS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_PAGE_TABLE_ISOLATION=y
+CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
+# CONFIG_HARDENED_USERCOPY is not set
+# CONFIG_FORTIFY_SOURCE is not set
+# CONFIG_STATIC_USERMODEHELPER is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_RNG_DEFAULT=y
+CONFIG_CRYPTO_AKCIPHER2=y
+CONFIG_CRYPTO_AKCIPHER=y
+CONFIG_CRYPTO_KPP2=y
+CONFIG_CRYPTO_KPP=y
+CONFIG_CRYPTO_ACOMP2=y
+CONFIG_CRYPTO_RSA=y
+CONFIG_CRYPTO_DH=y
+CONFIG_CRYPTO_ECDH=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_NULL2=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_MCRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_SIMD=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+# CONFIG_CRYPTO_AEGIS128 is not set
+# CONFIG_CRYPTO_AEGIS128L is not set
+# CONFIG_CRYPTO_AEGIS256 is not set
+# CONFIG_CRYPTO_AEGIS128_AESNI_SSE2 is not set
+# CONFIG_CRYPTO_AEGIS128L_AESNI_SSE2 is not set
+# CONFIG_CRYPTO_AEGIS256_AESNI_SSE2 is not set
+# CONFIG_CRYPTO_MORUS640 is not set
+# CONFIG_CRYPTO_MORUS640_SSE2 is not set
+# CONFIG_CRYPTO_MORUS1280 is not set
+# CONFIG_CRYPTO_MORUS1280_SSE2 is not set
+# CONFIG_CRYPTO_MORUS1280_AVX2 is not set
+CONFIG_CRYPTO_SEQIV=y
+CONFIG_CRYPTO_ECHAINIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+# CONFIG_CRYPTO_CFB is not set
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+# CONFIG_CRYPTO_KEYWRAP is not set
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+# CONFIG_CRYPTO_CRCT10DIF is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_POLY1305=y
+CONFIG_CRYPTO_POLY1305_X86_64=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+# CONFIG_CRYPTO_SHA1_MB is not set
+CONFIG_CRYPTO_SHA256_MB=y
+CONFIG_CRYPTO_SHA512_MB=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_SHA3=y
+CONFIG_CRYPTO_SM3=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+# CONFIG_CRYPTO_AES_TI is not set
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_CHACHA20=y
+CONFIG_CRYPTO_CHACHA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
+CONFIG_CRYPTO_SM4=y
+# CONFIG_CRYPTO_SPECK is not set
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_842=y
+CONFIG_CRYPTO_LZ4=y
+CONFIG_CRYPTO_LZ4HC=y
+# CONFIG_CRYPTO_ZSTD is not set
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_DRBG_MENU=y
+CONFIG_CRYPTO_DRBG_HMAC=y
+CONFIG_CRYPTO_DRBG_HASH=y
+CONFIG_CRYPTO_DRBG_CTR=y
+CONFIG_CRYPTO_DRBG=y
+CONFIG_CRYPTO_JITTERENTROPY=y
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_USER_API_RNG is not set
+CONFIG_CRYPTO_USER_API_AEAD=y
+CONFIG_CRYPTO_HASH_INFO=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_ASYMMETRIC_KEY_TYPE=y
+CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
+CONFIG_X509_CERTIFICATE_PARSER=y
+CONFIG_PKCS7_MESSAGE_PARSER=y
+
+#
+# Certificates for signature checking
+#
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_TRUSTED_KEYS=""
+# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
+# CONFIG_SECONDARY_TRUSTED_KEYRING is not set
+# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_RATIONAL=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_NET_UTILS=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
+CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+# CONFIG_CRC64 is not set
+# CONFIG_CRC4 is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+# CONFIG_RANDOM32_SELFTEST is not set
+CONFIG_842_COMPRESS=y
+CONFIG_842_DECOMPRESS=y
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_LZ4_COMPRESS=y
+CONFIG_LZ4HC_COMPRESS=y
+CONFIG_LZ4_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_ASSOCIATIVE_ARRAY=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT_MAP=y
+CONFIG_HAS_DMA=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DMA_DIRECT_OPS=y
+CONFIG_SWIOTLB=y
+CONFIG_SGL_ALLOC=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_CLZ_TAB=y
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
+# CONFIG_IRQ_POLL is not set
+CONFIG_MPILIB=y
+CONFIG_OID_REGISTRY=y
+CONFIG_ARCH_HAS_SG_CHAIN=y
+CONFIG_ARCH_HAS_PMEM_API=y
+CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y
+CONFIG_SBITMAP=y
+# CONFIG_STRING_SELFTEST is not set
+
+#
+# Kernel hacking
+#
+
+#
+# printk and dmesg options
+#
+# CONFIG_PRINTK_TIME is not set
+CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7
+CONFIG_CONSOLE_LOGLEVEL_QUIET=4
+CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# Compile-time checks and compiler options
+#
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_INFO_SPLIT is not set
+# CONFIG_DEBUG_INFO_DWARF4 is not set
+# CONFIG_GDB_SCRIPTS is not set
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_PAGE_OWNER is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_SECTION_MISMATCH_WARN_ONLY=y
+CONFIG_STACK_VALIDATION=y
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_MAGIC_SYSRQ is not set
+CONFIG_DEBUG_KERNEL=y
+
+#
+# Memory Debugging
+#
+# CONFIG_PAGE_EXTENSION is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+# CONFIG_PAGE_POISONING is not set
+CONFIG_DEBUG_RODATA_TEST=y
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_VM is not set
+CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y
+# CONFIG_DEBUG_VIRTUAL is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+CONFIG_HAVE_ARCH_KASAN=y
+# CONFIG_KASAN is not set
+CONFIG_ARCH_HAS_KCOV=y
+CONFIG_CC_HAS_SANCOV_TRACE_PC=y
+# CONFIG_KCOV is not set
+# CONFIG_DEBUG_SHIRQ is not set
+
+#
+# Debug Lockups and Hangs
+#
+# CONFIG_SOFTLOCKUP_DETECTOR is not set
+CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y
+# CONFIG_HARDLOCKUP_DETECTOR is not set
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_WQ_WATCHDOG is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_PANIC_TIMEOUT=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_SCHED_STACK_END_CHECK is not set
+# CONFIG_DEBUG_TIMEKEEPING is not set
+
+#
+# Lock Debugging (spinlocks, mutexes, etc...)
+#
+CONFIG_LOCK_DEBUGGING_SUPPORT=y
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_LOCK_TORTURE_TEST is not set
+# CONFIG_WW_MUTEX_SELFTEST is not set
+# CONFIG_STACKTRACE is not set
+# CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_DEBUG_PI_LIST is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_RCU_PERF_TEST is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_RCU_EQS_DEBUG is not set
+# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_PREEMPTIRQ_EVENTS is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_HWLAT_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_HIST_TRIGGERS is not set
+# CONFIG_TRACEPOINT_BENCHMARK is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+CONFIG_RUNTIME_TESTING_MENU=y
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_TEST_SORT is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_RBTREE_TEST is not set
+# CONFIG_INTERVAL_TREE_TEST is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_TEST_HEXDUMP is not set
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_TEST_PRINTF is not set
+# CONFIG_TEST_BITMAP is not set
+# CONFIG_TEST_BITFIELD is not set
+# CONFIG_TEST_UUID is not set
+# CONFIG_TEST_OVERFLOW is not set
+# CONFIG_TEST_RHASHTABLE is not set
+# CONFIG_TEST_HASH is not set
+# CONFIG_TEST_IDA is not set
+# CONFIG_FIND_BIT_BENCHMARK is not set
+# CONFIG_TEST_FIRMWARE is not set
+# CONFIG_TEST_SYSCTL is not set
+# CONFIG_TEST_UDELAY is not set
+# CONFIG_MEMTEST is not set
+# CONFIG_BUG_ON_DATA_CORRUPTION is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
+# CONFIG_UBSAN is not set
+CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_EARLY_PRINTK_USB_XDBC is not set
+# CONFIG_X86_PTDUMP is not set
+# CONFIG_DEBUG_WX is not set
+CONFIG_DOUBLEFAULT=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_ENTRY is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+CONFIG_X86_DEBUG_FPU=y
+# CONFIG_PUNIT_ATOM_DEBUG is not set
+CONFIG_UNWINDER_ORC=y
+# CONFIG_UNWINDER_FRAME_POINTER is not set
diff --git a/testing/config/kvm/alice.xml b/testing/config/kvm/alice.xml
index 0bf1eb596..c8ff289db 100644
--- a/testing/config/kvm/alice.xml
+++ b/testing/config/kvm/alice.xml
@@ -1,13 +1,13 @@
<domain type='kvm'>
<name>alice</name>
<uuid>1f35c25d-6a7b-4ee1-2461-d7e530e7b2a9</uuid>
- <memory unit='KiB'>131072</memory>
- <currentMemory unit='KiB'>131072</currentMemory>
+ <memory unit='KiB'>163840</memory>
+ <currentMemory unit='KiB'>163840</currentMemory>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='x86_64' machine='pc'>hvm</type>
<kernel>/var/run/kvm-swan-kernel</kernel>
- <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+ <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
<boot dev='hd'/>
</os>
<features>
diff --git a/testing/config/kvm/bob.xml b/testing/config/kvm/bob.xml
index f2425b222..0b433a437 100644
--- a/testing/config/kvm/bob.xml
+++ b/testing/config/kvm/bob.xml
@@ -7,7 +7,7 @@
<os>
<type arch='x86_64' machine='pc'>hvm</type>
<kernel>/var/run/kvm-swan-kernel</kernel>
- <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+ <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
<boot dev='hd'/>
</os>
<features>
diff --git a/testing/config/kvm/carol.xml b/testing/config/kvm/carol.xml
index 51a7d8336..3eb163f6c 100644
--- a/testing/config/kvm/carol.xml
+++ b/testing/config/kvm/carol.xml
@@ -7,7 +7,7 @@
<os>
<type arch='x86_64' machine='pc'>hvm</type>
<kernel>/var/run/kvm-swan-kernel</kernel>
- <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+ <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
<boot dev='hd'/>
</os>
<features>
diff --git a/testing/config/kvm/dave.xml b/testing/config/kvm/dave.xml
index 9e26b9629..d8d05a9e9 100644
--- a/testing/config/kvm/dave.xml
+++ b/testing/config/kvm/dave.xml
@@ -7,7 +7,7 @@
<os>
<type arch='x86_64' machine='pc'>hvm</type>
<kernel>/var/run/kvm-swan-kernel</kernel>
- <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+ <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
<boot dev='hd'/>
</os>
<features>
diff --git a/testing/config/kvm/moon.xml b/testing/config/kvm/moon.xml
index 954af7aa1..943ab35b5 100644
--- a/testing/config/kvm/moon.xml
+++ b/testing/config/kvm/moon.xml
@@ -7,7 +7,7 @@
<os>
<type arch='x86_64' machine='pc'>hvm</type>
<kernel>/var/run/kvm-swan-kernel</kernel>
- <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+ <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
<boot dev='hd'/>
</os>
<cpu>
diff --git a/testing/config/kvm/sun.xml b/testing/config/kvm/sun.xml
index c2d26737c..893a4aa37 100644
--- a/testing/config/kvm/sun.xml
+++ b/testing/config/kvm/sun.xml
@@ -7,7 +7,7 @@
<os>
<type arch='x86_64' machine='pc'>hvm</type>
<kernel>/var/run/kvm-swan-kernel</kernel>
- <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+ <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
<boot dev='hd'/>
</os>
<cpu>
diff --git a/testing/config/kvm/venus.xml b/testing/config/kvm/venus.xml
index acc0d361a..a0b60171b 100644
--- a/testing/config/kvm/venus.xml
+++ b/testing/config/kvm/venus.xml
@@ -7,7 +7,7 @@
<os>
<type arch='x86_64' machine='pc'>hvm</type>
<kernel>/var/run/kvm-swan-kernel</kernel>
- <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+ <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
<boot dev='hd'/>
</os>
<features>
diff --git a/testing/config/kvm/winnetou.xml b/testing/config/kvm/winnetou.xml
index b21cb7b08..59d7184f6 100644
--- a/testing/config/kvm/winnetou.xml
+++ b/testing/config/kvm/winnetou.xml
@@ -7,7 +7,7 @@
<os>
<type arch='x86_64' machine='pc'>hvm</type>
<kernel>/var/run/kvm-swan-kernel</kernel>
- <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+ <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
<boot dev='hd'/>
</os>
<features>
diff --git a/testing/do-tests b/testing/do-tests
index 52d0d70eb..fad3af8cd 100755
--- a/testing/do-tests
+++ b/testing/do-tests
@@ -51,11 +51,15 @@ subdir_cnt="0"
##############################################################################
# parse optional arguments
#
-while getopts "v" opt
+while getopts "vt" opt
do
case "$opt" in
v)
verbose=YES
+ timestamps=YES
+ ;;
+ t)
+ timestamps=YES
;;
esac
done
@@ -64,7 +68,7 @@ shift $((OPTIND-1))
function print_time()
{
- [ "$verbose" == "YES" ] && echo "$(date +%T.%N) ~ "
+ [ "$timestamps" == "YES" ] && echo "$(date +%T.%N) ~ "
}
##############################################################################
@@ -689,21 +693,25 @@ do
do
eval HOSTLOGIN=root@\$ipv4_${host}
- for file in clients.conf eap.conf radiusd.conf proxy.conf users
+ RADIUS_DIR=/etc/freeradius/3.0
+ RADIUS_EAP_FILE=mods-enabled/eap
+ RADIUS_EAP_NAME=eap
+ if [ "$BASEIMGSUITE" == "jessie" ]
+ then
+ RADIUS_DIR=/etc/freeradius
+ RADIUS_EAP_FILE=eap.conf
+ RADIUS_EAP_NAME=eap.conf
+ fi
+
+ for file in clients.conf radiusd.conf proxy.conf users sites-enabled/default sites-enabled/inner-tunnel $RADIUS_EAP_FILE
do
- scp $SSHCONF $HOSTLOGIN:/etc/freeradius/$file \
- $TESTRESULTDIR/${host}.$file > /dev/null 2>&1
+ scp $SSHCONF $HOSTLOGIN:$RADIUS_DIR/$file \
+ $TESTRESULTDIR/${host}.$(basename $file) > /dev/null 2>&1
done
- scp $SSHCONF $HOSTLOGIN:/etc/strongswan.conf \
- $TESTRESULTDIR/${host}.strongswan.conf > /dev/null 2>&1
-
scp $SSHCONF $HOSTLOGIN:/var/log/freeradius/radius.log \
$TESTRESULTDIR/${host}.radius.log > /dev/null 2>&1
- ssh $SSHCONF $HOSTLOGIN grep imcv /var/log/daemon.log \
- >> $TESTRESULTDIR/${host}.daemon.log 2>/dev/null
-
chmod a+r $TESTRESULTDIR/*
cat >> $TESTRESULTDIR/index.html <<@EOF
<h3>$host</h3>
@@ -713,14 +721,14 @@ do
<ul>
<li><a href="$host.clients.conf">clients.conf</a></li>
<li><a href="$host.radiusd.conf">radiusd.conf</a></li>
- <li><a href="$host.strongswan.conf">strongswan.conf</a></li>
+ <li><a href="$host.$RADIUS_EAP_NAME">$RADIUS_EAP_NAME</a></li>
</ul>
</td>
<td valign="top">
<ul>
- <li><a href="$host.eap.conf">eap.conf</a></li>
+ <li><a href="$host.default">sites-enabled/default</a></li>
+ <li><a href="$host.inner-tunnel">sites-enabled/inner-tunnel</a></li>
<li><a href="$host.radius.log">radius.log</a></li>
- <li><a href="$host.daemon.log">daemon.log</a></li>
</ul>
</td>
<td valign="top">
diff --git a/testing/hosts/alice/etc/freeradius/3.0/clients.conf b/testing/hosts/alice/etc/freeradius/3.0/clients.conf
new file mode 100644
index 000000000..7fad83c33
--- /dev/null
+++ b/testing/hosts/alice/etc/freeradius/3.0/clients.conf
@@ -0,0 +1,5 @@
+client moon {
+ ipaddr = 10.1.0.1
+ secret = gv6URkSs
+ require_message_authenticator = yes
+}
diff --git a/testing/hosts/alice/etc/freeradius/3.0/radiusd.conf b/testing/hosts/alice/etc/freeradius/3.0/radiusd.conf
new file mode 100644
index 000000000..6139bb90f
--- /dev/null
+++ b/testing/hosts/alice/etc/freeradius/3.0/radiusd.conf
@@ -0,0 +1,99 @@
+# radiusd.conf -- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = /usr
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = /var/log/freeradius
+raddbdir = /etc/freeradius/3.0
+radacctdir = ${logdir}/radacct
+
+# name of the running server. See also the "-n" command-line option.
+name = freeradius
+
+# Location of config and logfiles.
+confdir = ${raddbdir}
+modconfdir = ${confdir}/mods-config
+certdir = ${sysconfdir}/raddb/certs
+cadir = ${sysconfdir}/raddb/certs
+run_dir = ${localstatedir}/run/${name}
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+# pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+# correct_escapes: use correct backslash escaping
+correct_escapes = true
+
+# max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+# cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+# max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+# hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+# Logging section
+log {
+ destination = files
+ colourise = yes
+ file = ${logdir}/radius.log
+ syslog_facility = daemon
+ stripped_names = no
+ auth = yes
+ auth_badpass = yes
+ auth_goodpass = yes
+}
+
+# The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+# SECURITY CONFIGURATION
+security {
+ user = freerad
+ group = freerad
+ allow_core_dumps = no
+ max_attributes = 200
+ reject_delay = 1
+ status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+ auto_limit_acct = no
+}
+
+# MODULE CONFIGURATION
+modules {
+ $INCLUDE ${confdir}/mods-enabled/
+}
+
+# Policies
+policy {
+ $INCLUDE policy.d/
+}
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/hosts/alice/etc/freeradius/dictionary b/testing/hosts/alice/etc/freeradius/dictionary
index 59a874b3e..4c2c7ebb4 100644
--- a/testing/hosts/alice/etc/freeradius/dictionary
+++ b/testing/hosts/alice/etc/freeradius/dictionary
@@ -11,7 +11,7 @@
#
# The filename given here should be an absolute path.
#
-$INCLUDE /usr/local/share/freeradius/dictionary
+$INCLUDE /usr/share/freeradius/dictionary
#
# Place additional attributes or $INCLUDEs here. They will
diff --git a/testing/hosts/alice/etc/freeradius/radiusd.conf b/testing/hosts/alice/etc/freeradius/radiusd.conf
index e4f721738..bcdc369d2 100644
--- a/testing/hosts/alice/etc/freeradius/radiusd.conf
+++ b/testing/hosts/alice/etc/freeradius/radiusd.conf
@@ -101,8 +101,6 @@ thread pool {
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
- $INCLUDE sql.conf
- $INCLUDE sql/mysql/counter.conf
}
# Instantiation
diff --git a/testing/hosts/default/etc/ssh/sshd_config b/testing/hosts/default/etc/ssh/sshd_config
index 46b1f0231..cc6f43541 100644
--- a/testing/hosts/default/etc/ssh/sshd_config
+++ b/testing/hosts/default/etc/ssh/sshd_config
@@ -1,7 +1,7 @@
Port 22
Protocol 2
+Ciphers aes128-gcm@openssh.com
HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation no
PermitRootLogin yes
diff --git a/testing/hosts/default/usr/local/bin/init_collector b/testing/hosts/default/usr/local/bin/init_collector
index c522de874..df1462862 100755
--- a/testing/hosts/default/usr/local/bin/init_collector
+++ b/testing/hosts/default/usr/local/bin/init_collector
@@ -1,4 +1,6 @@
#! /bin/sh
cat /usr/local/share/strongswan/templates/database/sw-collector/sw_collector_tables.sql | sqlite3 /etc/db.d/collector.db
+sed -i "s:DEBIAN_VERSION:`cat /etc/debian_version`:" /etc/pts/collector.sql
+cat /etc/pts/collector.sql | sqlite3 /etc/db.d/collector.db
LEAK_DETECTIVE_DISABLE=1 /usr/local/sbin/sw-collector
diff --git a/testing/hosts/venus/etc/default/isc-dhcp-server b/testing/hosts/venus/etc/default/isc-dhcp-server
new file mode 100644
index 000000000..57a5c81f9
--- /dev/null
+++ b/testing/hosts/venus/etc/default/isc-dhcp-server
@@ -0,0 +1,3 @@
+# explicitly set an interface to avoid having to configure and run DHCPv6
+INTERFACESv4="eth0"
+INTERFACESv6=""
diff --git a/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf b/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf
index 68438a656..e362e138c 100644
--- a/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf
+++ b/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf
@@ -2,3 +2,4 @@ AddType text/plain .conf .log .sql .users
AddType text/plain .secrets .listall .statusall
AddType text/plain .conns .certs .sas .pools .authorities .stats
AddType text/plain .policy .state .route .iptables .iptables-save
+AddType text/plain .eap .default .inner-tunnel
diff --git a/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text b/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text
deleted file mode 100644
index 68438a656..000000000
--- a/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text
+++ /dev/null
@@ -1,4 +0,0 @@
-AddType text/plain .conf .log .sql .users
-AddType text/plain .secrets .listall .statusall
-AddType text/plain .conns .certs .sas .pools .authorities .stats
-AddType text/plain .policy .state .route .iptables .iptables-save
diff --git a/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf b/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf
index 0772c34ea..fb9e98424 100644
--- a/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf
+++ b/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf
@@ -12,13 +12,7 @@ AddHandler cgi-script .cgi
DirectoryIndex ocsp.cgi
<Directory "/etc/openssl/ocsp">
Options +ExecCGI
- <IfModule mod_authz_core.c>
- Require all granted
- </IfModule>
- <IfModule !mod_authz_core.c>
- Order deny,allow
- Allow from all
- </IfModule>
+ Require all granted
</Directory>
ErrorLog /var/log/apache2/ocsp/error_log
CustomLog /var/log/apache2/ocsp/access_log combined
@@ -34,13 +28,7 @@ Listen 8881
DirectoryIndex ocsp.cgi
<Directory "/etc/openssl/research/ocsp">
Options +ExecCGI
- <IfModule mod_authz_core.c>
- Require all granted
- </IfModule>
- <IfModule !mod_authz_core.c>
- Order deny,allow
- Allow from all
- </IfModule>
+ Require all granted
</Directory>
ErrorLog /var/log/apache2/ocsp/error_log
CustomLog /var/log/apache2/ocsp/access_log combined
@@ -56,13 +44,7 @@ Listen 8882
DirectoryIndex ocsp.cgi
<Directory "/etc/openssl/sales/ocsp">
Options +ExecCGI
- <IfModule mod_authz_core.c>
- Require all granted
- </IfModule>
- <IfModule !mod_authz_core.c>
- Order deny,allow
- Allow from all
- </IfModule>
+ Require all granted
</Directory>
ErrorLog /var/log/apache2/ocsp/error_log
CustomLog /var/log/apache2/ocsp/access_log combined
diff --git a/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf b/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf
index 260171cfd..b610836fc 100644
--- a/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf - OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#
+# openssl.cnf - OpenSSL configuration file
+#
# This definitions were set by the ca_init script DO NOT change
# them manually.
CAHOME = /etc/openssl/duck
RANDFILE = $CAHOME/.rand
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-
-[ new_oids ]
-SmartcardLogin = 1.3.6.1.4.1.311.20.2
-ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
-
####################################################################
[ ca ]
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section
####################################################################
-[ root_ca ]
+[ root_ca ]
dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
@@ -82,7 +74,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert
# req_extensions = v3_req # The extensions to add to a certificate request
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
@@ -117,7 +109,7 @@ organizationName_default = Linux strongSwan
#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff
-#userId = UID
+#userId = UID
commonName = Common Name (eg, YOUR name)
commonName_default = $ENV::COMMON_NAME
@@ -154,7 +146,7 @@ basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = email:$ENV::COMMON_NAME
+subjectAltName = email:$ENV::COMMON_NAME
####################################################################
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf b/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf
index d31752e30..ddd94d061 100644
--- a/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf - OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#
+# openssl.cnf - OpenSSL configuration file
+#
# This definitions were set by the ca_init script DO NOT change
# them manually.
-CAHOME = /etc/openssl/ecdsa
+CAHOME = /etc/openssl/ecdsa
RANDFILE = $CAHOME/.rand
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-
-[ new_oids ]
-SmartcardLogin = 1.3.6.1.4.1.311.20.2
-ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
-
####################################################################
[ ca ]
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section
####################################################################
-[ root_ca ]
+[ root_ca ]
dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
@@ -83,7 +75,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert
# req_extensions = v3_req # The extensions to add to a certificate request
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
@@ -118,7 +110,7 @@ organizationName_default = Linux strongSwan
#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff
-#userId = UID
+#userId = UID
commonName = Common Name (eg, YOUR name)
commonName_default = $ENV::COMMON_NAME
@@ -156,7 +148,7 @@ basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = email:$ENV::COMMON_NAME
+subjectAltName = email:$ENV::COMMON_NAME
#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_ec.crl
diff --git a/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf b/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf
index 5985b5650..170daba56 100644
--- a/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf - OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#
+# openssl.cnf - OpenSSL configuration file
+#
# This definitions were set by the ca_init script DO NOT change
# them manually.
CAHOME = /etc/openssl/monster
RANDFILE = $CAHOME/.rand
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-
-[ new_oids ]
-SmartcardLogin = 1.3.6.1.4.1.311.20.2
-ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
-
####################################################################
[ ca ]
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section
####################################################################
-[ root_ca ]
+[ root_ca ]
dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
@@ -83,7 +75,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert
# req_extensions = v3_req # The extensions to add to a certificate request
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
@@ -118,7 +110,7 @@ organizationName_default = Linux strongSwan
#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff
-#userId = UID
+#userId = UID
commonName = Common Name (eg, YOUR name)
commonName_default = $ENV::COMMON_NAME
@@ -156,7 +148,7 @@ basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = email:$ENV::COMMON_NAME
+subjectAltName = email:$ENV::COMMON_NAME
#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan-monster.crl
diff --git a/testing/hosts/winnetou/etc/openssl/openssl.cnf b/testing/hosts/winnetou/etc/openssl/openssl.cnf
index 9078b2043..b1ef68a11 100644
--- a/testing/hosts/winnetou/etc/openssl/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf - OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#
+# openssl.cnf - OpenSSL configuration file
+#
# This definitions were set by the ca_init script DO NOT change
# them manually.
-CAHOME = /etc/openssl
+CAHOME = /etc/openssl
RANDFILE = $CAHOME/.rand
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-
-[ new_oids ]
-SmartcardLogin = 1.3.6.1.4.1.311.20.2
-ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
-
####################################################################
[ ca ]
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section
####################################################################
-[ root_ca ]
+[ root_ca ]
dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
@@ -83,7 +75,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert
# req_extensions = v3_req # The extensions to add to a certificate request
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
@@ -118,7 +110,7 @@ organizationName_default = Linux strongSwan
#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff
-#userId = UID
+#userId = UID
commonName = Common Name (eg, YOUR name)
commonName_default = $ENV::COMMON_NAME
@@ -157,7 +149,7 @@ basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = email:$ENV::COMMON_NAME
+subjectAltName = email:$ENV::COMMON_NAME
#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan.crl
diff --git a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
index 7099413f0..f5ae64e36 100644
--- a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf - OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#
+# openssl.cnf - OpenSSL configuration file
+#
# This definitions were set by the ca_init script DO NOT change
# them manually.
CAHOME = /etc/openssl/research
RANDFILE = $CAHOME/.rand
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-
-[ new_oids ]
-SmartcardLogin = 1.3.6.1.4.1.311.20.2
-ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
-
####################################################################
[ ca ]
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section
####################################################################
-[ root_ca ]
+[ root_ca ]
dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
@@ -82,7 +74,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert
# req_extensions = v3_req # The extensions to add to a certificate request
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
@@ -117,7 +109,7 @@ organizationName_default = Linux strongSwan
#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff
-#userId = UID
+#userId = UID
commonName = Common Name (eg, YOUR name)
commonName_default = $ENV::COMMON_NAME
@@ -155,7 +147,7 @@ basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = email:$ENV::COMMON_NAME
+subjectAltName = email:$ENV::COMMON_NAME
crlDistributionPoints = URI:http://crl.strongswan.org/research.crl
####################################################################
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
index 12da734aa..11ff172ac 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf - OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#
+# openssl.cnf - OpenSSL configuration file
+#
# This definitions were set by the ca_init script DO NOT change
# them manually.
-CAHOME = /etc/openssl/rfc3779
+CAHOME = /etc/openssl/rfc3779
RANDFILE = $CAHOME/.rand
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-
-[ new_oids ]
-SmartcardLogin = 1.3.6.1.4.1.311.20.2
-ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
-
####################################################################
[ ca ]
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section
####################################################################
-[ root_ca ]
+[ root_ca ]
dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
@@ -83,7 +75,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert
# req_extensions = v3_req # The extensions to add to a certificate request
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
@@ -113,12 +105,12 @@ organizationName = Organization Name (eg, company)
organizationName_default = Linux strongSwan
0.organizationalUnitName = Organizational Unit Name (eg, section)
-0.organizationalUnitName_default = RFC3779
+0.organizationalUnitName_default = RFC3779
#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff
-#userId = UID
+#userId = UID
commonName = Common Name (eg, YOUR name)
commonName_default = $ENV::COMMON_NAME
@@ -173,7 +165,7 @@ basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = email:$ENV::COMMON_NAME
+subjectAltName = email:$ENV::COMMON_NAME
#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_rfc3779.crl
diff --git a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
index f3ec7e168..f1d080c0b 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf - OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#
+# openssl.cnf - OpenSSL configuration file
+#
# This definitions were set by the ca_init script DO NOT change
# them manually.
-CAHOME = /etc/openssl/sales
+CAHOME = /etc/openssl/sales
RANDFILE = $CAHOME/.rand
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-
-[ new_oids ]
-SmartcardLogin = 1.3.6.1.4.1.311.20.2
-ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
-
####################################################################
[ ca ]
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section
####################################################################
-[ root_ca ]
+[ root_ca ]
dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
@@ -82,7 +74,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert
# req_extensions = v3_req # The extensions to add to a certificate request
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
@@ -117,7 +109,7 @@ organizationName_default = Linux strongSwan
#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff
-#userId = UID
+#userId = UID
commonName = Common Name (eg, YOUR name)
commonName_default = $ENV::COMMON_NAME
@@ -155,7 +147,7 @@ basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = email:$ENV::COMMON_NAME
+subjectAltName = email:$ENV::COMMON_NAME
crlDistributionPoints = URI:http://crl.strongswan.org/sales.crl
#authorityInfoAccess = OCSP;URI:http://ocsp2.strongswan.org:8882
diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage
index 95453d620..7c30758bf 100755
--- a/testing/scripts/build-baseimage
+++ b/testing/scripts/build-baseimage
@@ -12,29 +12,34 @@ running_any $STRONGSWANHOSTS && die "Please stop test environment before running
check_commands debootstrap mkfs.ext3 partprobe qemu-img qemu-nbd sfdisk
# package includes/excludes
-INC=automake,autoconf,libtool,bison,flex,gperf,pkg-config,gettext,less
+INC=automake,autoconf,libtool,bison,flex,gperf,pkg-config,gettext,less,locales
INC=$INC,build-essential,libgmp-dev,libldap2-dev,libcurl4-openssl-dev,ethtool
INC=$INC,libxml2-dev,libtspi-dev,libsqlite3-dev,openssh-server,tcpdump,psmisc
INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libltdl-dev,liblog4cxx10-dev
-INC=$INC,libboost-thread-dev,libboost-system-dev,git-core,iperf,htop,screen
+INC=$INC,libboost-thread-dev,libboost-system-dev,git-core,iperf,htop
INC=$INC,gnat,gprbuild,acpid,acpi-support-base,libldns-dev,libunbound-dev
INC=$INC,dnsutils,libsoup2.4-dev,ca-certificates,unzip,libsystemd-dev
INC=$INC,python,python-setuptools,python-dev,python-pip,apt-transport-https
-INC=$INC,libjson0-dev,libxslt1-dev,libapache2-mod-wsgi,iptables-dev
+INC=$INC,libjson-c-dev,libxslt1-dev,libapache2-mod-wsgi,iptables-dev
+INC=$INC,libxerces-c-dev,libgcrypt20-dev,traceroute
case "$BASEIMGSUITE" in
-wheezy)
- INC=$INC,libxerces-c2-dev,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev
- INC=$INC,libalog0.4.1-base-dev
- ;;
jessie)
- INC=$INC,libxerces-c-dev,libahven4-dev,libxmlada5-dev,libgmpada5-dev
- INC=$INC,libalog1-dev,libgcrypt20-dev
+ INC=$INC,libahven4-dev,libxmlada5-dev,libgmpada5-dev
+ INC=$INC,libalog1-dev
+ ;;
+stretch)
+ INC=$INC,libahven5-dev,libxmlada-schema6-dev,libgmpada6-dev
+ INC=$INC,libalog2-dev
;;
*)
echo_warn "Package list for '$BASEIMGSUITE' might has to be updated"
esac
-SERVICES="apache2 dbus isc-dhcp-server slapd bind9"
+SERVICES="apache2 dbus isc-dhcp-server slapd bind9 freeradius"
INC=$INC,${SERVICES// /,}
+# packages to install via APT, for SWIMA tests
+APT="tmux"
+# additional services to disable
+SERVICES="$SERVICES systemd-timesyncd.service"
CACHEDIR=$BUILDDIR/cache
APTCACHE=$LOOPDIR/var/cache/apt/archives
@@ -86,6 +91,13 @@ execute "debootstrap --arch=$BASEIMGARCH --include=$INC $BASEIMGSUITE $LOOPDIR $
execute "mount -t proc none $LOOPDIR/proc" 0
do_on_exit graceful_umount $LOOPDIR/proc
+log_action "Generating locales"
+cat > $LOOPDIR/etc/locale.gen << EOF
+de_CH.UTF-8 UTF-8
+en_US.UTF-8 UTF-8
+EOF
+execute_chroot "locale-gen"
+
log_action "Downloading signing key for custom apt repo"
execute_chroot "wget -q $BASEIMGEXTKEY -O /tmp/key"
log_action "Installing signing key for custom apt repo"
@@ -107,18 +119,15 @@ log_status $?
log_action "Update package sources"
execute_chroot "apt-get update"
+log_action "Install packages via APT"
+execute_chroot "apt-get -y install $APT"
log_action "Install packages from custom repo"
execute_chroot "apt-get -y upgrade"
for service in $SERVICES
do
log_action "Disabling service $service"
- if [ "$BASEIMGSUITE" == "wheezy" ]
- then
- execute_chroot "update-rc.d -f $service remove"
- else
- execute_chroot "systemctl disable $service"
- fi
+ execute_chroot "systemctl disable $service"
done
log_action "Disabling root password"
diff --git a/testing/scripts/build-guestimages b/testing/scripts/build-guestimages
index 7dd7188c2..5116d095e 100755
--- a/testing/scripts/build-guestimages
+++ b/testing/scripts/build-guestimages
@@ -76,12 +76,7 @@ do
for service in "apache2 slapd bind9"
do
- if [ "$BASEIMGSUITE" == "wheezy" ]
- then
- execute_chroot "update-rc.d $service defaults" 0
- else
- execute_chroot "systemctl enable $service" 0
- fi
+ execute_chroot "systemctl enable $service" 0
done
fi
sync
diff --git a/testing/scripts/build-rootimage b/testing/scripts/build-rootimage
index a84104a90..c6c41ada3 100755
--- a/testing/scripts/build-rootimage
+++ b/testing/scripts/build-rootimage
@@ -55,8 +55,11 @@ do_on_exit umount $LOOPDIR/root/shared
echo "Installing software from source"
RECPDIR=$DIR/recipes
+if [ -d "$RECPDIR/patches" ]
+then
+ execute "cp -r $RECPDIR/patches $LOOPDIR/root/shared/compile" 0
+fi
RECIPES=`ls $RECPDIR/*.mk | xargs -n1 basename`
-execute "cp -r $RECPDIR/patches $LOOPDIR/root/shared/compile" 0
for r in $RECIPES
do
cp $RECPDIR/$r ${LOOPDIR}/root/shared/compile
diff --git a/testing/scripts/recipes/001_libtnc.mk b/testing/scripts/recipes/001_libtnc.mk
deleted file mode 100644
index b835958b7..000000000
--- a/testing/scripts/recipes/001_libtnc.mk
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/make
-
-PV = 1.25
-PKG = libtnc-$(PV)
-TAR = $(PKG).tar.gz
-SRC = http://downloads.sourceforge.net/project/libtnc/libtnc/$(PV)/$(TAR)
-
-NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
-
-CONFIG_OPTS = \
- --sysconfdir=/etc
-
-all: install
-
-$(TAR):
- wget $(SRC)
-
-.$(PKG)-unpacked: $(TAR)
- tar xfz $(TAR)
- @touch $@
-
-.$(PKG)-configured: .$(PKG)-unpacked
- cd $(PKG) && ./configure $(CONFIG_OPTS)
- @touch $@
-
-.$(PKG)-built: .$(PKG)-configured
- cd $(PKG) && make -j $(NUM_CPUS)
- @touch $@
-
-install: .$(PKG)-built
- cd $(PKG) && make install
diff --git a/testing/scripts/recipes/002_tnc-fhh.mk b/testing/scripts/recipes/002_tnc-fhh.mk
deleted file mode 100644
index d4ed4f99c..000000000
--- a/testing/scripts/recipes/002_tnc-fhh.mk
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/usr/bin/make
-
-PKG = fhhtnc
-SRC = git://github.com/trustatfhh/tnc-fhh.git
-
-NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
-
-CONFIG_OPTS = \
- -DCOMPONENT=all \
- -DNAL=8021x
-
-PATCHES = \
- tnc-fhh-tncsim
-
-all: install
-
-.$(PKG)-cloned:
- git clone $(SRC) $(PKG)
- mkdir $(PKG)/build
- @touch $@
-
-.$(PKG)-patches-applied: .$(PKG)-cloned
- cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
- @touch $@
-
-.$(PKG)-configured: .$(PKG)-patches-applied
- cd $(PKG)/build && cmake $(CONFIG_OPTS) ../
- @touch $@
-
-.$(PKG)-built: .$(PKG)-configured
- cd $(PKG)/build && make -j $(NUM_CPUS)
- @touch $@
-
-install: .$(PKG)-built
- cd $(PKG)/build && make install
diff --git a/testing/scripts/recipes/003_freeradius.mk b/testing/scripts/recipes/003_freeradius.mk
deleted file mode 100644
index 71cfc238c..000000000
--- a/testing/scripts/recipes/003_freeradius.mk
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/usr/bin/make
-
-PV = 2.2.8
-PKG = freeradius-server-$(PV)
-TAR = $(PKG).tar.bz2
-SRC = ftp://ftp.freeradius.org/pub/freeradius/old/$(TAR)
-
-NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
-
-CONFIG_OPTS = \
- --with-raddbdir=/etc/freeradius \
- --sysconfdir=/etc \
- --with-logdir=/var/log/freeradius \
- --enable-developer \
- --with-experimental-modules
-
-PATCHES = \
- freeradius-eap-sim-identity \
- freeradius-tnc-fhh
-
-all: install
-
-$(TAR):
- wget $(SRC)
-
-.$(PKG)-unpacked: $(TAR)
- tar xfj $(TAR)
- @touch $@
-
-.$(PKG)-patches-applied: .$(PKG)-unpacked
- cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
- @touch $@
-
-.$(PKG)-configured: .$(PKG)-patches-applied
- cd $(PKG) && ./configure $(CONFIG_OPTS)
- @touch $@
-
-.$(PKG)-built: .$(PKG)-configured
- cd $(PKG) && make -j $(NUM_CPUS)
- @touch $@
-
-install: .$(PKG)-built
- cd $(PKG) && make install
diff --git a/testing/scripts/recipes/004_hostapd.mk b/testing/scripts/recipes/004_hostapd.mk
deleted file mode 100644
index 0acd428c9..000000000
--- a/testing/scripts/recipes/004_hostapd.mk
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/usr/bin/make
-
-PV = 2.0
-PKG = hostapd-$(PV)
-TAR = $(PKG).tar.gz
-SRC = http://w1.fi/releases/$(TAR)
-
-NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
-
-CONFIG_OPTS =
-
-PATCHES = \
- hostapd-config
-
-SUBDIR = hostapd
-
-all: install
-
-$(TAR):
- wget $(SRC)
-
-.$(PKG)-unpacked: $(TAR)
- tar xfz $(TAR)
- @touch $@
-
-.$(PKG)-patches-applied: .$(PKG)-unpacked
- cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
- @touch $@
-
-.$(PKG)-configured: .$(PKG)-patches-applied
- cp $(PKG)/$(SUBDIR)/defconfig $(PKG)/$(SUBDIR)/.config
- @touch $@
-
-.$(PKG)-built: .$(PKG)-configured
- cd $(PKG)/$(SUBDIR) && make -j $(NUM_CPUS)
- @touch $@
-
-install: .$(PKG)-built
- cd $(PKG)/$(SUBDIR) && make install
diff --git a/testing/scripts/recipes/004_wpa_supplicant.mk b/testing/scripts/recipes/004_wpa_supplicant.mk
deleted file mode 100644
index 4cc870c12..000000000
--- a/testing/scripts/recipes/004_wpa_supplicant.mk
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/usr/bin/make
-
-PV = 2.0
-PKG = wpa_supplicant-$(PV)
-TAR = $(PKG).tar.gz
-SRC = http://w1.fi/releases/$(TAR)
-
-NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
-
-CONFIG_OPTS =
-
-PATCHES = \
- wpa_supplicant-eap-tnc
-
-SUBDIR = wpa_supplicant
-
-all: install
-
-$(TAR):
- wget $(SRC)
-
-.$(PKG)-unpacked: $(TAR)
- tar xfz $(TAR)
- @touch $@
-
-.$(PKG)-patches-applied: .$(PKG)-unpacked
- cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
- @touch $@
-
-.$(PKG)-configured: .$(PKG)-patches-applied
- cp $(PKG)/$(SUBDIR)/defconfig $(PKG)/$(SUBDIR)/.config
- @touch $@
-
-.$(PKG)-built: .$(PKG)-configured
- cd $(PKG)/$(SUBDIR) && make -j $(NUM_CPUS)
- @touch $@
-
-install: .$(PKG)-built
- cd $(PKG)/$(SUBDIR) && make install
diff --git a/testing/scripts/recipes/005_anet.mk b/testing/scripts/recipes/005_anet.mk
index a6af5df5c..b311c0a99 100644
--- a/testing/scripts/recipes/005_anet.mk
+++ b/testing/scripts/recipes/005_anet.mk
@@ -8,14 +8,15 @@ PREFIX = /usr/local/ada
all: install
-$(PKG):
- git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+ [ -d $(PKG) ] || git clone $(SRC) $(PKG)
+ @touch $@
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
cd $(PKG) && git fetch && git checkout $(REV)
@touch $@
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
cd $(PKG) && make LIBRARY_KIND=static
@touch $@
diff --git a/testing/scripts/recipes/006_tkm-rpc.mk b/testing/scripts/recipes/006_tkm-rpc.mk
index 5f2e207c8..ed2a62396 100644
--- a/testing/scripts/recipes/006_tkm-rpc.mk
+++ b/testing/scripts/recipes/006_tkm-rpc.mk
@@ -10,14 +10,15 @@ export ADA_PROJECT_PATH=$(PREFIX)/lib/gnat
all: install
-$(PKG):
- git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+ [ -d $(PKG) ] || git clone $(SRC) $(PKG)
+ @touch $@
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
cd $(PKG) && git fetch && git checkout $(REV)
@touch $@
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
cd $(PKG) && make
@touch $@
diff --git a/testing/scripts/recipes/007_x509-ada.mk b/testing/scripts/recipes/007_x509-ada.mk
index 7899f6dec..57a106dea 100644
--- a/testing/scripts/recipes/007_x509-ada.mk
+++ b/testing/scripts/recipes/007_x509-ada.mk
@@ -8,14 +8,15 @@ PREFIX = /usr/local/ada
all: install
-$(PKG):
- git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+ [ -d $(PKG) ] || git clone $(SRC) $(PKG)
+ @touch $@
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
cd $(PKG) && git fetch && git checkout $(REV)
@touch $@
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
cd $(PKG) && make tests && make
@touch $@
diff --git a/testing/scripts/recipes/008_xfrm-ada.mk b/testing/scripts/recipes/008_xfrm-ada.mk
index ad1cbb2bc..64ada0e45 100644
--- a/testing/scripts/recipes/008_xfrm-ada.mk
+++ b/testing/scripts/recipes/008_xfrm-ada.mk
@@ -10,14 +10,15 @@ export ADA_PROJECT_PATH=$(PREFIX)/lib/gnat
all: install
-$(PKG):
- git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+ [ -d $(PKG) ] || git clone $(SRC) $(PKG)
+ @touch $@
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
cd $(PKG) && git fetch && git checkout $(REV)
@touch $@
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
cd $(PKG) && make
@touch $@
diff --git a/testing/scripts/recipes/009_xfrm-proxy.mk b/testing/scripts/recipes/009_xfrm-proxy.mk
index a7c9d31cc..bdf5b1211 100644
--- a/testing/scripts/recipes/009_xfrm-proxy.mk
+++ b/testing/scripts/recipes/009_xfrm-proxy.mk
@@ -8,14 +8,15 @@ export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
all: install
-$(PKG):
- git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+ [ -d $(PKG) ] || git clone $(SRC) $(PKG)
+ @touch $@
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
cd $(PKG) && git fetch && git checkout $(REV)
@touch $@
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
cd $(PKG) && make
@touch $@
diff --git a/testing/scripts/recipes/010_tkm.mk b/testing/scripts/recipes/010_tkm.mk
index 03ee5b526..2651660db 100644
--- a/testing/scripts/recipes/010_tkm.mk
+++ b/testing/scripts/recipes/010_tkm.mk
@@ -8,14 +8,15 @@ export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
all: install
-$(PKG):
- git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+ [ -d $(PKG) ] || git clone $(SRC) $(PKG)
+ @touch $@
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
cd $(PKG) && git fetch && git checkout $(REV)
@touch $@
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
cd $(PKG) && make
@touch $@
diff --git a/testing/scripts/recipes/011_botan.mk b/testing/scripts/recipes/011_botan.mk
index ef0f6d066..215e92365 100644
--- a/testing/scripts/recipes/011_botan.mk
+++ b/testing/scripts/recipes/011_botan.mk
@@ -2,8 +2,7 @@
PKG = botan
SRC = https://github.com/randombit/$(PKG).git
-# will have to be changed to the 2.8.0 tag later
-REV = 1872f899716854927ecc68022fac318735be8824
+REV = 2.8.0
NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
@@ -15,14 +14,15 @@ CONFIG_OPTS = \
all: install
-$(PKG):
- git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+ [ -d $(PKG) ] || git clone $(SRC) $(PKG)
+ @touch $@
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
cd $(PKG) && git fetch && git checkout $(REV)
@touch $@
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
cd $(PKG) && python ./configure.py $(CONFIG_OPTS) && make -j $(NUM_CPUS)
@touch $@
diff --git a/testing/scripts/recipes/patches/freeradius-eap-sim-identity b/testing/scripts/recipes/patches/freeradius-eap-sim-identity
deleted file mode 100644
index 1ab95ecc6..000000000
--- a/testing/scripts/recipes/patches/freeradius-eap-sim-identity
+++ /dev/null
@@ -1,30 +0,0 @@
---- a/src/modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.c 2012-11-28 11:03:05.081225276 +0100
-+++ b/src/modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.c 2012-11-28 11:46:59.746289881 +0100
-@@ -246,14 +246,21 @@
- newvp->vp_integer = ess->sim_id++;
- pairreplace(outvps, newvp);
-
-+ ess->keys.identitylen = strlen(handler->identity);
-+ memcpy(ess->keys.identity, handler->identity, ess->keys.identitylen);
-+
- /* make a copy of the identity */
- newvp = pairfind(*invps, ATTRIBUTE_EAP_SIM_BASE + PW_EAP_SIM_IDENTITY);
-- if (newvp) {
-- ess->keys.identitylen = newvp->length;
-- memcpy(ess->keys.identity, newvp->vp_octets, newvp->length);
-- } else {
-- ess->keys.identitylen = strlen(handler->identity);
-- memcpy(ess->keys.identity, handler->identity, ess->keys.identitylen);
-+ if (newvp && newvp->length > 2) {
-+ uint16_t len;
-+
-+ memcpy(&len, newvp->vp_octets, sizeof(uint16_t));
-+ len = ntohs(len);
-+ if (len <= newvp->length - 2 && len <= MAX_STRING_LEN) {
-+ ess->keys.identitylen = len;
-+ memcpy(ess->keys.identity, newvp->vp_octets + 2,
-+ ess->keys.identitylen);
-+ }
- }
-
- /* all set, calculate keys! */
diff --git a/testing/scripts/recipes/patches/freeradius-tnc-fhh b/testing/scripts/recipes/patches/freeradius-tnc-fhh
deleted file mode 100644
index 26a233d48..000000000
--- a/testing/scripts/recipes/patches/freeradius-tnc-fhh
+++ /dev/null
@@ -1,6687 +0,0 @@
-diff -u -r -N freeradius-server-2.2.0.orig/share/dictionary freeradius-server-2.2.0/share/dictionary
---- freeradius-server-2.2.0.orig/share/dictionary 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/share/dictionary 2012-12-04 19:39:42.261423097 +0100
-@@ -196,6 +196,7 @@
- $INCLUDE dictionary.starent
- $INCLUDE dictionary.symbol
- $INCLUDE dictionary.telebit
-+$INCLUDE dictionary.tncfhh
- $INCLUDE dictionary.terena
- $INCLUDE dictionary.trapeze
- $INCLUDE dictionary.tropos
-diff -u -r -N freeradius-server-2.2.0.orig/share/dictionary.tncfhh freeradius-server-2.2.0/share/dictionary.tncfhh
---- freeradius-server-2.2.0.orig/share/dictionary.tncfhh 1970-01-01 01:00:00.000000000 +0100
-+++ freeradius-server-2.2.0/share/dictionary.tncfhh 2012-12-04 19:39:49.645421869 +0100
-@@ -0,0 +1,20 @@
-+# -*- text -*-
-+# Dictionary for the tnc@fhh Server.
-+#
-+# Website: http://trust.inform.fh-hannover.de
-+#
-+# Version: 0.8.4
-+# Author: Bastian Hellmann
-+# Email: trust@f4-i.fh-hannover.de
-+#
-+
-+VENDOR tncfhh 10000
-+BEGIN-VENDOR tncfhh
-+
-+ATTRIBUTE TNC-Status 1 integer
-+
-+VALUE TNC-Status Access 0
-+VALUE TNC-Status Isolate 1
-+VALUE TNC-Status None 2
-+
-+END-VENDOR tncfhh
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure 2012-12-04 19:38:00.237420970 +0100
-@@ -1,61 +1,84 @@
- #! /bin/sh
- # From configure.in Revision.
- # Guess values for system-dependent variables and create Makefiles.
--# Generated by GNU Autoconf 2.61.
-+# Generated by GNU Autoconf 2.67.
-+#
- #
- # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
--# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
-+# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
-+# Foundation, Inc.
-+#
-+#
- # This configure script is free software; the Free Software Foundation
- # gives unlimited permission to copy, distribute and modify it.
--## --------------------- ##
--## M4sh Initialization. ##
--## --------------------- ##
-+## -------------------- ##
-+## M4sh Initialization. ##
-+## -------------------- ##
-
- # Be more Bourne compatible
- DUALCASE=1; export DUALCASE # for MKS sh
--if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
- emulate sh
- NULLCMD=:
-- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-+ # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
- # is contrary to our usage. Disable this feature.
- alias -g '${1+"$@"}'='"$@"'
- setopt NO_GLOB_SUBST
- else
-- case `(set -o) 2>/dev/null` in
-- *posix*) set -o posix ;;
-+ case `(set -o) 2>/dev/null` in #(
-+ *posix*) :
-+ set -o posix ;; #(
-+ *) :
-+ ;;
- esac
--
- fi
-
-
--
--
--# PATH needs CR
--# Avoid depending upon Character Ranges.
--as_cr_letters='abcdefghijklmnopqrstuvwxyz'
--as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
--as_cr_Letters=$as_cr_letters$as_cr_LETTERS
--as_cr_digits='0123456789'
--as_cr_alnum=$as_cr_Letters$as_cr_digits
--
--# The user is always right.
--if test "${PATH_SEPARATOR+set}" != set; then
-- echo "#! /bin/sh" >conf$$.sh
-- echo "exit 0" >>conf$$.sh
-- chmod +x conf$$.sh
-- if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
-- PATH_SEPARATOR=';'
-+as_nl='
-+'
-+export as_nl
-+# Printing a long string crashes Solaris 7 /usr/bin/printf.
-+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
-+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
-+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
-+# Prefer a ksh shell builtin over an external printf program on Solaris,
-+# but without wasting forks for bash or zsh.
-+if test -z "$BASH_VERSION$ZSH_VERSION" \
-+ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
-+ as_echo='print -r --'
-+ as_echo_n='print -rn --'
-+elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
-+ as_echo='printf %s\n'
-+ as_echo_n='printf %s'
-+else
-+ if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
-+ as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
-+ as_echo_n='/usr/ucb/echo -n'
- else
-- PATH_SEPARATOR=:
-+ as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
-+ as_echo_n_body='eval
-+ arg=$1;
-+ case $arg in #(
-+ *"$as_nl"*)
-+ expr "X$arg" : "X\\(.*\\)$as_nl";
-+ arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
-+ esac;
-+ expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
-+ '
-+ export as_echo_n_body
-+ as_echo_n='sh -c $as_echo_n_body as_echo'
- fi
-- rm -f conf$$.sh
-+ export as_echo_body
-+ as_echo='sh -c $as_echo_body as_echo'
- fi
-
--# Support unset when possible.
--if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
-- as_unset=unset
--else
-- as_unset=false
-+# The user is always right.
-+if test "${PATH_SEPARATOR+set}" != set; then
-+ PATH_SEPARATOR=:
-+ (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
-+ (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
-+ PATH_SEPARATOR=';'
-+ }
- fi
-
-
-@@ -64,20 +87,18 @@
- # there to prevent editors from complaining about space-tab.
- # (If _AS_PATH_WALK were called with IFS unset, it would disable word
- # splitting by setting IFS to empty value.)
--as_nl='
--'
- IFS=" "" $as_nl"
-
- # Find who we are. Look in the path if we contain no directory separator.
--case $0 in
-+case $0 in #((
- *[\\/]* ) as_myself=$0 ;;
- *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
- for as_dir in $PATH
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
--done
-+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-+ done
- IFS=$as_save_IFS
-
- ;;
-@@ -88,354 +109,321 @@
- as_myself=$0
- fi
- if test ! -f "$as_myself"; then
-- echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
-- { (exit 1); exit 1; }
-+ $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
-+ exit 1
- fi
-
--# Work around bugs in pre-3.0 UWIN ksh.
--for as_var in ENV MAIL MAILPATH
--do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-+# Unset variables that we do not need and which cause bugs (e.g. in
-+# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1"
-+# suppresses any "Segmentation fault" message there. '((' could
-+# trigger a bug in pdksh 5.2.14.
-+for as_var in BASH_ENV ENV MAIL MAILPATH
-+do eval test x\${$as_var+set} = xset \
-+ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
- done
- PS1='$ '
- PS2='> '
- PS4='+ '
-
- # NLS nuisances.
--for as_var in \
-- LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
-- LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
-- LC_TELEPHONE LC_TIME
--do
-- if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
-- eval $as_var=C; export $as_var
-- else
-- ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-- fi
--done
--
--# Required to use basename.
--if expr a : '\(a\)' >/dev/null 2>&1 &&
-- test "X`expr 00001 : '.*\(...\)'`" = X001; then
-- as_expr=expr
--else
-- as_expr=false
--fi
--
--if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
-- as_basename=basename
--else
-- as_basename=false
--fi
--
--
--# Name of the executable.
--as_me=`$as_basename -- "$0" ||
--$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
-- X"$0" : 'X\(//\)$' \| \
-- X"$0" : 'X\(/\)' \| . 2>/dev/null ||
--echo X/"$0" |
-- sed '/^.*\/\([^/][^/]*\)\/*$/{
-- s//\1/
-- q
-- }
-- /^X\/\(\/\/\)$/{
-- s//\1/
-- q
-- }
-- /^X\/\(\/\).*/{
-- s//\1/
-- q
-- }
-- s/.*/./; q'`
-+LC_ALL=C
-+export LC_ALL
-+LANGUAGE=C
-+export LANGUAGE
-
- # CDPATH.
--$as_unset CDPATH
--
-+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
- if test "x$CONFIG_SHELL" = x; then
-- if (eval ":") 2>/dev/null; then
-- as_have_required=yes
-+ as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
-+ emulate sh
-+ NULLCMD=:
-+ # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which
-+ # is contrary to our usage. Disable this feature.
-+ alias -g '\${1+\"\$@\"}'='\"\$@\"'
-+ setopt NO_GLOB_SUBST
- else
-- as_have_required=no
-+ case \`(set -o) 2>/dev/null\` in #(
-+ *posix*) :
-+ set -o posix ;; #(
-+ *) :
-+ ;;
-+esac
- fi
--
-- if test $as_have_required = yes && (eval ":
--(as_func_return () {
-- (exit \$1)
--}
--as_func_success () {
-- as_func_return 0
--}
--as_func_failure () {
-- as_func_return 1
--}
--as_func_ret_success () {
-- return 0
--}
--as_func_ret_failure () {
-- return 1
--}
-+"
-+ as_required="as_fn_return () { (exit \$1); }
-+as_fn_success () { as_fn_return 0; }
-+as_fn_failure () { as_fn_return 1; }
-+as_fn_ret_success () { return 0; }
-+as_fn_ret_failure () { return 1; }
-
- exitcode=0
--if as_func_success; then
-- :
--else
-- exitcode=1
-- echo as_func_success failed.
--fi
--
--if as_func_failure; then
-- exitcode=1
-- echo as_func_failure succeeded.
--fi
--
--if as_func_ret_success; then
-- :
--else
-- exitcode=1
-- echo as_func_ret_success failed.
--fi
--
--if as_func_ret_failure; then
-- exitcode=1
-- echo as_func_ret_failure succeeded.
--fi
--
--if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
-- :
-+as_fn_success || { exitcode=1; echo as_fn_success failed.; }
-+as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; }
-+as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; }
-+as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; }
-+if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :
-+
-+else
-+ exitcode=1; echo positional parameters were not saved.
-+fi
-+test x\$exitcode = x0 || exit 1"
-+ as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
-+ as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
-+ eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
-+ test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1
-+test \$(( 1 + 1 )) = 2 || exit 1"
-+ if (eval "$as_required") 2>/dev/null; then :
-+ as_have_required=yes
- else
-- exitcode=1
-- echo positional parameters were not saved.
-+ as_have_required=no
- fi
-+ if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then :
-
--test \$exitcode = 0) || { (exit 1); exit 1; }
--
--(
-- as_lineno_1=\$LINENO
-- as_lineno_2=\$LINENO
-- test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" &&
-- test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; }
--") 2> /dev/null; then
-- :
- else
-- as_candidate_shells=
-- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-+as_found=false
- for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- case $as_dir in
-+ as_found=:
-+ case $as_dir in #(
- /*)
- for as_base in sh bash ksh sh5; do
-- as_candidate_shells="$as_candidate_shells $as_dir/$as_base"
-+ # Try only shells that exist, to save several forks.
-+ as_shell=$as_dir/$as_base
-+ if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
-+ { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then :
-+ CONFIG_SHELL=$as_shell as_have_required=yes
-+ if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then :
-+ break 2
-+fi
-+fi
- done;;
- esac
-+ as_found=false
- done
-+$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } &&
-+ { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then :
-+ CONFIG_SHELL=$SHELL as_have_required=yes
-+fi; }
- IFS=$as_save_IFS
-
-
-- for as_shell in $as_candidate_shells $SHELL; do
-- # Try only shells that exist, to save several forks.
-- if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
-- { ("$as_shell") 2> /dev/null <<\_ASEOF
--if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-- emulate sh
-- NULLCMD=:
-- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-- # is contrary to our usage. Disable this feature.
-- alias -g '${1+"$@"}'='"$@"'
-- setopt NO_GLOB_SUBST
--else
-- case `(set -o) 2>/dev/null` in
-- *posix*) set -o posix ;;
--esac
--
-+ if test "x$CONFIG_SHELL" != x; then :
-+ # We cannot yet assume a decent shell, so we have to provide a
-+ # neutralization value for shells without unset; and this also
-+ # works around shells that cannot unset nonexistent variables.
-+ BASH_ENV=/dev/null
-+ ENV=/dev/null
-+ (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
-+ export CONFIG_SHELL
-+ exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
-+fi
-+
-+ if test x$as_have_required = xno; then :
-+ $as_echo "$0: This script requires a shell more modern than all"
-+ $as_echo "$0: the shells that I found on your system."
-+ if test x${ZSH_VERSION+set} = xset ; then
-+ $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should"
-+ $as_echo "$0: be upgraded to zsh 4.3.4 or later."
-+ else
-+ $as_echo "$0: Please tell bug-autoconf@gnu.org about your system,
-+$0: including any error possibly output before this
-+$0: message. Then install a modern shell, or manually run
-+$0: the script under such a shell if you do have one."
-+ fi
-+ exit 1
- fi
--
--
--:
--_ASEOF
--}; then
-- CONFIG_SHELL=$as_shell
-- as_have_required=yes
-- if { "$as_shell" 2> /dev/null <<\_ASEOF
--if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-- emulate sh
-- NULLCMD=:
-- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-- # is contrary to our usage. Disable this feature.
-- alias -g '${1+"$@"}'='"$@"'
-- setopt NO_GLOB_SUBST
--else
-- case `(set -o) 2>/dev/null` in
-- *posix*) set -o posix ;;
--esac
--
- fi
-+fi
-+SHELL=${CONFIG_SHELL-/bin/sh}
-+export SHELL
-+# Unset more variables known to interfere with behavior of common tools.
-+CLICOLOR_FORCE= GREP_OPTIONS=
-+unset CLICOLOR_FORCE GREP_OPTIONS
-
--
--:
--(as_func_return () {
-- (exit $1)
--}
--as_func_success () {
-- as_func_return 0
--}
--as_func_failure () {
-- as_func_return 1
--}
--as_func_ret_success () {
-- return 0
--}
--as_func_ret_failure () {
-- return 1
-+## --------------------- ##
-+## M4sh Shell Functions. ##
-+## --------------------- ##
-+# as_fn_unset VAR
-+# ---------------
-+# Portably unset VAR.
-+as_fn_unset ()
-+{
-+ { eval $1=; unset $1;}
- }
-+as_unset=as_fn_unset
-
--exitcode=0
--if as_func_success; then
-- :
--else
-- exitcode=1
-- echo as_func_success failed.
--fi
-+# as_fn_set_status STATUS
-+# -----------------------
-+# Set $? to STATUS, without forking.
-+as_fn_set_status ()
-+{
-+ return $1
-+} # as_fn_set_status
-
--if as_func_failure; then
-- exitcode=1
-- echo as_func_failure succeeded.
--fi
-+# as_fn_exit STATUS
-+# -----------------
-+# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
-+as_fn_exit ()
-+{
-+ set +e
-+ as_fn_set_status $1
-+ exit $1
-+} # as_fn_exit
-+
-+# as_fn_mkdir_p
-+# -------------
-+# Create "$as_dir" as a directory, including parents if necessary.
-+as_fn_mkdir_p ()
-+{
-
--if as_func_ret_success; then
-- :
--else
-- exitcode=1
-- echo as_func_ret_success failed.
--fi
-+ case $as_dir in #(
-+ -*) as_dir=./$as_dir;;
-+ esac
-+ test -d "$as_dir" || eval $as_mkdir_p || {
-+ as_dirs=
-+ while :; do
-+ case $as_dir in #(
-+ *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
-+ *) as_qdir=$as_dir;;
-+ esac
-+ as_dirs="'$as_qdir' $as_dirs"
-+ as_dir=`$as_dirname -- "$as_dir" ||
-+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-+ X"$as_dir" : 'X\(//\)[^/]' \| \
-+ X"$as_dir" : 'X\(//\)$' \| \
-+ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
-+$as_echo X"$as_dir" |
-+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-+ s//\1/
-+ q
-+ }
-+ /^X\(\/\/\)[^/].*/{
-+ s//\1/
-+ q
-+ }
-+ /^X\(\/\/\)$/{
-+ s//\1/
-+ q
-+ }
-+ /^X\(\/\).*/{
-+ s//\1/
-+ q
-+ }
-+ s/.*/./; q'`
-+ test -d "$as_dir" && break
-+ done
-+ test -z "$as_dirs" || eval "mkdir $as_dirs"
-+ } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
-
--if as_func_ret_failure; then
-- exitcode=1
-- echo as_func_ret_failure succeeded.
--fi
-
--if ( set x; as_func_ret_success y && test x = "$1" ); then
-- :
-+} # as_fn_mkdir_p
-+# as_fn_append VAR VALUE
-+# ----------------------
-+# Append the text in VALUE to the end of the definition contained in VAR. Take
-+# advantage of any shell optimizations that allow amortized linear growth over
-+# repeated appends, instead of the typical quadratic growth present in naive
-+# implementations.
-+if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
-+ eval 'as_fn_append ()
-+ {
-+ eval $1+=\$2
-+ }'
- else
-- exitcode=1
-- echo positional parameters were not saved.
--fi
--
--test $exitcode = 0) || { (exit 1); exit 1; }
--
--(
-- as_lineno_1=$LINENO
-- as_lineno_2=$LINENO
-- test "x$as_lineno_1" != "x$as_lineno_2" &&
-- test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; }
--
--_ASEOF
--}; then
-- break
--fi
--
--fi
--
-- done
--
-- if test "x$CONFIG_SHELL" != x; then
-- for as_var in BASH_ENV ENV
-- do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-- done
-- export CONFIG_SHELL
-- exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
--fi
--
--
-- if test $as_have_required = no; then
-- echo This script requires a shell more modern than all the
-- echo shells that I found on your system. Please install a
-- echo modern shell, or manually run the script under such a
-- echo shell if you do have one.
-- { (exit 1); exit 1; }
--fi
--
--
--fi
--
--fi
--
-+ as_fn_append ()
-+ {
-+ eval $1=\$$1\$2
-+ }
-+fi # as_fn_append
-+
-+# as_fn_arith ARG...
-+# ------------------
-+# Perform arithmetic evaluation on the ARGs, and store the result in the
-+# global $as_val. Take advantage of shells that can avoid forks. The arguments
-+# must be portable across $(()) and expr.
-+if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
-+ eval 'as_fn_arith ()
-+ {
-+ as_val=$(( $* ))
-+ }'
-+else
-+ as_fn_arith ()
-+ {
-+ as_val=`expr "$@" || test $? -eq 1`
-+ }
-+fi # as_fn_arith
-
-
--(eval "as_func_return () {
-- (exit \$1)
--}
--as_func_success () {
-- as_func_return 0
--}
--as_func_failure () {
-- as_func_return 1
--}
--as_func_ret_success () {
-- return 0
--}
--as_func_ret_failure () {
-- return 1
--}
-+# as_fn_error STATUS ERROR [LINENO LOG_FD]
-+# ----------------------------------------
-+# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
-+# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
-+# script with STATUS, using 1 if that was 0.
-+as_fn_error ()
-+{
-+ as_status=$1; test $as_status -eq 0 && as_status=1
-+ if test "$4"; then
-+ as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+ $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
-+ fi
-+ $as_echo "$as_me: error: $2" >&2
-+ as_fn_exit $as_status
-+} # as_fn_error
-
--exitcode=0
--if as_func_success; then
-- :
-+if expr a : '\(a\)' >/dev/null 2>&1 &&
-+ test "X`expr 00001 : '.*\(...\)'`" = X001; then
-+ as_expr=expr
- else
-- exitcode=1
-- echo as_func_success failed.
--fi
--
--if as_func_failure; then
-- exitcode=1
-- echo as_func_failure succeeded.
-+ as_expr=false
- fi
-
--if as_func_ret_success; then
-- :
-+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
-+ as_basename=basename
- else
-- exitcode=1
-- echo as_func_ret_success failed.
--fi
--
--if as_func_ret_failure; then
-- exitcode=1
-- echo as_func_ret_failure succeeded.
-+ as_basename=false
- fi
-
--if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
-- :
-+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
-+ as_dirname=dirname
- else
-- exitcode=1
-- echo positional parameters were not saved.
-+ as_dirname=false
- fi
-
--test \$exitcode = 0") || {
-- echo No shell found that supports shell functions.
-- echo Please tell autoconf@gnu.org about your system,
-- echo including any error possibly output before this
-- echo message
--}
-+as_me=`$as_basename -- "$0" ||
-+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
-+ X"$0" : 'X\(//\)$' \| \
-+ X"$0" : 'X\(/\)' \| . 2>/dev/null ||
-+$as_echo X/"$0" |
-+ sed '/^.*\/\([^/][^/]*\)\/*$/{
-+ s//\1/
-+ q
-+ }
-+ /^X\/\(\/\/\)$/{
-+ s//\1/
-+ q
-+ }
-+ /^X\/\(\/\).*/{
-+ s//\1/
-+ q
-+ }
-+ s/.*/./; q'`
-
-+# Avoid depending upon Character Ranges.
-+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-+as_cr_digits='0123456789'
-+as_cr_alnum=$as_cr_Letters$as_cr_digits
-
-
-- as_lineno_1=$LINENO
-- as_lineno_2=$LINENO
-- test "x$as_lineno_1" != "x$as_lineno_2" &&
-- test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
--
-- # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
-- # uniformly replaced by the line number. The first 'sed' inserts a
-- # line-number line after each line using $LINENO; the second 'sed'
-- # does the real work. The second script uses 'N' to pair each
-- # line-number line with the line containing $LINENO, and appends
-- # trailing '-' during substitution so that $LINENO is not a special
-- # case at line end.
-- # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
-- # scripts with optimization help from Paolo Bonzini. Blame Lee
-- # E. McMahon (1931-1989) for sed's syntax. :-)
-+ as_lineno_1=$LINENO as_lineno_1a=$LINENO
-+ as_lineno_2=$LINENO as_lineno_2a=$LINENO
-+ eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" &&
-+ test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || {
-+ # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-)
- sed -n '
- p
- /[$]LINENO/=
-@@ -452,8 +440,7 @@
- s/-\n.*//
- ' >$as_me.lineno &&
- chmod +x "$as_me.lineno" ||
-- { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
-- { (exit 1); exit 1; }; }
-+ { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }
-
- # Don't try to exec as it changes $[0], causing all sort of problems
- # (the dirname of $[0] is not the place where we might find the
-@@ -463,49 +450,40 @@
- exit
- }
-
--
--if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
-- as_dirname=dirname
--else
-- as_dirname=false
--fi
--
- ECHO_C= ECHO_N= ECHO_T=
--case `echo -n x` in
-+case `echo -n x` in #(((((
- -n*)
-- case `echo 'x\c'` in
-+ case `echo 'xy\c'` in
- *c*) ECHO_T=' ';; # ECHO_T is single tab character.
-- *) ECHO_C='\c';;
-+ xy) ECHO_C='\c';;
-+ *) echo `echo ksh88 bug on AIX 6.1` > /dev/null
-+ ECHO_T=' ';;
- esac;;
- *)
- ECHO_N='-n';;
- esac
-
--if expr a : '\(a\)' >/dev/null 2>&1 &&
-- test "X`expr 00001 : '.*\(...\)'`" = X001; then
-- as_expr=expr
--else
-- as_expr=false
--fi
--
- rm -f conf$$ conf$$.exe conf$$.file
- if test -d conf$$.dir; then
- rm -f conf$$.dir/conf$$.file
- else
- rm -f conf$$.dir
-- mkdir conf$$.dir
-+ mkdir conf$$.dir 2>/dev/null
- fi
--echo >conf$$.file
--if ln -s conf$$.file conf$$ 2>/dev/null; then
-- as_ln_s='ln -s'
-- # ... but there are two gotchas:
-- # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
-- # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-- # In both cases, we have to default to `cp -p'.
-- ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-+if (echo >conf$$.file) 2>/dev/null; then
-+ if ln -s conf$$.file conf$$ 2>/dev/null; then
-+ as_ln_s='ln -s'
-+ # ... but there are two gotchas:
-+ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
-+ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-+ # In both cases, we have to default to `cp -p'.
-+ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-+ as_ln_s='cp -p'
-+ elif ln conf$$.file conf$$ 2>/dev/null; then
-+ as_ln_s=ln
-+ else
- as_ln_s='cp -p'
--elif ln conf$$.file conf$$ 2>/dev/null; then
-- as_ln_s=ln
-+ fi
- else
- as_ln_s='cp -p'
- fi
-@@ -513,7 +491,7 @@
- rmdir conf$$.dir 2>/dev/null
-
- if mkdir -p . 2>/dev/null; then
-- as_mkdir_p=:
-+ as_mkdir_p='mkdir -p "$as_dir"'
- else
- test -d ./-p && rmdir ./-p
- as_mkdir_p=false
-@@ -530,12 +508,12 @@
- as_test_x='
- eval sh -c '\''
- if test -d "$1"; then
-- test -d "$1/.";
-+ test -d "$1/.";
- else
-- case $1 in
-- -*)set "./$1";;
-+ case $1 in #(
-+ -*)set "./$1";;
- esac;
-- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
-+ case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
- ???[sx]*):;;*)false;;esac;fi
- '\'' sh
- '
-@@ -549,11 +527,11 @@
- as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
-
-
--
--exec 7<&0 </dev/null 6>&1
-+test -n "$DJDIR" || exec 7<&0 </dev/null
-+exec 6>&1
-
- # Name of the host.
--# hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
-+# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status,
- # so uname gets run too.
- ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
-
-@@ -568,7 +546,6 @@
- subdirs=
- MFLAGS=
- MAKEFLAGS=
--SHELL=${CONFIG_SHELL-/bin/sh}
-
- # Identity of this package.
- PACKAGE_NAME=
-@@ -576,58 +553,102 @@
- PACKAGE_VERSION=
- PACKAGE_STRING=
- PACKAGE_BUGREPORT=
-+PACKAGE_URL=
-
- ac_unique_file="rlm_eap_tnc.c"
--ac_subst_vars='SHELL
--PATH_SEPARATOR
--PACKAGE_NAME
--PACKAGE_TARNAME
--PACKAGE_VERSION
--PACKAGE_STRING
--PACKAGE_BUGREPORT
--exec_prefix
--prefix
--program_transform_name
--bindir
--sbindir
--libexecdir
--datarootdir
--datadir
--sysconfdir
--sharedstatedir
--localstatedir
--includedir
--oldincludedir
--docdir
--infodir
--htmldir
--dvidir
--pdfdir
--psdir
--libdir
--localedir
--mandir
--DEFS
--ECHO_C
--ECHO_N
--ECHO_T
--LIBS
--build_alias
--host_alias
--target_alias
--CC
--CFLAGS
--LDFLAGS
--CPPFLAGS
--ac_ct_CC
--EXEEXT
--OBJEXT
--eap_tnc_cflags
--eap_tnc_ldflags
--targetname
-+# Factoring default headers for most tests.
-+ac_includes_default="\
-+#include <stdio.h>
-+#ifdef HAVE_SYS_TYPES_H
-+# include <sys/types.h>
-+#endif
-+#ifdef HAVE_SYS_STAT_H
-+# include <sys/stat.h>
-+#endif
-+#ifdef STDC_HEADERS
-+# include <stdlib.h>
-+# include <stddef.h>
-+#else
-+# ifdef HAVE_STDLIB_H
-+# include <stdlib.h>
-+# endif
-+#endif
-+#ifdef HAVE_STRING_H
-+# if !defined STDC_HEADERS && defined HAVE_MEMORY_H
-+# include <memory.h>
-+# endif
-+# include <string.h>
-+#endif
-+#ifdef HAVE_STRINGS_H
-+# include <strings.h>
-+#endif
-+#ifdef HAVE_INTTYPES_H
-+# include <inttypes.h>
-+#endif
-+#ifdef HAVE_STDINT_H
-+# include <stdint.h>
-+#endif
-+#ifdef HAVE_UNISTD_H
-+# include <unistd.h>
-+#endif"
-+
-+ac_subst_vars='LTLIBOBJS
- LIBOBJS
--LTLIBOBJS'
-+targetname
-+eap_tnc_ldflags
-+eap_tnc_cflags
-+EGREP
-+GREP
-+CPP
-+OBJEXT
-+EXEEXT
-+ac_ct_CC
-+CPPFLAGS
-+LDFLAGS
-+CFLAGS
-+CC
-+target_alias
-+host_alias
-+build_alias
-+LIBS
-+ECHO_T
-+ECHO_N
-+ECHO_C
-+DEFS
-+mandir
-+localedir
-+libdir
-+psdir
-+pdfdir
-+dvidir
-+htmldir
-+infodir
-+docdir
-+oldincludedir
-+includedir
-+localstatedir
-+sharedstatedir
-+sysconfdir
-+datadir
-+datarootdir
-+libexecdir
-+sbindir
-+bindir
-+program_transform_name
-+prefix
-+exec_prefix
-+PACKAGE_URL
-+PACKAGE_BUGREPORT
-+PACKAGE_STRING
-+PACKAGE_VERSION
-+PACKAGE_TARNAME
-+PACKAGE_NAME
-+PATH_SEPARATOR
-+SHELL'
- ac_subst_files=''
-+ac_user_opts='
-+enable_option_checking
-+'
- ac_precious_vars='build_alias
- host_alias
- target_alias
-@@ -635,12 +656,15 @@
- CFLAGS
- LDFLAGS
- LIBS
--CPPFLAGS'
-+CPPFLAGS
-+CPP'
-
-
- # Initialize some variables set by options.
- ac_init_help=
- ac_init_version=false
-+ac_unrecognized_opts=
-+ac_unrecognized_sep=
- # The variables have the same names as the options, with
- # dashes changed to underlines.
- cache_file=/dev/null
-@@ -696,8 +720,9 @@
- fi
-
- case $ac_option in
-- *=*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
-- *) ac_optarg=yes ;;
-+ *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
-+ *=) ac_optarg= ;;
-+ *) ac_optarg=yes ;;
- esac
-
- # Accept the important Cygnus configure options, so we can diagnose typos.
-@@ -739,13 +764,20 @@
- datarootdir=$ac_optarg ;;
-
- -disable-* | --disable-*)
-- ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
-+ ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
- # Reject names that are not valid shell variable names.
-- expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-- { echo "$as_me: error: invalid feature name: $ac_feature" >&2
-- { (exit 1); exit 1; }; }
-- ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
-- eval enable_$ac_feature=no ;;
-+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-+ as_fn_error $? "invalid feature name: $ac_useropt"
-+ ac_useropt_orig=$ac_useropt
-+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
-+ case $ac_user_opts in
-+ *"
-+"enable_$ac_useropt"
-+"*) ;;
-+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig"
-+ ac_unrecognized_sep=', ';;
-+ esac
-+ eval enable_$ac_useropt=no ;;
-
- -docdir | --docdir | --docdi | --doc | --do)
- ac_prev=docdir ;;
-@@ -758,13 +790,20 @@
- dvidir=$ac_optarg ;;
-
- -enable-* | --enable-*)
-- ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
-+ ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
- # Reject names that are not valid shell variable names.
-- expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-- { echo "$as_me: error: invalid feature name: $ac_feature" >&2
-- { (exit 1); exit 1; }; }
-- ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
-- eval enable_$ac_feature=\$ac_optarg ;;
-+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-+ as_fn_error $? "invalid feature name: $ac_useropt"
-+ ac_useropt_orig=$ac_useropt
-+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
-+ case $ac_user_opts in
-+ *"
-+"enable_$ac_useropt"
-+"*) ;;
-+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig"
-+ ac_unrecognized_sep=', ';;
-+ esac
-+ eval enable_$ac_useropt=\$ac_optarg ;;
-
- -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
- | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
-@@ -955,22 +994,36 @@
- ac_init_version=: ;;
-
- -with-* | --with-*)
-- ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
-+ ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
- # Reject names that are not valid shell variable names.
-- expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-- { echo "$as_me: error: invalid package name: $ac_package" >&2
-- { (exit 1); exit 1; }; }
-- ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
-- eval with_$ac_package=\$ac_optarg ;;
-+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-+ as_fn_error $? "invalid package name: $ac_useropt"
-+ ac_useropt_orig=$ac_useropt
-+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
-+ case $ac_user_opts in
-+ *"
-+"with_$ac_useropt"
-+"*) ;;
-+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig"
-+ ac_unrecognized_sep=', ';;
-+ esac
-+ eval with_$ac_useropt=\$ac_optarg ;;
-
- -without-* | --without-*)
-- ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
-+ ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'`
- # Reject names that are not valid shell variable names.
-- expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-- { echo "$as_me: error: invalid package name: $ac_package" >&2
-- { (exit 1); exit 1; }; }
-- ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
-- eval with_$ac_package=no ;;
-+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-+ as_fn_error $? "invalid package name: $ac_useropt"
-+ ac_useropt_orig=$ac_useropt
-+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
-+ case $ac_user_opts in
-+ *"
-+"with_$ac_useropt"
-+"*) ;;
-+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig"
-+ ac_unrecognized_sep=', ';;
-+ esac
-+ eval with_$ac_useropt=no ;;
-
- --x)
- # Obsolete; use --with-x.
-@@ -990,25 +1043,25 @@
- | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
- x_libraries=$ac_optarg ;;
-
-- -*) { echo "$as_me: error: unrecognized option: $ac_option
--Try \`$0 --help' for more information." >&2
-- { (exit 1); exit 1; }; }
-+ -*) as_fn_error $? "unrecognized option: \`$ac_option'
-+Try \`$0 --help' for more information"
- ;;
-
- *=*)
- ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
- # Reject names that are not valid shell variable names.
-- expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null &&
-- { echo "$as_me: error: invalid variable name: $ac_envvar" >&2
-- { (exit 1); exit 1; }; }
-+ case $ac_envvar in #(
-+ '' | [0-9]* | *[!_$as_cr_alnum]* )
-+ as_fn_error $? "invalid variable name: \`$ac_envvar'" ;;
-+ esac
- eval $ac_envvar=\$ac_optarg
- export $ac_envvar ;;
-
- *)
- # FIXME: should be removed in autoconf 3.0.
-- echo "$as_me: WARNING: you should use --build, --host, --target" >&2
-+ $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2
- expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-- echo "$as_me: WARNING: invalid host type: $ac_option" >&2
-+ $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2
- : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
- ;;
-
-@@ -1017,23 +1070,36 @@
-
- if test -n "$ac_prev"; then
- ac_option=--`echo $ac_prev | sed 's/_/-/g'`
-- { echo "$as_me: error: missing argument to $ac_option" >&2
-- { (exit 1); exit 1; }; }
-+ as_fn_error $? "missing argument to $ac_option"
-+fi
-+
-+if test -n "$ac_unrecognized_opts"; then
-+ case $enable_option_checking in
-+ no) ;;
-+ fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;;
-+ *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;;
-+ esac
- fi
-
--# Be sure to have absolute directory names.
-+# Check all directory arguments for consistency.
- for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
- datadir sysconfdir sharedstatedir localstatedir includedir \
- oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
- libdir localedir mandir
- do
- eval ac_val=\$$ac_var
-+ # Remove trailing slashes.
-+ case $ac_val in
-+ */ )
-+ ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'`
-+ eval $ac_var=\$ac_val;;
-+ esac
-+ # Be sure to have absolute directory names.
- case $ac_val in
- [\\/$]* | ?:[\\/]* ) continue;;
- NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
- esac
-- { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
-- { (exit 1); exit 1; }; }
-+ as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val"
- done
-
- # There might be people who depend on the old broken behavior: `$host'
-@@ -1047,8 +1113,8 @@
- if test "x$host_alias" != x; then
- if test "x$build_alias" = x; then
- cross_compiling=maybe
-- echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
-- If a cross compiler is detected then cross compile mode will be used." >&2
-+ $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host.
-+ If a cross compiler is detected then cross compile mode will be used" >&2
- elif test "x$build_alias" != "x$host_alias"; then
- cross_compiling=yes
- fi
-@@ -1063,23 +1129,21 @@
- ac_pwd=`pwd` && test -n "$ac_pwd" &&
- ac_ls_di=`ls -di .` &&
- ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
-- { echo "$as_me: error: Working directory cannot be determined" >&2
-- { (exit 1); exit 1; }; }
-+ as_fn_error $? "working directory cannot be determined"
- test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
-- { echo "$as_me: error: pwd does not report name of working directory" >&2
-- { (exit 1); exit 1; }; }
-+ as_fn_error $? "pwd does not report name of working directory"
-
-
- # Find the source files, if location was not specified.
- if test -z "$srcdir"; then
- ac_srcdir_defaulted=yes
- # Try the directory containing this script, then the parent directory.
-- ac_confdir=`$as_dirname -- "$0" ||
--$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-- X"$0" : 'X\(//\)[^/]' \| \
-- X"$0" : 'X\(//\)$' \| \
-- X"$0" : 'X\(/\)' \| . 2>/dev/null ||
--echo X"$0" |
-+ ac_confdir=`$as_dirname -- "$as_myself" ||
-+$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-+ X"$as_myself" : 'X\(//\)[^/]' \| \
-+ X"$as_myself" : 'X\(//\)$' \| \
-+ X"$as_myself" : 'X\(/\)' \| . 2>/dev/null ||
-+$as_echo X"$as_myself" |
- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
- s//\1/
- q
-@@ -1106,13 +1170,11 @@
- fi
- if test ! -r "$srcdir/$ac_unique_file"; then
- test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
-- { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
-- { (exit 1); exit 1; }; }
-+ as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir"
- fi
- ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
- ac_abs_confdir=`(
-- cd "$srcdir" && test -r "./$ac_unique_file" || { echo "$as_me: error: $ac_msg" >&2
-- { (exit 1); exit 1; }; }
-+ cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg"
- pwd)`
- # When building in place, set srcdir=.
- if test "$ac_abs_confdir" = "$ac_pwd"; then
-@@ -1152,7 +1214,7 @@
- --help=short display options specific to this package
- --help=recursive display the short help of all the included packages
- -V, --version display version information and exit
-- -q, --quiet, --silent do not print \`checking...' messages
-+ -q, --quiet, --silent do not print \`checking ...' messages
- --cache-file=FILE cache test results in FILE [disabled]
- -C, --config-cache alias for \`--cache-file=config.cache'
- -n, --no-create do not create output files
-@@ -1160,9 +1222,9 @@
-
- Installation directories:
- --prefix=PREFIX install architecture-independent files in PREFIX
-- [$ac_default_prefix]
-+ [$ac_default_prefix]
- --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
-- [PREFIX]
-+ [PREFIX]
-
- By default, \`make install' will install all the files in
- \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify
-@@ -1172,25 +1234,25 @@
- For better control, use the options below.
-
- Fine tuning of the installation directories:
-- --bindir=DIR user executables [EPREFIX/bin]
-- --sbindir=DIR system admin executables [EPREFIX/sbin]
-- --libexecdir=DIR program executables [EPREFIX/libexec]
-- --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
-- --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
-- --localstatedir=DIR modifiable single-machine data [PREFIX/var]
-- --libdir=DIR object code libraries [EPREFIX/lib]
-- --includedir=DIR C header files [PREFIX/include]
-- --oldincludedir=DIR C header files for non-gcc [/usr/include]
-- --datarootdir=DIR read-only arch.-independent data root [PREFIX/share]
-- --datadir=DIR read-only architecture-independent data [DATAROOTDIR]
-- --infodir=DIR info documentation [DATAROOTDIR/info]
-- --localedir=DIR locale-dependent data [DATAROOTDIR/locale]
-- --mandir=DIR man documentation [DATAROOTDIR/man]
-- --docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE]
-- --htmldir=DIR html documentation [DOCDIR]
-- --dvidir=DIR dvi documentation [DOCDIR]
-- --pdfdir=DIR pdf documentation [DOCDIR]
-- --psdir=DIR ps documentation [DOCDIR]
-+ --bindir=DIR user executables [EPREFIX/bin]
-+ --sbindir=DIR system admin executables [EPREFIX/sbin]
-+ --libexecdir=DIR program executables [EPREFIX/libexec]
-+ --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
-+ --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
-+ --localstatedir=DIR modifiable single-machine data [PREFIX/var]
-+ --libdir=DIR object code libraries [EPREFIX/lib]
-+ --includedir=DIR C header files [PREFIX/include]
-+ --oldincludedir=DIR C header files for non-gcc [/usr/include]
-+ --datarootdir=DIR read-only arch.-independent data root [PREFIX/share]
-+ --datadir=DIR read-only architecture-independent data [DATAROOTDIR]
-+ --infodir=DIR info documentation [DATAROOTDIR/info]
-+ --localedir=DIR locale-dependent data [DATAROOTDIR/locale]
-+ --mandir=DIR man documentation [DATAROOTDIR/man]
-+ --docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE]
-+ --htmldir=DIR html documentation [DOCDIR]
-+ --dvidir=DIR dvi documentation [DOCDIR]
-+ --pdfdir=DIR pdf documentation [DOCDIR]
-+ --psdir=DIR ps documentation [DOCDIR]
- _ACEOF
-
- cat <<\_ACEOF
-@@ -1207,12 +1269,14 @@
- LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
- nonstandard directory <lib dir>
- LIBS libraries to pass to the linker, e.g. -l<library>
-- CPPFLAGS C/C++/Objective C preprocessor flags, e.g. -I<include dir> if
-+ CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
- you have headers in a nonstandard directory <include dir>
-+ CPP C preprocessor
-
- Use these variables to override the choices made by `configure' or to help
- it to find libraries and programs with nonstandard names/locations.
-
-+Report bugs to the package provider.
- _ACEOF
- ac_status=$?
- fi
-@@ -1220,15 +1284,17 @@
- if test "$ac_init_help" = "recursive"; then
- # If there are subdirs, report their specific --help.
- for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
-- test -d "$ac_dir" || continue
-+ test -d "$ac_dir" ||
-+ { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } ||
-+ continue
- ac_builddir=.
-
- case "$ac_dir" in
- .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
- *)
-- ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
-+ ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
- # A ".." for each directory in $ac_dir_suffix.
-- ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
-+ ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
- case $ac_top_builddir_sub in
- "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
- *) ac_top_build_prefix=$ac_top_builddir_sub/ ;;
-@@ -1264,7 +1330,7 @@
- echo &&
- $SHELL "$ac_srcdir/configure" --help=recursive
- else
-- echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
-+ $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
- fi || ac_status=$?
- cd "$ac_pwd" || { ac_status=$?; break; }
- done
-@@ -1274,21 +1340,305 @@
- if $ac_init_version; then
- cat <<\_ACEOF
- configure
--generated by GNU Autoconf 2.61
-+generated by GNU Autoconf 2.67
-
--Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
--2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
-+Copyright (C) 2010 Free Software Foundation, Inc.
- This configure script is free software; the Free Software Foundation
- gives unlimited permission to copy, distribute and modify it.
- _ACEOF
- exit
- fi
-+
-+## ------------------------ ##
-+## Autoconf initialization. ##
-+## ------------------------ ##
-+
-+# ac_fn_c_try_compile LINENO
-+# --------------------------
-+# Try to compile conftest.$ac_ext, and return whether this succeeded.
-+ac_fn_c_try_compile ()
-+{
-+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+ rm -f conftest.$ac_objext
-+ if { { ac_try="$ac_compile"
-+case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+ (eval "$ac_compile") 2>conftest.err
-+ ac_status=$?
-+ if test -s conftest.err; then
-+ grep -v '^ *+' conftest.err >conftest.er1
-+ cat conftest.er1 >&5
-+ mv -f conftest.er1 conftest.err
-+ fi
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; } && {
-+ test -z "$ac_c_werror_flag" ||
-+ test ! -s conftest.err
-+ } && test -s conftest.$ac_objext; then :
-+ ac_retval=0
-+else
-+ $as_echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+ ac_retval=1
-+fi
-+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-+ as_fn_set_status $ac_retval
-+
-+} # ac_fn_c_try_compile
-+
-+# ac_fn_c_try_link LINENO
-+# -----------------------
-+# Try to link conftest.$ac_ext, and return whether this succeeded.
-+ac_fn_c_try_link ()
-+{
-+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+ rm -f conftest.$ac_objext conftest$ac_exeext
-+ if { { ac_try="$ac_link"
-+case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+ (eval "$ac_link") 2>conftest.err
-+ ac_status=$?
-+ if test -s conftest.err; then
-+ grep -v '^ *+' conftest.err >conftest.er1
-+ cat conftest.er1 >&5
-+ mv -f conftest.er1 conftest.err
-+ fi
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; } && {
-+ test -z "$ac_c_werror_flag" ||
-+ test ! -s conftest.err
-+ } && test -s conftest$ac_exeext && {
-+ test "$cross_compiling" = yes ||
-+ $as_test_x conftest$ac_exeext
-+ }; then :
-+ ac_retval=0
-+else
-+ $as_echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+ ac_retval=1
-+fi
-+ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
-+ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
-+ # interfere with the next link command; also delete a directory that is
-+ # left behind by Apple's compiler. We do this before executing the actions.
-+ rm -rf conftest.dSYM conftest_ipa8_conftest.oo
-+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-+ as_fn_set_status $ac_retval
-+
-+} # ac_fn_c_try_link
-+
-+# ac_fn_c_try_cpp LINENO
-+# ----------------------
-+# Try to preprocess conftest.$ac_ext, and return whether this succeeded.
-+ac_fn_c_try_cpp ()
-+{
-+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+ if { { ac_try="$ac_cpp conftest.$ac_ext"
-+case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err
-+ ac_status=$?
-+ if test -s conftest.err; then
-+ grep -v '^ *+' conftest.err >conftest.er1
-+ cat conftest.er1 >&5
-+ mv -f conftest.er1 conftest.err
-+ fi
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; } > conftest.i && {
-+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-+ test ! -s conftest.err
-+ }; then :
-+ ac_retval=0
-+else
-+ $as_echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+ ac_retval=1
-+fi
-+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-+ as_fn_set_status $ac_retval
-+
-+} # ac_fn_c_try_cpp
-+
-+# ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES
-+# -------------------------------------------------------
-+# Tests whether HEADER exists, giving a warning if it cannot be compiled using
-+# the include files in INCLUDES and setting the cache variable VAR
-+# accordingly.
-+ac_fn_c_check_header_mongrel ()
-+{
-+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+ if eval "test \"\${$3+set}\"" = set; then :
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
-+$as_echo_n "checking for $2... " >&6; }
-+if eval "test \"\${$3+set}\"" = set; then :
-+ $as_echo_n "(cached) " >&6
-+fi
-+eval ac_res=\$$3
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
-+$as_echo "$ac_res" >&6; }
-+else
-+ # Is the header compilable?
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5
-+$as_echo_n "checking $2 usability... " >&6; }
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+$4
-+#include <$2>
-+_ACEOF
-+if ac_fn_c_try_compile "$LINENO"; then :
-+ ac_header_compiler=yes
-+else
-+ ac_header_compiler=no
-+fi
-+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5
-+$as_echo "$ac_header_compiler" >&6; }
-+
-+# Is the header present?
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5
-+$as_echo_n "checking $2 presence... " >&6; }
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#include <$2>
-+_ACEOF
-+if ac_fn_c_try_cpp "$LINENO"; then :
-+ ac_header_preproc=yes
-+else
-+ ac_header_preproc=no
-+fi
-+rm -f conftest.err conftest.i conftest.$ac_ext
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5
-+$as_echo "$ac_header_preproc" >&6; }
-+
-+# So? What about this header?
-+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #((
-+ yes:no: )
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5
-+$as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
-+$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
-+ ;;
-+ no:yes:* )
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5
-+$as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: check for missing prerequisite headers?" >&5
-+$as_echo "$as_me: WARNING: $2: check for missing prerequisite headers?" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5
-+$as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&5
-+$as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
-+$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
-+ ;;
-+esac
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
-+$as_echo_n "checking for $2... " >&6; }
-+if eval "test \"\${$3+set}\"" = set; then :
-+ $as_echo_n "(cached) " >&6
-+else
-+ eval "$3=\$ac_header_compiler"
-+fi
-+eval ac_res=\$$3
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
-+$as_echo "$ac_res" >&6; }
-+fi
-+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-+
-+} # ac_fn_c_check_header_mongrel
-+
-+# ac_fn_c_try_run LINENO
-+# ----------------------
-+# Try to link conftest.$ac_ext, and return whether this succeeded. Assumes
-+# that executables *can* be run.
-+ac_fn_c_try_run ()
-+{
-+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+ if { { ac_try="$ac_link"
-+case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+ (eval "$ac_link") 2>&5
-+ ac_status=$?
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; } && { ac_try='./conftest$ac_exeext'
-+ { { case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+ (eval "$ac_try") 2>&5
-+ ac_status=$?
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; }; }; then :
-+ ac_retval=0
-+else
-+ $as_echo "$as_me: program exited with status $ac_status" >&5
-+ $as_echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+ ac_retval=$ac_status
-+fi
-+ rm -rf conftest.dSYM conftest_ipa8_conftest.oo
-+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-+ as_fn_set_status $ac_retval
-+
-+} # ac_fn_c_try_run
-+
-+# ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES
-+# -------------------------------------------------------
-+# Tests whether HEADER exists and can be compiled using the include files in
-+# INCLUDES, setting the cache variable VAR accordingly.
-+ac_fn_c_check_header_compile ()
-+{
-+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
-+$as_echo_n "checking for $2... " >&6; }
-+if eval "test \"\${$3+set}\"" = set; then :
-+ $as_echo_n "(cached) " >&6
-+else
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+$4
-+#include <$2>
-+_ACEOF
-+if ac_fn_c_try_compile "$LINENO"; then :
-+ eval "$3=yes"
-+else
-+ eval "$3=no"
-+fi
-+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-+fi
-+eval ac_res=\$$3
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
-+$as_echo "$ac_res" >&6; }
-+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-+
-+} # ac_fn_c_check_header_compile
- cat >config.log <<_ACEOF
- This file contains any messages produced by compilers while
- running configure, to aid debugging if configure makes a mistake.
-
- It was created by $as_me, which was
--generated by GNU Autoconf 2.61. Invocation command line was
-+generated by GNU Autoconf 2.67. Invocation command line was
-
- $ $0 $@
-
-@@ -1324,8 +1674,8 @@
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- echo "PATH: $as_dir"
--done
-+ $as_echo "PATH: $as_dir"
-+ done
- IFS=$as_save_IFS
-
- } >&5
-@@ -1359,12 +1709,12 @@
- | -silent | --silent | --silen | --sile | --sil)
- continue ;;
- *\'*)
-- ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
-+ ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
- esac
- case $ac_pass in
-- 1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;;
-+ 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;;
- 2)
-- ac_configure_args1="$ac_configure_args1 '$ac_arg'"
-+ as_fn_append ac_configure_args1 " '$ac_arg'"
- if test $ac_must_keep_next = true; then
- ac_must_keep_next=false # Got value, back to normal.
- else
-@@ -1380,13 +1730,13 @@
- -* ) ac_must_keep_next=true ;;
- esac
- fi
-- ac_configure_args="$ac_configure_args '$ac_arg'"
-+ as_fn_append ac_configure_args " '$ac_arg'"
- ;;
- esac
- done
- done
--$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; }
--$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; }
-+{ ac_configure_args0=; unset ac_configure_args0;}
-+{ ac_configure_args1=; unset ac_configure_args1;}
-
- # When interrupted or exit'd, cleanup temporary files, and complete
- # config.log. We remove comments because anyway the quotes in there
-@@ -1398,11 +1748,9 @@
- {
- echo
-
-- cat <<\_ASBOX
--## ---------------- ##
-+ $as_echo "## ---------------- ##
- ## Cache variables. ##
--## ---------------- ##
--_ASBOX
-+## ---------------- ##"
- echo
- # The following way of writing the cache mishandles newlines in values,
- (
-@@ -1411,12 +1759,13 @@
- case $ac_val in #(
- *${as_nl}*)
- case $ac_var in #(
-- *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
--echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
-+ *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
-+$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
- esac
- case $ac_var in #(
- _ | IFS | as_nl) ;; #(
-- *) $as_unset $ac_var ;;
-+ BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
-+ *) { eval $ac_var=; unset $ac_var;} ;;
- esac ;;
- esac
- done
-@@ -1435,128 +1784,136 @@
- )
- echo
-
-- cat <<\_ASBOX
--## ----------------- ##
-+ $as_echo "## ----------------- ##
- ## Output variables. ##
--## ----------------- ##
--_ASBOX
-+## ----------------- ##"
- echo
- for ac_var in $ac_subst_vars
- do
- eval ac_val=\$$ac_var
- case $ac_val in
-- *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
-+ *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
- esac
-- echo "$ac_var='\''$ac_val'\''"
-+ $as_echo "$ac_var='\''$ac_val'\''"
- done | sort
- echo
-
- if test -n "$ac_subst_files"; then
-- cat <<\_ASBOX
--## ------------------- ##
-+ $as_echo "## ------------------- ##
- ## File substitutions. ##
--## ------------------- ##
--_ASBOX
-+## ------------------- ##"
- echo
- for ac_var in $ac_subst_files
- do
- eval ac_val=\$$ac_var
- case $ac_val in
-- *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
-+ *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
- esac
-- echo "$ac_var='\''$ac_val'\''"
-+ $as_echo "$ac_var='\''$ac_val'\''"
- done | sort
- echo
- fi
-
- if test -s confdefs.h; then
-- cat <<\_ASBOX
--## ----------- ##
-+ $as_echo "## ----------- ##
- ## confdefs.h. ##
--## ----------- ##
--_ASBOX
-+## ----------- ##"
- echo
- cat confdefs.h
- echo
- fi
- test "$ac_signal" != 0 &&
-- echo "$as_me: caught signal $ac_signal"
-- echo "$as_me: exit $exit_status"
-+ $as_echo "$as_me: caught signal $ac_signal"
-+ $as_echo "$as_me: exit $exit_status"
- } >&5
- rm -f core *.core core.conftest.* &&
- rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
- exit $exit_status
- ' 0
- for ac_signal in 1 2 13 15; do
-- trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal
-+ trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal
- done
- ac_signal=0
-
- # confdefs.h avoids OS command line length limits that DEFS can exceed.
- rm -f -r conftest* confdefs.h
-
-+$as_echo "/* confdefs.h */" > confdefs.h
-+
- # Predefined preprocessor variables.
-
- cat >>confdefs.h <<_ACEOF
- #define PACKAGE_NAME "$PACKAGE_NAME"
- _ACEOF
-
--
- cat >>confdefs.h <<_ACEOF
- #define PACKAGE_TARNAME "$PACKAGE_TARNAME"
- _ACEOF
-
--
- cat >>confdefs.h <<_ACEOF
- #define PACKAGE_VERSION "$PACKAGE_VERSION"
- _ACEOF
-
--
- cat >>confdefs.h <<_ACEOF
- #define PACKAGE_STRING "$PACKAGE_STRING"
- _ACEOF
-
--
- cat >>confdefs.h <<_ACEOF
- #define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
- _ACEOF
-
-+cat >>confdefs.h <<_ACEOF
-+#define PACKAGE_URL "$PACKAGE_URL"
-+_ACEOF
-+
-
- # Let the site file select an alternate cache file if it wants to.
--# Prefer explicitly selected file to automatically selected ones.
-+# Prefer an explicitly selected file to automatically selected ones.
-+ac_site_file1=NONE
-+ac_site_file2=NONE
- if test -n "$CONFIG_SITE"; then
-- set x "$CONFIG_SITE"
-+ # We do not want a PATH search for config.site.
-+ case $CONFIG_SITE in #((
-+ -*) ac_site_file1=./$CONFIG_SITE;;
-+ */*) ac_site_file1=$CONFIG_SITE;;
-+ *) ac_site_file1=./$CONFIG_SITE;;
-+ esac
- elif test "x$prefix" != xNONE; then
-- set x "$prefix/share/config.site" "$prefix/etc/config.site"
-+ ac_site_file1=$prefix/share/config.site
-+ ac_site_file2=$prefix/etc/config.site
- else
-- set x "$ac_default_prefix/share/config.site" \
-- "$ac_default_prefix/etc/config.site"
-+ ac_site_file1=$ac_default_prefix/share/config.site
-+ ac_site_file2=$ac_default_prefix/etc/config.site
- fi
--shift
--for ac_site_file
-+for ac_site_file in "$ac_site_file1" "$ac_site_file2"
- do
-- if test -r "$ac_site_file"; then
-- { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
--echo "$as_me: loading site script $ac_site_file" >&6;}
-+ test "x$ac_site_file" = xNONE && continue
-+ if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5
-+$as_echo "$as_me: loading site script $ac_site_file" >&6;}
- sed 's/^/| /' "$ac_site_file" >&5
-- . "$ac_site_file"
-+ . "$ac_site_file" \
-+ || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error $? "failed to load site script $ac_site_file
-+See \`config.log' for more details" "$LINENO" 5 ; }
- fi
- done
-
- if test -r "$cache_file"; then
-- # Some versions of bash will fail to source /dev/null (special
-- # files actually), so we avoid doing that.
-- if test -f "$cache_file"; then
-- { echo "$as_me:$LINENO: loading cache $cache_file" >&5
--echo "$as_me: loading cache $cache_file" >&6;}
-+ # Some versions of bash will fail to source /dev/null (special files
-+ # actually), so we avoid doing that. DJGPP emulates it as a regular file.
-+ if test /dev/null != "$cache_file" && test -f "$cache_file"; then
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5
-+$as_echo "$as_me: loading cache $cache_file" >&6;}
- case $cache_file in
- [\\/]* | ?:[\\/]* ) . "$cache_file";;
- *) . "./$cache_file";;
- esac
- fi
- else
-- { echo "$as_me:$LINENO: creating cache $cache_file" >&5
--echo "$as_me: creating cache $cache_file" >&6;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5
-+$as_echo "$as_me: creating cache $cache_file" >&6;}
- >$cache_file
- fi
-
-@@ -1570,60 +1927,56 @@
- eval ac_new_val=\$ac_env_${ac_var}_value
- case $ac_old_set,$ac_new_set in
- set,)
-- { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
--echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
-+$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
- ac_cache_corrupted=: ;;
- ,set)
-- { echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5
--echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5
-+$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
- ac_cache_corrupted=: ;;
- ,);;
- *)
- if test "x$ac_old_val" != "x$ac_new_val"; then
-- { echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5
--echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
-- { echo "$as_me:$LINENO: former value: $ac_old_val" >&5
--echo "$as_me: former value: $ac_old_val" >&2;}
-- { echo "$as_me:$LINENO: current value: $ac_new_val" >&5
--echo "$as_me: current value: $ac_new_val" >&2;}
-- ac_cache_corrupted=:
-+ # differences in whitespace do not lead to failure.
-+ ac_old_val_w=`echo x $ac_old_val`
-+ ac_new_val_w=`echo x $ac_new_val`
-+ if test "$ac_old_val_w" != "$ac_new_val_w"; then
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5
-+$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
-+ ac_cache_corrupted=:
-+ else
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5
-+$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;}
-+ eval $ac_var=\$ac_old_val
-+ fi
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5
-+$as_echo "$as_me: former value: \`$ac_old_val'" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5
-+$as_echo "$as_me: current value: \`$ac_new_val'" >&2;}
- fi;;
- esac
- # Pass precious variables to config.status.
- if test "$ac_new_set" = set; then
- case $ac_new_val in
-- *\'*) ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
-+ *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
- *) ac_arg=$ac_var=$ac_new_val ;;
- esac
- case " $ac_configure_args " in
- *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy.
-- *) ac_configure_args="$ac_configure_args '$ac_arg'" ;;
-+ *) as_fn_append ac_configure_args " '$ac_arg'" ;;
- esac
- fi
- done
- if $ac_cache_corrupted; then
-- { echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5
--echo "$as_me: error: changes in the environment can compromise the build" >&2;}
-- { { echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
--echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;}
-- { (exit 1); exit 1; }; }
--fi
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5
-+$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;}
-+ as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5
-+fi
-+## -------------------- ##
-+## Main body of script. ##
-+## -------------------- ##
-
- ac_ext=c
- ac_cpp='$CPP $CPPFLAGS'
-@@ -1635,6 +1988,9 @@
-
-
-
-+eap_tnc_cflags=
-+eap_tnc_ldflags=-lnaaeap
-+
- if test x$with_rlm_eap_tnc != xno; then
-
- ac_ext=c
-@@ -1645,10 +2001,10 @@
- if test -n "$ac_tool_prefix"; then
- # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
- set dummy ${ac_tool_prefix}gcc; ac_word=$2
--{ echo "$as_me:$LINENO: checking for $ac_word" >&5
--echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
--if test "${ac_cv_prog_CC+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if test "${ac_cv_prog_CC+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
- if test -n "$CC"; then
- ac_cv_prog_CC="$CC" # Let the user override the test.
-@@ -1658,25 +2014,25 @@
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- for ac_exec_ext in '' $ac_executable_extensions; do
-+ for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- ac_cv_prog_CC="${ac_tool_prefix}gcc"
-- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
- done
--done
-+ done
- IFS=$as_save_IFS
-
- fi
- fi
- CC=$ac_cv_prog_CC
- if test -n "$CC"; then
-- { echo "$as_me:$LINENO: result: $CC" >&5
--echo "${ECHO_T}$CC" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
-+$as_echo "$CC" >&6; }
- else
-- { echo "$as_me:$LINENO: result: no" >&5
--echo "${ECHO_T}no" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
- fi
-
-
-@@ -1685,10 +2041,10 @@
- ac_ct_CC=$CC
- # Extract the first word of "gcc", so it can be a program name with args.
- set dummy gcc; ac_word=$2
--{ echo "$as_me:$LINENO: checking for $ac_word" >&5
--echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
--if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
- if test -n "$ac_ct_CC"; then
- ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-@@ -1698,25 +2054,25 @@
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- for ac_exec_ext in '' $ac_executable_extensions; do
-+ for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- ac_cv_prog_ac_ct_CC="gcc"
-- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
- done
--done
-+ done
- IFS=$as_save_IFS
-
- fi
- fi
- ac_ct_CC=$ac_cv_prog_ac_ct_CC
- if test -n "$ac_ct_CC"; then
-- { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
--echo "${ECHO_T}$ac_ct_CC" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
-+$as_echo "$ac_ct_CC" >&6; }
- else
-- { echo "$as_me:$LINENO: result: no" >&5
--echo "${ECHO_T}no" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
- fi
-
- if test "x$ac_ct_CC" = x; then
-@@ -1724,12 +2080,8 @@
- else
- case $cross_compiling:$ac_tool_warned in
- yes:)
--{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
--whose name does not start with the host triplet. If you think this
--configuration is useful to you, please write to autoconf@gnu.org." >&5
--echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
--whose name does not start with the host triplet. If you think this
--configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
-+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
- ac_tool_warned=yes ;;
- esac
- CC=$ac_ct_CC
-@@ -1742,10 +2094,10 @@
- if test -n "$ac_tool_prefix"; then
- # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
- set dummy ${ac_tool_prefix}cc; ac_word=$2
--{ echo "$as_me:$LINENO: checking for $ac_word" >&5
--echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
--if test "${ac_cv_prog_CC+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if test "${ac_cv_prog_CC+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
- if test -n "$CC"; then
- ac_cv_prog_CC="$CC" # Let the user override the test.
-@@ -1755,25 +2107,25 @@
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- for ac_exec_ext in '' $ac_executable_extensions; do
-+ for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- ac_cv_prog_CC="${ac_tool_prefix}cc"
-- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
- done
--done
-+ done
- IFS=$as_save_IFS
-
- fi
- fi
- CC=$ac_cv_prog_CC
- if test -n "$CC"; then
-- { echo "$as_me:$LINENO: result: $CC" >&5
--echo "${ECHO_T}$CC" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
-+$as_echo "$CC" >&6; }
- else
-- { echo "$as_me:$LINENO: result: no" >&5
--echo "${ECHO_T}no" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
- fi
-
-
-@@ -1782,10 +2134,10 @@
- if test -z "$CC"; then
- # Extract the first word of "cc", so it can be a program name with args.
- set dummy cc; ac_word=$2
--{ echo "$as_me:$LINENO: checking for $ac_word" >&5
--echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
--if test "${ac_cv_prog_CC+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if test "${ac_cv_prog_CC+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
- if test -n "$CC"; then
- ac_cv_prog_CC="$CC" # Let the user override the test.
-@@ -1796,18 +2148,18 @@
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- for ac_exec_ext in '' $ac_executable_extensions; do
-+ for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
- ac_prog_rejected=yes
- continue
- fi
- ac_cv_prog_CC="cc"
-- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
- done
--done
-+ done
- IFS=$as_save_IFS
-
- if test $ac_prog_rejected = yes; then
-@@ -1826,11 +2178,11 @@
- fi
- CC=$ac_cv_prog_CC
- if test -n "$CC"; then
-- { echo "$as_me:$LINENO: result: $CC" >&5
--echo "${ECHO_T}$CC" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
-+$as_echo "$CC" >&6; }
- else
-- { echo "$as_me:$LINENO: result: no" >&5
--echo "${ECHO_T}no" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
- fi
-
-
-@@ -1841,10 +2193,10 @@
- do
- # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
- set dummy $ac_tool_prefix$ac_prog; ac_word=$2
--{ echo "$as_me:$LINENO: checking for $ac_word" >&5
--echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
--if test "${ac_cv_prog_CC+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if test "${ac_cv_prog_CC+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
- if test -n "$CC"; then
- ac_cv_prog_CC="$CC" # Let the user override the test.
-@@ -1854,25 +2206,25 @@
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- for ac_exec_ext in '' $ac_executable_extensions; do
-+ for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
-- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
- done
--done
-+ done
- IFS=$as_save_IFS
-
- fi
- fi
- CC=$ac_cv_prog_CC
- if test -n "$CC"; then
-- { echo "$as_me:$LINENO: result: $CC" >&5
--echo "${ECHO_T}$CC" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
-+$as_echo "$CC" >&6; }
- else
-- { echo "$as_me:$LINENO: result: no" >&5
--echo "${ECHO_T}no" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
- fi
-
-
-@@ -1885,10 +2237,10 @@
- do
- # Extract the first word of "$ac_prog", so it can be a program name with args.
- set dummy $ac_prog; ac_word=$2
--{ echo "$as_me:$LINENO: checking for $ac_word" >&5
--echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
--if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
- if test -n "$ac_ct_CC"; then
- ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-@@ -1898,25 +2250,25 @@
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- for ac_exec_ext in '' $ac_executable_extensions; do
-+ for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- ac_cv_prog_ac_ct_CC="$ac_prog"
-- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
- done
--done
-+ done
- IFS=$as_save_IFS
-
- fi
- fi
- ac_ct_CC=$ac_cv_prog_ac_ct_CC
- if test -n "$ac_ct_CC"; then
-- { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
--echo "${ECHO_T}$ac_ct_CC" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
-+$as_echo "$ac_ct_CC" >&6; }
- else
-- { echo "$as_me:$LINENO: result: no" >&5
--echo "${ECHO_T}no" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
- fi
-
-
-@@ -1928,12 +2280,8 @@
- else
- case $cross_compiling:$ac_tool_warned in
- yes:)
--{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
--whose name does not start with the host triplet. If you think this
--configuration is useful to you, please write to autoconf@gnu.org." >&5
--echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
--whose name does not start with the host triplet. If you think this
--configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
-+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
- ac_tool_warned=yes ;;
- esac
- CC=$ac_ct_CC
-@@ -1943,51 +2291,37 @@
- fi
-
-
--test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
--See \`config.log' for more details." >&5
--echo "$as_me: error: no acceptable C compiler found in \$PATH
--See \`config.log' for more details." >&2;}
-- { (exit 1); exit 1; }; }
-+test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error $? "no acceptable C compiler found in \$PATH
-+See \`config.log' for more details" "$LINENO" 5 ; }
-
- # Provide some information about the compiler.
--echo "$as_me:$LINENO: checking for C compiler version" >&5
--ac_compiler=`set X $ac_compile; echo $2`
--{ (ac_try="$ac_compiler --version >&5"
--case "(($ac_try" in
-- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-- *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_compiler --version >&5") 2>&5
-- ac_status=$?
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); }
--{ (ac_try="$ac_compiler -v >&5"
--case "(($ac_try" in
-- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-- *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_compiler -v >&5") 2>&5
-- ac_status=$?
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); }
--{ (ac_try="$ac_compiler -V >&5"
-+$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5
-+set X $ac_compile
-+ac_compiler=$2
-+for ac_option in --version -v -V -qversion; do
-+ { { ac_try="$ac_compiler $ac_option >&5"
- case "(($ac_try" in
- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
- *) ac_try_echo=$ac_try;;
- esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_compiler -V >&5") 2>&5
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+ (eval "$ac_compiler $ac_option >&5") 2>conftest.err
- ac_status=$?
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); }
-+ if test -s conftest.err; then
-+ sed '10a\
-+... rest of stderr output deleted ...
-+ 10q' conftest.err >conftest.er1
-+ cat conftest.er1 >&5
-+ fi
-+ rm -f conftest.er1 conftest.err
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; }
-+done
-
--cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h. */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
-
- int
-@@ -1999,42 +2333,38 @@
- }
- _ACEOF
- ac_clean_files_save=$ac_clean_files
--ac_clean_files="$ac_clean_files a.out a.exe b.out"
-+ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out"
- # Try to create an executable without -o first, disregard a.out.
- # It will help us diagnose broken compilers, and finding out an intuition
- # of exeext.
--{ echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
--echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6; }
--ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
--#
--# List of possible output files, starting from the most likely.
--# The algorithm is not robust to junk in `.', hence go to wildcards (a.*)
--# only as a last resort. b.out is created by i960 compilers.
--ac_files='a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out'
--#
--# The IRIX 6 linker writes into existing files which may not be
--# executable, retaining their permissions. Remove them first so a
--# subsequent execution test works.
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5
-+$as_echo_n "checking whether the C compiler works... " >&6; }
-+ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
-+
-+# The possible output files:
-+ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*"
-+
- ac_rmfiles=
- for ac_file in $ac_files
- do
- case $ac_file in
-- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
-+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
- * ) ac_rmfiles="$ac_rmfiles $ac_file";;
- esac
- done
- rm -f $ac_rmfiles
-
--if { (ac_try="$ac_link_default"
-+if { { ac_try="$ac_link_default"
- case "(($ac_try" in
- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
- *) ac_try_echo=$ac_try;;
- esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
- (eval "$ac_link_default") 2>&5
- ac_status=$?
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); }; then
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; }; then :
- # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
- # So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
- # in a Makefile. We should not override ac_cv_exeext if it was cached,
-@@ -2044,14 +2374,14 @@
- do
- test -f "$ac_file" || continue
- case $ac_file in
-- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj )
-+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj )
- ;;
- [ab].out )
- # We found the default executable, but exeext='' is most
- # certainly right.
- break;;
- *.* )
-- if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
-+ if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
- then :; else
- ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
- fi
-@@ -2070,116 +2400,132 @@
- else
- ac_file=''
- fi
--
--{ echo "$as_me:$LINENO: result: $ac_file" >&5
--echo "${ECHO_T}$ac_file" >&6; }
--if test -z "$ac_file"; then
-- echo "$as_me: failed program was:" >&5
-+if test -z "$ac_file"; then :
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
-+$as_echo "$as_me: failed program was:" >&5
- sed 's/^/| /' conftest.$ac_ext >&5
-
--{ { echo "$as_me:$LINENO: error: C compiler cannot create executables
--See \`config.log' for more details." >&5
--echo "$as_me: error: C compiler cannot create executables
--See \`config.log' for more details." >&2;}
-- { (exit 77); exit 77; }; }
--fi
--
-+{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error 77 "C compiler cannot create executables
-+See \`config.log' for more details" "$LINENO" 5 ; }
-+else
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-+$as_echo "yes" >&6; }
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5
-+$as_echo_n "checking for C compiler default output file name... " >&6; }
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5
-+$as_echo "$ac_file" >&6; }
- ac_exeext=$ac_cv_exeext
-
-+rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out
-+ac_clean_files=$ac_clean_files_save
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5
-+$as_echo_n "checking for suffix of executables... " >&6; }
-+if { { ac_try="$ac_link"
-+case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+ (eval "$ac_link") 2>&5
-+ ac_status=$?
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; }; then :
-+ # If both `conftest.exe' and `conftest' are `present' (well, observable)
-+# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will
-+# work properly (i.e., refer to `conftest.exe'), while it won't with
-+# `rm'.
-+for ac_file in conftest.exe conftest conftest.*; do
-+ test -f "$ac_file" || continue
-+ case $ac_file in
-+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
-+ *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
-+ break;;
-+ * ) break;;
-+ esac
-+done
-+else
-+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error $? "cannot compute suffix of executables: cannot compile and link
-+See \`config.log' for more details" "$LINENO" 5 ; }
-+fi
-+rm -f conftest conftest$ac_cv_exeext
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5
-+$as_echo "$ac_cv_exeext" >&6; }
-+
-+rm -f conftest.$ac_ext
-+EXEEXT=$ac_cv_exeext
-+ac_exeext=$EXEEXT
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#include <stdio.h>
-+int
-+main ()
-+{
-+FILE *f = fopen ("conftest.out", "w");
-+ return ferror (f) || fclose (f) != 0;
-+
-+ ;
-+ return 0;
-+}
-+_ACEOF
-+ac_clean_files="$ac_clean_files conftest.out"
- # Check that the compiler produces executables we can run. If not, either
- # the compiler is broken, or we cross compile.
--{ echo "$as_me:$LINENO: checking whether the C compiler works" >&5
--echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6; }
--# FIXME: These cross compiler hacks should be removed for Autoconf 3.0
--# If not cross compiling, check that we can run a simple program.
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5
-+$as_echo_n "checking whether we are cross compiling... " >&6; }
- if test "$cross_compiling" != yes; then
-- if { ac_try='./$ac_file'
-- { (case "(($ac_try" in
-+ { { ac_try="$ac_link"
-+case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+ (eval "$ac_link") 2>&5
-+ ac_status=$?
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; }
-+ if { ac_try='./conftest$ac_cv_exeext'
-+ { { case "(($ac_try" in
- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
- *) ac_try_echo=$ac_try;;
- esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
- (eval "$ac_try") 2>&5
- ac_status=$?
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); }; }; then
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; }; }; then
- cross_compiling=no
- else
- if test "$cross_compiling" = maybe; then
- cross_compiling=yes
- else
-- { { echo "$as_me:$LINENO: error: cannot run C compiled programs.
--If you meant to cross compile, use \`--host'.
--See \`config.log' for more details." >&5
--echo "$as_me: error: cannot run C compiled programs.
-+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error $? "cannot run C compiled programs.
- If you meant to cross compile, use \`--host'.
--See \`config.log' for more details." >&2;}
-- { (exit 1); exit 1; }; }
-+See \`config.log' for more details" "$LINENO" 5 ; }
- fi
- fi
- fi
--{ echo "$as_me:$LINENO: result: yes" >&5
--echo "${ECHO_T}yes" >&6; }
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5
-+$as_echo "$cross_compiling" >&6; }
-
--rm -f a.out a.exe conftest$ac_cv_exeext b.out
-+rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out
- ac_clean_files=$ac_clean_files_save
--# Check that the compiler produces executables we can run. If not, either
--# the compiler is broken, or we cross compile.
--{ echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
--echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6; }
--{ echo "$as_me:$LINENO: result: $cross_compiling" >&5
--echo "${ECHO_T}$cross_compiling" >&6; }
--
--{ echo "$as_me:$LINENO: checking for suffix of executables" >&5
--echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6; }
--if { (ac_try="$ac_link"
--case "(($ac_try" in
-- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-- *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_link") 2>&5
-- ac_status=$?
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); }; then
-- # If both `conftest.exe' and `conftest' are `present' (well, observable)
--# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will
--# work properly (i.e., refer to `conftest.exe'), while it won't with
--# `rm'.
--for ac_file in conftest.exe conftest conftest.*; do
-- test -f "$ac_file" || continue
-- case $ac_file in
-- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
-- *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
-- break;;
-- * ) break;;
-- esac
--done
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5
-+$as_echo_n "checking for suffix of object files... " >&6; }
-+if test "${ac_cv_objext+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
-- { { echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link
--See \`config.log' for more details." >&5
--echo "$as_me: error: cannot compute suffix of executables: cannot compile and link
--See \`config.log' for more details." >&2;}
-- { (exit 1); exit 1; }; }
--fi
--
--rm -f conftest$ac_cv_exeext
--{ echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
--echo "${ECHO_T}$ac_cv_exeext" >&6; }
--
--rm -f conftest.$ac_ext
--EXEEXT=$ac_cv_exeext
--ac_exeext=$EXEEXT
--{ echo "$as_me:$LINENO: checking for suffix of object files" >&5
--echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6; }
--if test "${ac_cv_objext+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
--else
-- cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h. */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
-
- int
-@@ -2191,51 +2537,46 @@
- }
- _ACEOF
- rm -f conftest.o conftest.obj
--if { (ac_try="$ac_compile"
-+if { { ac_try="$ac_compile"
- case "(($ac_try" in
- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
- *) ac_try_echo=$ac_try;;
- esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
- (eval "$ac_compile") 2>&5
- ac_status=$?
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); }; then
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; }; then :
- for ac_file in conftest.o conftest.obj conftest.*; do
- test -f "$ac_file" || continue;
- case $ac_file in
-- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf ) ;;
-+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;;
- *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
- break;;
- esac
- done
- else
-- echo "$as_me: failed program was:" >&5
-+ $as_echo "$as_me: failed program was:" >&5
- sed 's/^/| /' conftest.$ac_ext >&5
-
--{ { echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile
--See \`config.log' for more details." >&5
--echo "$as_me: error: cannot compute suffix of object files: cannot compile
--See \`config.log' for more details." >&2;}
-- { (exit 1); exit 1; }; }
-+{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error $? "cannot compute suffix of object files: cannot compile
-+See \`config.log' for more details" "$LINENO" 5 ; }
- fi
--
- rm -f conftest.$ac_cv_objext conftest.$ac_ext
- fi
--{ echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
--echo "${ECHO_T}$ac_cv_objext" >&6; }
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5
-+$as_echo "$ac_cv_objext" >&6; }
- OBJEXT=$ac_cv_objext
- ac_objext=$OBJEXT
--{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
--echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; }
--if test "${ac_cv_c_compiler_gnu+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5
-+$as_echo_n "checking whether we are using the GNU C compiler... " >&6; }
-+if test "${ac_cv_c_compiler_gnu+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
-- cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h. */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
-
- int
-@@ -2249,54 +2590,34 @@
- return 0;
- }
- _ACEOF
--rm -f conftest.$ac_objext
--if { (ac_try="$ac_compile"
--case "(($ac_try" in
-- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-- *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_compile") 2>conftest.er1
-- ac_status=$?
-- grep -v '^ *+' conftest.er1 >conftest.err
-- rm -f conftest.er1
-- cat conftest.err >&5
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); } && {
-- test -z "$ac_c_werror_flag" ||
-- test ! -s conftest.err
-- } && test -s conftest.$ac_objext; then
-+if ac_fn_c_try_compile "$LINENO"; then :
- ac_compiler_gnu=yes
- else
-- echo "$as_me: failed program was:" >&5
--sed 's/^/| /' conftest.$ac_ext >&5
--
-- ac_compiler_gnu=no
-+ ac_compiler_gnu=no
- fi
--
- rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
- ac_cv_c_compiler_gnu=$ac_compiler_gnu
-
- fi
--{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
--echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; }
--GCC=`test $ac_compiler_gnu = yes && echo yes`
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5
-+$as_echo "$ac_cv_c_compiler_gnu" >&6; }
-+if test $ac_compiler_gnu = yes; then
-+ GCC=yes
-+else
-+ GCC=
-+fi
- ac_test_CFLAGS=${CFLAGS+set}
- ac_save_CFLAGS=$CFLAGS
--{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
--echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; }
--if test "${ac_cv_prog_cc_g+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5
-+$as_echo_n "checking whether $CC accepts -g... " >&6; }
-+if test "${ac_cv_prog_cc_g+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
- ac_save_c_werror_flag=$ac_c_werror_flag
- ac_c_werror_flag=yes
- ac_cv_prog_cc_g=no
- CFLAGS="-g"
-- cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h. */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
-
- int
-@@ -2307,34 +2628,11 @@
- return 0;
- }
- _ACEOF
--rm -f conftest.$ac_objext
--if { (ac_try="$ac_compile"
--case "(($ac_try" in
-- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-- *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_compile") 2>conftest.er1
-- ac_status=$?
-- grep -v '^ *+' conftest.er1 >conftest.err
-- rm -f conftest.er1
-- cat conftest.err >&5
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); } && {
-- test -z "$ac_c_werror_flag" ||
-- test ! -s conftest.err
-- } && test -s conftest.$ac_objext; then
-+if ac_fn_c_try_compile "$LINENO"; then :
- ac_cv_prog_cc_g=yes
- else
-- echo "$as_me: failed program was:" >&5
--sed 's/^/| /' conftest.$ac_ext >&5
--
-- CFLAGS=""
-- cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h. */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+ CFLAGS=""
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
-
- int
-@@ -2345,35 +2643,12 @@
- return 0;
- }
- _ACEOF
--rm -f conftest.$ac_objext
--if { (ac_try="$ac_compile"
--case "(($ac_try" in
-- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-- *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_compile") 2>conftest.er1
-- ac_status=$?
-- grep -v '^ *+' conftest.er1 >conftest.err
-- rm -f conftest.er1
-- cat conftest.err >&5
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); } && {
-- test -z "$ac_c_werror_flag" ||
-- test ! -s conftest.err
-- } && test -s conftest.$ac_objext; then
-- :
--else
-- echo "$as_me: failed program was:" >&5
--sed 's/^/| /' conftest.$ac_ext >&5
-+if ac_fn_c_try_compile "$LINENO"; then :
-
-- ac_c_werror_flag=$ac_save_c_werror_flag
-+else
-+ ac_c_werror_flag=$ac_save_c_werror_flag
- CFLAGS="-g"
-- cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h. */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
-
- int
-@@ -2384,42 +2659,18 @@
- return 0;
- }
- _ACEOF
--rm -f conftest.$ac_objext
--if { (ac_try="$ac_compile"
--case "(($ac_try" in
-- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-- *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_compile") 2>conftest.er1
-- ac_status=$?
-- grep -v '^ *+' conftest.er1 >conftest.err
-- rm -f conftest.er1
-- cat conftest.err >&5
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); } && {
-- test -z "$ac_c_werror_flag" ||
-- test ! -s conftest.err
-- } && test -s conftest.$ac_objext; then
-+if ac_fn_c_try_compile "$LINENO"; then :
- ac_cv_prog_cc_g=yes
--else
-- echo "$as_me: failed program was:" >&5
--sed 's/^/| /' conftest.$ac_ext >&5
--
--
- fi
--
- rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
- fi
--
- rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
- fi
--
- rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
- ac_c_werror_flag=$ac_save_c_werror_flag
- fi
--{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
--echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; }
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5
-+$as_echo "$ac_cv_prog_cc_g" >&6; }
- if test "$ac_test_CFLAGS" = set; then
- CFLAGS=$ac_save_CFLAGS
- elif test $ac_cv_prog_cc_g = yes; then
-@@ -2435,18 +2686,14 @@
- CFLAGS=
- fi
- fi
--{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
--echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; }
--if test "${ac_cv_prog_cc_c89+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5
-+$as_echo_n "checking for $CC option to accept ISO C89... " >&6; }
-+if test "${ac_cv_prog_cc_c89+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
- ac_cv_prog_cc_c89=no
- ac_save_CC=$CC
--cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h. */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
- #include <stdarg.h>
- #include <stdio.h>
-@@ -2503,31 +2750,9 @@
- -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
- do
- CC="$ac_save_CC $ac_arg"
-- rm -f conftest.$ac_objext
--if { (ac_try="$ac_compile"
--case "(($ac_try" in
-- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-- *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_compile") 2>conftest.er1
-- ac_status=$?
-- grep -v '^ *+' conftest.er1 >conftest.err
-- rm -f conftest.er1
-- cat conftest.err >&5
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); } && {
-- test -z "$ac_c_werror_flag" ||
-- test ! -s conftest.err
-- } && test -s conftest.$ac_objext; then
-+ if ac_fn_c_try_compile "$LINENO"; then :
- ac_cv_prog_cc_c89=$ac_arg
--else
-- echo "$as_me: failed program was:" >&5
--sed 's/^/| /' conftest.$ac_ext >&5
--
--
- fi
--
- rm -f core conftest.err conftest.$ac_objext
- test "x$ac_cv_prog_cc_c89" != "xno" && break
- done
-@@ -2538,17 +2763,19 @@
- # AC_CACHE_VAL
- case "x$ac_cv_prog_cc_c89" in
- x)
-- { echo "$as_me:$LINENO: result: none needed" >&5
--echo "${ECHO_T}none needed" >&6; } ;;
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5
-+$as_echo "none needed" >&6; } ;;
- xno)
-- { echo "$as_me:$LINENO: result: unsupported" >&5
--echo "${ECHO_T}unsupported" >&6; } ;;
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5
-+$as_echo "unsupported" >&6; } ;;
- *)
- CC="$CC $ac_cv_prog_cc_c89"
-- { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
--echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;;
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5
-+$as_echo "$ac_cv_prog_cc_c89" >&6; } ;;
- esac
-+if test "x$ac_cv_prog_cc_c89" != xno; then :
-
-+fi
-
- ac_ext=c
- ac_cpp='$CPP $CPPFLAGS'
-@@ -2557,81 +2784,474 @@
- ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-
--
--{ echo "$as_me:$LINENO: checking for exchangeTNCCSMessages in -lTNCS" >&5
--echo $ECHO_N "checking for exchangeTNCCSMessages in -lTNCS... $ECHO_C" >&6; }
--if test "${ac_cv_lib_TNCS_exchangeTNCCSMessages+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for processEAPTNCData in -lnaaeap" >&5
-+$as_echo_n "checking for processEAPTNCData in -lnaaeap... " >&6; }
-+if test "${ac_cv_lib_naaeap_processEAPTNCData+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
- ac_check_lib_save_LIBS=$LIBS
--LIBS="-lTNCS $LIBS"
--cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h. */
-+LIBS="-lnaaeap $LIBS"
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+
-+/* Override any GCC internal prototype to avoid an error.
-+ Use char because int might match the return type of a GCC
-+ builtin and then its argument prototype would still apply. */
-+#ifdef __cplusplus
-+extern "C"
-+#endif
-+char processEAPTNCData ();
-+int
-+main ()
-+{
-+return processEAPTNCData ();
-+ ;
-+ return 0;
-+}
-+_ACEOF
-+if ac_fn_c_try_link "$LINENO"; then :
-+ ac_cv_lib_naaeap_processEAPTNCData=yes
-+else
-+ ac_cv_lib_naaeap_processEAPTNCData=no
-+fi
-+rm -f core conftest.err conftest.$ac_objext \
-+ conftest$ac_exeext conftest.$ac_ext
-+LIBS=$ac_check_lib_save_LIBS
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_naaeap_processEAPTNCData" >&5
-+$as_echo "$ac_cv_lib_naaeap_processEAPTNCData" >&6; }
-+if test "x$ac_cv_lib_naaeap_processEAPTNCData" = x""yes; then :
-+ cat >>confdefs.h <<_ACEOF
-+#define HAVE_LIBNAAEAP 1
-+_ACEOF
-+
-+ LIBS="-lnaaeap $LIBS"
-+
-+else
-+ fail="$fail -lnaaeap"
-+fi
-+
-+ if test -x"$ac_cv_lib_NAAEAP_processEAPTNCData" == -x"no"; then
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the NAAEAP library was not found!" >&5
-+$as_echo "$as_me: WARNING: the NAAEAP library was not found!" >&2;}
-+ fail="$fail -lNAAEAP"
-+ fi
-+
-+ ac_ext=c
-+ac_cpp='$CPP $CPPFLAGS'
-+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-+ac_compiler_gnu=$ac_cv_c_compiler_gnu
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5
-+$as_echo_n "checking how to run the C preprocessor... " >&6; }
-+# On Suns, sometimes $CPP names a directory.
-+if test -n "$CPP" && test -d "$CPP"; then
-+ CPP=
-+fi
-+if test -z "$CPP"; then
-+ if test "${ac_cv_prog_CPP+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
-+else
-+ # Double quotes because CPP needs to be expanded
-+ for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
-+ do
-+ ac_preproc_ok=false
-+for ac_c_preproc_warn_flag in '' yes
-+do
-+ # Use a header file that comes with gcc, so configuring glibc
-+ # with a fresh cross-compiler works.
-+ # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-+ # <limits.h> exists even on freestanding compilers.
-+ # On the NeXT, cc -E runs the code through the compiler's parser,
-+ # not just through cpp. "Syntax error" is here to catch this case.
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#ifdef __STDC__
-+# include <limits.h>
-+#else
-+# include <assert.h>
-+#endif
-+ Syntax error
-+_ACEOF
-+if ac_fn_c_try_cpp "$LINENO"; then :
-+
-+else
-+ # Broken: fails on valid input.
-+continue
-+fi
-+rm -f conftest.err conftest.i conftest.$ac_ext
-+
-+ # OK, works on sane cases. Now check whether nonexistent headers
-+ # can be detected and how.
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#include <ac_nonexistent.h>
-+_ACEOF
-+if ac_fn_c_try_cpp "$LINENO"; then :
-+ # Broken: success on invalid input.
-+continue
-+else
-+ # Passes both tests.
-+ac_preproc_ok=:
-+break
-+fi
-+rm -f conftest.err conftest.i conftest.$ac_ext
-+
-+done
-+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-+rm -f conftest.i conftest.err conftest.$ac_ext
-+if $ac_preproc_ok; then :
-+ break
-+fi
-+
-+ done
-+ ac_cv_prog_CPP=$CPP
-+
-+fi
-+ CPP=$ac_cv_prog_CPP
-+else
-+ ac_cv_prog_CPP=$CPP
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5
-+$as_echo "$CPP" >&6; }
-+ac_preproc_ok=false
-+for ac_c_preproc_warn_flag in '' yes
-+do
-+ # Use a header file that comes with gcc, so configuring glibc
-+ # with a fresh cross-compiler works.
-+ # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-+ # <limits.h> exists even on freestanding compilers.
-+ # On the NeXT, cc -E runs the code through the compiler's parser,
-+ # not just through cpp. "Syntax error" is here to catch this case.
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#ifdef __STDC__
-+# include <limits.h>
-+#else
-+# include <assert.h>
-+#endif
-+ Syntax error
-+_ACEOF
-+if ac_fn_c_try_cpp "$LINENO"; then :
-+
-+else
-+ # Broken: fails on valid input.
-+continue
-+fi
-+rm -f conftest.err conftest.i conftest.$ac_ext
-+
-+ # OK, works on sane cases. Now check whether nonexistent headers
-+ # can be detected and how.
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#include <ac_nonexistent.h>
-+_ACEOF
-+if ac_fn_c_try_cpp "$LINENO"; then :
-+ # Broken: success on invalid input.
-+continue
-+else
-+ # Passes both tests.
-+ac_preproc_ok=:
-+break
-+fi
-+rm -f conftest.err conftest.i conftest.$ac_ext
-+
-+done
-+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-+rm -f conftest.i conftest.err conftest.$ac_ext
-+if $ac_preproc_ok; then :
-+
-+else
-+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error $? "C preprocessor \"$CPP\" fails sanity check
-+See \`config.log' for more details" "$LINENO" 5 ; }
-+fi
-+
-+ac_ext=c
-+ac_cpp='$CPP $CPPFLAGS'
-+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-+ac_compiler_gnu=$ac_cv_c_compiler_gnu
-+
-+
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5
-+$as_echo_n "checking for grep that handles long lines and -e... " >&6; }
-+if test "${ac_cv_path_GREP+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
-+else
-+ if test -z "$GREP"; then
-+ ac_path_GREP_found=false
-+ # Loop through the user's path and test for each of PROGNAME-LIST
-+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
-+do
-+ IFS=$as_save_IFS
-+ test -z "$as_dir" && as_dir=.
-+ for ac_prog in grep ggrep; do
-+ for ac_exec_ext in '' $ac_executable_extensions; do
-+ ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
-+ { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
-+# Check for GNU ac_path_GREP and select it if it is found.
-+ # Check for GNU $ac_path_GREP
-+case `"$ac_path_GREP" --version 2>&1` in
-+*GNU*)
-+ ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;;
-+*)
-+ ac_count=0
-+ $as_echo_n 0123456789 >"conftest.in"
-+ while :
-+ do
-+ cat "conftest.in" "conftest.in" >"conftest.tmp"
-+ mv "conftest.tmp" "conftest.in"
-+ cp "conftest.in" "conftest.nl"
-+ $as_echo 'GREP' >> "conftest.nl"
-+ "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break
-+ diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
-+ as_fn_arith $ac_count + 1 && ac_count=$as_val
-+ if test $ac_count -gt ${ac_path_GREP_max-0}; then
-+ # Best one so far, save it but keep looking for a better one
-+ ac_cv_path_GREP="$ac_path_GREP"
-+ ac_path_GREP_max=$ac_count
-+ fi
-+ # 10*(2^10) chars as input seems more than enough
-+ test $ac_count -gt 10 && break
-+ done
-+ rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
-+esac
-+
-+ $ac_path_GREP_found && break 3
-+ done
-+ done
-+ done
-+IFS=$as_save_IFS
-+ if test -z "$ac_cv_path_GREP"; then
-+ as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
-+ fi
-+else
-+ ac_cv_path_GREP=$GREP
-+fi
-+
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5
-+$as_echo "$ac_cv_path_GREP" >&6; }
-+ GREP="$ac_cv_path_GREP"
-+
-+
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5
-+$as_echo_n "checking for egrep... " >&6; }
-+if test "${ac_cv_path_EGREP+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
-+else
-+ if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
-+ then ac_cv_path_EGREP="$GREP -E"
-+ else
-+ if test -z "$EGREP"; then
-+ ac_path_EGREP_found=false
-+ # Loop through the user's path and test for each of PROGNAME-LIST
-+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
-+do
-+ IFS=$as_save_IFS
-+ test -z "$as_dir" && as_dir=.
-+ for ac_prog in egrep; do
-+ for ac_exec_ext in '' $ac_executable_extensions; do
-+ ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
-+ { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
-+# Check for GNU ac_path_EGREP and select it if it is found.
-+ # Check for GNU $ac_path_EGREP
-+case `"$ac_path_EGREP" --version 2>&1` in
-+*GNU*)
-+ ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;;
-+*)
-+ ac_count=0
-+ $as_echo_n 0123456789 >"conftest.in"
-+ while :
-+ do
-+ cat "conftest.in" "conftest.in" >"conftest.tmp"
-+ mv "conftest.tmp" "conftest.in"
-+ cp "conftest.in" "conftest.nl"
-+ $as_echo 'EGREP' >> "conftest.nl"
-+ "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
-+ diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
-+ as_fn_arith $ac_count + 1 && ac_count=$as_val
-+ if test $ac_count -gt ${ac_path_EGREP_max-0}; then
-+ # Best one so far, save it but keep looking for a better one
-+ ac_cv_path_EGREP="$ac_path_EGREP"
-+ ac_path_EGREP_max=$ac_count
-+ fi
-+ # 10*(2^10) chars as input seems more than enough
-+ test $ac_count -gt 10 && break
-+ done
-+ rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
-+esac
-+
-+ $ac_path_EGREP_found && break 3
-+ done
-+ done
-+ done
-+IFS=$as_save_IFS
-+ if test -z "$ac_cv_path_EGREP"; then
-+ as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
-+ fi
-+else
-+ ac_cv_path_EGREP=$EGREP
-+fi
-+
-+ fi
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5
-+$as_echo "$ac_cv_path_EGREP" >&6; }
-+ EGREP="$ac_cv_path_EGREP"
-+
-+
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
-+$as_echo_n "checking for ANSI C header files... " >&6; }
-+if test "${ac_cv_header_stdc+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
-+else
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#include <stdlib.h>
-+#include <stdarg.h>
-+#include <string.h>
-+#include <float.h>
-+
-+int
-+main ()
-+{
-+
-+ ;
-+ return 0;
-+}
-+_ACEOF
-+if ac_fn_c_try_compile "$LINENO"; then :
-+ ac_cv_header_stdc=yes
-+else
-+ ac_cv_header_stdc=no
-+fi
-+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-+
-+if test $ac_cv_header_stdc = yes; then
-+ # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#include <string.h>
-+
- _ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-+ $EGREP "memchr" >/dev/null 2>&1; then :
-+
-+else
-+ ac_cv_header_stdc=no
-+fi
-+rm -f conftest*
-+
-+fi
-+
-+if test $ac_cv_header_stdc = yes; then
-+ # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#include <stdlib.h>
-+
-+_ACEOF
-+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-+ $EGREP "free" >/dev/null 2>&1; then :
-+
-+else
-+ ac_cv_header_stdc=no
-+fi
-+rm -f conftest*
-+
-+fi
-+
-+if test $ac_cv_header_stdc = yes; then
-+ # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
-+ if test "$cross_compiling" = yes; then :
-+ :
-+else
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
--
--/* Override any GCC internal prototype to avoid an error.
-- Use char because int might match the return type of a GCC
-- builtin and then its argument prototype would still apply. */
--#ifdef __cplusplus
--extern "C"
-+#include <ctype.h>
-+#include <stdlib.h>
-+#if ((' ' & 0x0FF) == 0x020)
-+# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
-+# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
-+#else
-+# define ISLOWER(c) \
-+ (('a' <= (c) && (c) <= 'i') \
-+ || ('j' <= (c) && (c) <= 'r') \
-+ || ('s' <= (c) && (c) <= 'z'))
-+# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
- #endif
--char exchangeTNCCSMessages ();
-+
-+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
- int
- main ()
- {
--return exchangeTNCCSMessages ();
-- ;
-+ int i;
-+ for (i = 0; i < 256; i++)
-+ if (XOR (islower (i), ISLOWER (i))
-+ || toupper (i) != TOUPPER (i))
-+ return 2;
- return 0;
- }
- _ACEOF
--rm -f conftest.$ac_objext conftest$ac_exeext
--if { (ac_try="$ac_link"
--case "(($ac_try" in
-- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-- *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_link") 2>conftest.er1
-- ac_status=$?
-- grep -v '^ *+' conftest.er1 >conftest.err
-- rm -f conftest.er1
-- cat conftest.err >&5
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); } && {
-- test -z "$ac_c_werror_flag" ||
-- test ! -s conftest.err
-- } && test -s conftest$ac_exeext &&
-- $as_test_x conftest$ac_exeext; then
-- ac_cv_lib_TNCS_exchangeTNCCSMessages=yes
-+if ac_fn_c_try_run "$LINENO"; then :
-+
- else
-- echo "$as_me: failed program was:" >&5
--sed 's/^/| /' conftest.$ac_ext >&5
-+ ac_cv_header_stdc=no
-+fi
-+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
-+ conftest.$ac_objext conftest.beam conftest.$ac_ext
-+fi
-
-- ac_cv_lib_TNCS_exchangeTNCCSMessages=no
- fi
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5
-+$as_echo "$ac_cv_header_stdc" >&6; }
-+if test $ac_cv_header_stdc = yes; then
-+
-+$as_echo "#define STDC_HEADERS 1" >>confdefs.h
-
--rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-- conftest$ac_exeext conftest.$ac_ext
--LIBS=$ac_check_lib_save_LIBS
- fi
--{ echo "$as_me:$LINENO: result: $ac_cv_lib_TNCS_exchangeTNCCSMessages" >&5
--echo "${ECHO_T}$ac_cv_lib_TNCS_exchangeTNCCSMessages" >&6; }
--if test $ac_cv_lib_TNCS_exchangeTNCCSMessages = yes; then
-+
-+# On IRIX 5.3, sys/types and inttypes.h are conflicting.
-+for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
-+ inttypes.h stdint.h unistd.h
-+do :
-+ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-+ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
-+"
-+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
- cat >>confdefs.h <<_ACEOF
--#define HAVE_LIBTNCS 1
-+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
- _ACEOF
-
-- LIBS="-lTNCS $LIBS"
-+fi
-+
-+done
-+
-+
-+for ac_header in naaeap/naaeap.h
-+do :
-+ ac_fn_c_check_header_mongrel "$LINENO" "naaeap/naaeap.h" "ac_cv_header_naaeap_naaeap_h" "$ac_includes_default"
-+if test "x$ac_cv_header_naaeap_naaeap_h" = x""yes; then :
-+ cat >>confdefs.h <<_ACEOF
-+#define HAVE_NAAEAP_NAAEAP_H 1
-+_ACEOF
-
-+else
-+ fail="$fail -Inaaeap.h"
- fi
-
-- if test "x$ac_cv_lib_tncs_exchangetnccsmessages" != xyes; then
-- { echo "$as_me:$LINENO: WARNING: the TNCS library isn't found!" >&5
--echo "$as_me: WARNING: the TNCS library isn't found!" >&2;}
-- fail="$fail -lTNCS"
-+done
-+
-+ if test -x"$ac_cv_header_naaeap_h" == -x"no"; then
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the naaeap header was not found!" >&5
-+$as_echo "$as_me: WARNING: the naaeap header was not found!" >&2;}
-+ fail="$fail -Inaaeap.h"
- fi
-
- targetname=rlm_eap_tnc
-@@ -2642,14 +3262,12 @@
-
- if test x"$fail" != x""; then
- if test x"${enable_strict_dependencies}" = x"yes"; then
-- { { echo "$as_me:$LINENO: error: set --without-rlm_eap_tnc to disable it explicitly." >&5
--echo "$as_me: error: set --without-rlm_eap_tnc to disable it explicitly." >&2;}
-- { (exit 1); exit 1; }; }
-+ as_fn_error $? "set --without-rlm_eap_tnc to disable it explicitly." "$LINENO" 5
- else
-- { echo "$as_me:$LINENO: WARNING: silently not building rlm_eap_tnc." >&5
--echo "$as_me: WARNING: silently not building rlm_eap_tnc." >&2;}
-- { echo "$as_me:$LINENO: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&5
--echo "$as_me: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&2;};
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: silently not building rlm_eap_tnc." >&5
-+$as_echo "$as_me: WARNING: silently not building rlm_eap_tnc." >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&5
-+$as_echo "$as_me: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&2;};
- targetname=""
- fi
- fi
-@@ -2658,11 +3276,7 @@
-
-
-
--
-- unset ac_cv_env_LIBS_set
-- unset ac_cv_env_LIBS_value
--
-- ac_config_files="$ac_config_files Makefile"
-+ac_config_files="$ac_config_files Makefile"
-
- cat >confcache <<\_ACEOF
- # This file is a shell script that caches the results of configure
-@@ -2691,12 +3305,13 @@
- case $ac_val in #(
- *${as_nl}*)
- case $ac_var in #(
-- *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
--echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
-+ *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
-+$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
- esac
- case $ac_var in #(
- _ | IFS | as_nl) ;; #(
-- *) $as_unset $ac_var ;;
-+ BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
-+ *) { eval $ac_var=; unset $ac_var;} ;;
- esac ;;
- esac
- done
-@@ -2704,8 +3319,8 @@
- (set) 2>&1 |
- case $as_nl`(ac_space=' '; set) 2>&1` in #(
- *${as_nl}ac_space=\ *)
-- # `set' does not quote correctly, so add quotes (double-quote
-- # substitution turns \\\\ into \\, and sed turns \\ into \).
-+ # `set' does not quote correctly, so add quotes: double-quote
-+ # substitution turns \\\\ into \\, and sed turns \\ into \.
- sed -n \
- "s/'/'\\\\''/g;
- s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
-@@ -2728,12 +3343,12 @@
- if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
- if test -w "$cache_file"; then
- test "x$cache_file" != "x/dev/null" &&
-- { echo "$as_me:$LINENO: updating cache $cache_file" >&5
--echo "$as_me: updating cache $cache_file" >&6;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5
-+$as_echo "$as_me: updating cache $cache_file" >&6;}
- cat confcache >$cache_file
- else
-- { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
--echo "$as_me: not updating unwritable cache $cache_file" >&6;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5
-+$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;}
- fi
- fi
- rm -f confcache
-@@ -2750,6 +3365,12 @@
- # take arguments), then branch to the quote section. Otherwise,
- # look for a macro that doesn't take arguments.
- ac_script='
-+:mline
-+/\\$/{
-+ N
-+ s,\\\n,,
-+ b mline
-+}
- t clear
- :clear
- s/^[ ]*#[ ]*define[ ][ ]*\([^ (][^ (]*([^)]*)\)[ ]*\(.*\)/-D\1=\2/g
-@@ -2776,14 +3397,15 @@
-
- ac_libobjs=
- ac_ltlibobjs=
-+U=
- for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
- # 1. Remove the extension, and $U if already installed.
- ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
-- ac_i=`echo "$ac_i" | sed "$ac_script"`
-+ ac_i=`$as_echo "$ac_i" | sed "$ac_script"`
- # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR
- # will be set to the directory where LIBOBJS objects are built.
-- ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext"
-- ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo'
-+ as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext"
-+ as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo'
- done
- LIBOBJS=$ac_libobjs
-
-@@ -2792,11 +3414,13 @@
-
-
- : ${CONFIG_STATUS=./config.status}
-+ac_write_fail=0
- ac_clean_files_save=$ac_clean_files
- ac_clean_files="$ac_clean_files $CONFIG_STATUS"
--{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
--echo "$as_me: creating $CONFIG_STATUS" >&6;}
--cat >$CONFIG_STATUS <<_ACEOF
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5
-+$as_echo "$as_me: creating $CONFIG_STATUS" >&6;}
-+as_write_fail=0
-+cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1
- #! $SHELL
- # Generated by $as_me.
- # Run this file to recreate the current configuration.
-@@ -2806,59 +3430,79 @@
- debug=false
- ac_cs_recheck=false
- ac_cs_silent=false
--SHELL=\${CONFIG_SHELL-$SHELL}
--_ACEOF
-
--cat >>$CONFIG_STATUS <<\_ACEOF
--## --------------------- ##
--## M4sh Initialization. ##
--## --------------------- ##
-+SHELL=\${CONFIG_SHELL-$SHELL}
-+export SHELL
-+_ASEOF
-+cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1
-+## -------------------- ##
-+## M4sh Initialization. ##
-+## -------------------- ##
-
- # Be more Bourne compatible
- DUALCASE=1; export DUALCASE # for MKS sh
--if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
- emulate sh
- NULLCMD=:
-- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-+ # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
- # is contrary to our usage. Disable this feature.
- alias -g '${1+"$@"}'='"$@"'
- setopt NO_GLOB_SUBST
- else
-- case `(set -o) 2>/dev/null` in
-- *posix*) set -o posix ;;
-+ case `(set -o) 2>/dev/null` in #(
-+ *posix*) :
-+ set -o posix ;; #(
-+ *) :
-+ ;;
- esac
--
- fi
-
-
--
--
--# PATH needs CR
--# Avoid depending upon Character Ranges.
--as_cr_letters='abcdefghijklmnopqrstuvwxyz'
--as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
--as_cr_Letters=$as_cr_letters$as_cr_LETTERS
--as_cr_digits='0123456789'
--as_cr_alnum=$as_cr_Letters$as_cr_digits
--
--# The user is always right.
--if test "${PATH_SEPARATOR+set}" != set; then
-- echo "#! /bin/sh" >conf$$.sh
-- echo "exit 0" >>conf$$.sh
-- chmod +x conf$$.sh
-- if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
-- PATH_SEPARATOR=';'
-+as_nl='
-+'
-+export as_nl
-+# Printing a long string crashes Solaris 7 /usr/bin/printf.
-+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
-+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
-+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
-+# Prefer a ksh shell builtin over an external printf program on Solaris,
-+# but without wasting forks for bash or zsh.
-+if test -z "$BASH_VERSION$ZSH_VERSION" \
-+ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
-+ as_echo='print -r --'
-+ as_echo_n='print -rn --'
-+elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
-+ as_echo='printf %s\n'
-+ as_echo_n='printf %s'
-+else
-+ if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
-+ as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
-+ as_echo_n='/usr/ucb/echo -n'
- else
-- PATH_SEPARATOR=:
-+ as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
-+ as_echo_n_body='eval
-+ arg=$1;
-+ case $arg in #(
-+ *"$as_nl"*)
-+ expr "X$arg" : "X\\(.*\\)$as_nl";
-+ arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
-+ esac;
-+ expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
-+ '
-+ export as_echo_n_body
-+ as_echo_n='sh -c $as_echo_n_body as_echo'
- fi
-- rm -f conf$$.sh
-+ export as_echo_body
-+ as_echo='sh -c $as_echo_body as_echo'
- fi
-
--# Support unset when possible.
--if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
-- as_unset=unset
--else
-- as_unset=false
-+# The user is always right.
-+if test "${PATH_SEPARATOR+set}" != set; then
-+ PATH_SEPARATOR=:
-+ (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
-+ (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
-+ PATH_SEPARATOR=';'
-+ }
- fi
-
-
-@@ -2867,20 +3511,18 @@
- # there to prevent editors from complaining about space-tab.
- # (If _AS_PATH_WALK were called with IFS unset, it would disable word
- # splitting by setting IFS to empty value.)
--as_nl='
--'
- IFS=" "" $as_nl"
-
- # Find who we are. Look in the path if we contain no directory separator.
--case $0 in
-+case $0 in #((
- *[\\/]* ) as_myself=$0 ;;
- *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
- for as_dir in $PATH
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
--done
-+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-+ done
- IFS=$as_save_IFS
-
- ;;
-@@ -2891,32 +3533,111 @@
- as_myself=$0
- fi
- if test ! -f "$as_myself"; then
-- echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
-- { (exit 1); exit 1; }
-+ $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
-+ exit 1
- fi
-
--# Work around bugs in pre-3.0 UWIN ksh.
--for as_var in ENV MAIL MAILPATH
--do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-+# Unset variables that we do not need and which cause bugs (e.g. in
-+# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1"
-+# suppresses any "Segmentation fault" message there. '((' could
-+# trigger a bug in pdksh 5.2.14.
-+for as_var in BASH_ENV ENV MAIL MAILPATH
-+do eval test x\${$as_var+set} = xset \
-+ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
- done
- PS1='$ '
- PS2='> '
- PS4='+ '
-
- # NLS nuisances.
--for as_var in \
-- LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
-- LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
-- LC_TELEPHONE LC_TIME
--do
-- if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
-- eval $as_var=C; export $as_var
-- else
-- ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-+LC_ALL=C
-+export LC_ALL
-+LANGUAGE=C
-+export LANGUAGE
-+
-+# CDPATH.
-+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-+
-+
-+# as_fn_error STATUS ERROR [LINENO LOG_FD]
-+# ----------------------------------------
-+# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
-+# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
-+# script with STATUS, using 1 if that was 0.
-+as_fn_error ()
-+{
-+ as_status=$1; test $as_status -eq 0 && as_status=1
-+ if test "$4"; then
-+ as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+ $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
- fi
--done
-+ $as_echo "$as_me: error: $2" >&2
-+ as_fn_exit $as_status
-+} # as_fn_error
-+
-+
-+# as_fn_set_status STATUS
-+# -----------------------
-+# Set $? to STATUS, without forking.
-+as_fn_set_status ()
-+{
-+ return $1
-+} # as_fn_set_status
-+
-+# as_fn_exit STATUS
-+# -----------------
-+# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
-+as_fn_exit ()
-+{
-+ set +e
-+ as_fn_set_status $1
-+ exit $1
-+} # as_fn_exit
-+
-+# as_fn_unset VAR
-+# ---------------
-+# Portably unset VAR.
-+as_fn_unset ()
-+{
-+ { eval $1=; unset $1;}
-+}
-+as_unset=as_fn_unset
-+# as_fn_append VAR VALUE
-+# ----------------------
-+# Append the text in VALUE to the end of the definition contained in VAR. Take
-+# advantage of any shell optimizations that allow amortized linear growth over
-+# repeated appends, instead of the typical quadratic growth present in naive
-+# implementations.
-+if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
-+ eval 'as_fn_append ()
-+ {
-+ eval $1+=\$2
-+ }'
-+else
-+ as_fn_append ()
-+ {
-+ eval $1=\$$1\$2
-+ }
-+fi # as_fn_append
-+
-+# as_fn_arith ARG...
-+# ------------------
-+# Perform arithmetic evaluation on the ARGs, and store the result in the
-+# global $as_val. Take advantage of shells that can avoid forks. The arguments
-+# must be portable across $(()) and expr.
-+if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
-+ eval 'as_fn_arith ()
-+ {
-+ as_val=$(( $* ))
-+ }'
-+else
-+ as_fn_arith ()
-+ {
-+ as_val=`expr "$@" || test $? -eq 1`
-+ }
-+fi # as_fn_arith
-+
-
--# Required to use basename.
- if expr a : '\(a\)' >/dev/null 2>&1 &&
- test "X`expr 00001 : '.*\(...\)'`" = X001; then
- as_expr=expr
-@@ -2930,13 +3651,17 @@
- as_basename=false
- fi
-
-+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
-+ as_dirname=dirname
-+else
-+ as_dirname=false
-+fi
-
--# Name of the executable.
- as_me=`$as_basename -- "$0" ||
- $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
- X"$0" : 'X\(//\)$' \| \
- X"$0" : 'X\(/\)' \| . 2>/dev/null ||
--echo X/"$0" |
-+$as_echo X/"$0" |
- sed '/^.*\/\([^/][^/]*\)\/*$/{
- s//\1/
- q
-@@ -2951,104 +3676,103 @@
- }
- s/.*/./; q'`
-
--# CDPATH.
--$as_unset CDPATH
--
--
--
-- as_lineno_1=$LINENO
-- as_lineno_2=$LINENO
-- test "x$as_lineno_1" != "x$as_lineno_2" &&
-- test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
--
-- # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
-- # uniformly replaced by the line number. The first 'sed' inserts a
-- # line-number line after each line using $LINENO; the second 'sed'
-- # does the real work. The second script uses 'N' to pair each
-- # line-number line with the line containing $LINENO, and appends
-- # trailing '-' during substitution so that $LINENO is not a special
-- # case at line end.
-- # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
-- # scripts with optimization help from Paolo Bonzini. Blame Lee
-- # E. McMahon (1931-1989) for sed's syntax. :-)
-- sed -n '
-- p
-- /[$]LINENO/=
-- ' <$as_myself |
-- sed '
-- s/[$]LINENO.*/&-/
-- t lineno
-- b
-- :lineno
-- N
-- :loop
-- s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
-- t loop
-- s/-\n.*//
-- ' >$as_me.lineno &&
-- chmod +x "$as_me.lineno" ||
-- { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
-- { (exit 1); exit 1; }; }
--
-- # Don't try to exec as it changes $[0], causing all sort of problems
-- # (the dirname of $[0] is not the place where we might find the
-- # original and so on. Autoconf is especially sensitive to this).
-- . "./$as_me.lineno"
-- # Exit status is that of the last command.
-- exit
--}
--
--
--if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
-- as_dirname=dirname
--else
-- as_dirname=false
--fi
-+# Avoid depending upon Character Ranges.
-+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-+as_cr_digits='0123456789'
-+as_cr_alnum=$as_cr_Letters$as_cr_digits
-
- ECHO_C= ECHO_N= ECHO_T=
--case `echo -n x` in
-+case `echo -n x` in #(((((
- -n*)
-- case `echo 'x\c'` in
-+ case `echo 'xy\c'` in
- *c*) ECHO_T=' ';; # ECHO_T is single tab character.
-- *) ECHO_C='\c';;
-+ xy) ECHO_C='\c';;
-+ *) echo `echo ksh88 bug on AIX 6.1` > /dev/null
-+ ECHO_T=' ';;
- esac;;
- *)
- ECHO_N='-n';;
- esac
-
--if expr a : '\(a\)' >/dev/null 2>&1 &&
-- test "X`expr 00001 : '.*\(...\)'`" = X001; then
-- as_expr=expr
--else
-- as_expr=false
--fi
--
- rm -f conf$$ conf$$.exe conf$$.file
- if test -d conf$$.dir; then
- rm -f conf$$.dir/conf$$.file
- else
- rm -f conf$$.dir
-- mkdir conf$$.dir
-+ mkdir conf$$.dir 2>/dev/null
- fi
--echo >conf$$.file
--if ln -s conf$$.file conf$$ 2>/dev/null; then
-- as_ln_s='ln -s'
-- # ... but there are two gotchas:
-- # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
-- # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-- # In both cases, we have to default to `cp -p'.
-- ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-+if (echo >conf$$.file) 2>/dev/null; then
-+ if ln -s conf$$.file conf$$ 2>/dev/null; then
-+ as_ln_s='ln -s'
-+ # ... but there are two gotchas:
-+ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
-+ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-+ # In both cases, we have to default to `cp -p'.
-+ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-+ as_ln_s='cp -p'
-+ elif ln conf$$.file conf$$ 2>/dev/null; then
-+ as_ln_s=ln
-+ else
- as_ln_s='cp -p'
--elif ln conf$$.file conf$$ 2>/dev/null; then
-- as_ln_s=ln
-+ fi
- else
- as_ln_s='cp -p'
- fi
- rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
- rmdir conf$$.dir 2>/dev/null
-
-+
-+# as_fn_mkdir_p
-+# -------------
-+# Create "$as_dir" as a directory, including parents if necessary.
-+as_fn_mkdir_p ()
-+{
-+
-+ case $as_dir in #(
-+ -*) as_dir=./$as_dir;;
-+ esac
-+ test -d "$as_dir" || eval $as_mkdir_p || {
-+ as_dirs=
-+ while :; do
-+ case $as_dir in #(
-+ *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
-+ *) as_qdir=$as_dir;;
-+ esac
-+ as_dirs="'$as_qdir' $as_dirs"
-+ as_dir=`$as_dirname -- "$as_dir" ||
-+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-+ X"$as_dir" : 'X\(//\)[^/]' \| \
-+ X"$as_dir" : 'X\(//\)$' \| \
-+ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
-+$as_echo X"$as_dir" |
-+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-+ s//\1/
-+ q
-+ }
-+ /^X\(\/\/\)[^/].*/{
-+ s//\1/
-+ q
-+ }
-+ /^X\(\/\/\)$/{
-+ s//\1/
-+ q
-+ }
-+ /^X\(\/\).*/{
-+ s//\1/
-+ q
-+ }
-+ s/.*/./; q'`
-+ test -d "$as_dir" && break
-+ done
-+ test -z "$as_dirs" || eval "mkdir $as_dirs"
-+ } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
-+
-+
-+} # as_fn_mkdir_p
- if mkdir -p . 2>/dev/null; then
-- as_mkdir_p=:
-+ as_mkdir_p='mkdir -p "$as_dir"'
- else
- test -d ./-p && rmdir ./-p
- as_mkdir_p=false
-@@ -3065,12 +3789,12 @@
- as_test_x='
- eval sh -c '\''
- if test -d "$1"; then
-- test -d "$1/.";
-+ test -d "$1/.";
- else
-- case $1 in
-- -*)set "./$1";;
-+ case $1 in #(
-+ -*)set "./$1";;
- esac;
-- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
-+ case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
- ???[sx]*):;;*)false;;esac;fi
- '\'' sh
- '
-@@ -3085,13 +3809,19 @@
-
-
- exec 6>&1
-+## ----------------------------------- ##
-+## Main body of $CONFIG_STATUS script. ##
-+## ----------------------------------- ##
-+_ASEOF
-+test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1
-
--# Save the log message, to keep $[0] and so on meaningful, and to
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
-+# Save the log message, to keep $0 and so on meaningful, and to
- # report actual input values of CONFIG_FILES etc. instead of their
- # values after options handling.
- ac_log="
- This file was extended by $as_me, which was
--generated by GNU Autoconf 2.61. Invocation command line was
-+generated by GNU Autoconf 2.67. Invocation command line was
-
- CONFIG_FILES = $CONFIG_FILES
- CONFIG_HEADERS = $CONFIG_HEADERS
-@@ -3104,59 +3834,74 @@
-
- _ACEOF
-
--cat >>$CONFIG_STATUS <<_ACEOF
-+case $ac_config_files in *"
-+"*) set x $ac_config_files; shift; ac_config_files=$*;;
-+esac
-+
-+
-+
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
- # Files that config.status was made for.
- config_files="$ac_config_files"
-
- _ACEOF
-
--cat >>$CONFIG_STATUS <<\_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
- ac_cs_usage="\
--\`$as_me' instantiates files from templates according to the
--current configuration.
-+\`$as_me' instantiates files and other configuration actions
-+from templates according to the current configuration. Unless the files
-+and actions are specified as TAGs, all are instantiated by default.
-
--Usage: $0 [OPTIONS] [FILE]...
-+Usage: $0 [OPTION]... [TAG]...
-
- -h, --help print this help, then exit
- -V, --version print version number and configuration settings, then exit
-- -q, --quiet do not print progress messages
-+ --config print configuration, then exit
-+ -q, --quiet, --silent
-+ do not print progress messages
- -d, --debug don't remove temporary files
- --recheck update $as_me by reconfiguring in the same conditions
-- --file=FILE[:TEMPLATE]
-- instantiate the configuration file FILE
-+ --file=FILE[:TEMPLATE]
-+ instantiate the configuration file FILE
-
- Configuration files:
- $config_files
-
--Report bugs to <bug-autoconf@gnu.org>."
-+Report bugs to the package provider."
-
- _ACEOF
--cat >>$CONFIG_STATUS <<_ACEOF
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-+ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
- ac_cs_version="\\
- config.status
--configured by $0, generated by GNU Autoconf 2.61,
-- with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
-+configured by $0, generated by GNU Autoconf 2.67,
-+ with options \\"\$ac_cs_config\\"
-
--Copyright (C) 2006 Free Software Foundation, Inc.
-+Copyright (C) 2010 Free Software Foundation, Inc.
- This config.status script is free software; the Free Software Foundation
- gives unlimited permission to copy, distribute and modify it."
-
- ac_pwd='$ac_pwd'
- srcdir='$srcdir'
-+test -n "\$AWK" || AWK=awk
- _ACEOF
-
--cat >>$CONFIG_STATUS <<\_ACEOF
--# If no file are specified by the user, then we need to provide default
--# value. By we need to know if files were specified by the user.
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
-+# The default lists apply if the user does not specify any file.
- ac_need_defaults=:
- while test $# != 0
- do
- case $1 in
-- --*=*)
-+ --*=?*)
- ac_option=`expr "X$1" : 'X\([^=]*\)='`
- ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
- ac_shift=:
- ;;
-+ --*=)
-+ ac_option=`expr "X$1" : 'X\([^=]*\)='`
-+ ac_optarg=
-+ ac_shift=:
-+ ;;
- *)
- ac_option=$1
- ac_optarg=$2
-@@ -3169,25 +3914,30 @@
- -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
- ac_cs_recheck=: ;;
- --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
-- echo "$ac_cs_version"; exit ;;
-+ $as_echo "$ac_cs_version"; exit ;;
-+ --config | --confi | --conf | --con | --co | --c )
-+ $as_echo "$ac_cs_config"; exit ;;
- --debug | --debu | --deb | --de | --d | -d )
- debug=: ;;
- --file | --fil | --fi | --f )
- $ac_shift
-- CONFIG_FILES="$CONFIG_FILES $ac_optarg"
-+ case $ac_optarg in
-+ *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
-+ '') as_fn_error $? "missing file argument" ;;
-+ esac
-+ as_fn_append CONFIG_FILES " '$ac_optarg'"
- ac_need_defaults=false;;
- --he | --h | --help | --hel | -h )
-- echo "$ac_cs_usage"; exit ;;
-+ $as_echo "$ac_cs_usage"; exit ;;
- -q | -quiet | --quiet | --quie | --qui | --qu | --q \
- | -silent | --silent | --silen | --sile | --sil | --si | --s)
- ac_cs_silent=: ;;
-
- # This is an error.
-- -*) { echo "$as_me: error: unrecognized option: $1
--Try \`$0 --help' for more information." >&2
-- { (exit 1); exit 1; }; } ;;
-+ -*) as_fn_error $? "unrecognized option: \`$1'
-+Try \`$0 --help' for more information." ;;
-
-- *) ac_config_targets="$ac_config_targets $1"
-+ *) as_fn_append ac_config_targets " $1"
- ac_need_defaults=false ;;
-
- esac
-@@ -3202,30 +3952,32 @@
- fi
-
- _ACEOF
--cat >>$CONFIG_STATUS <<_ACEOF
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
- if \$ac_cs_recheck; then
-- echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
-- CONFIG_SHELL=$SHELL
-+ set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
-+ shift
-+ \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
-+ CONFIG_SHELL='$SHELL'
- export CONFIG_SHELL
-- exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
-+ exec "\$@"
- fi
-
- _ACEOF
--cat >>$CONFIG_STATUS <<\_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
- exec 5>>config.log
- {
- echo
- sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
- ## Running $as_me. ##
- _ASBOX
-- echo "$ac_log"
-+ $as_echo "$ac_log"
- } >&5
-
- _ACEOF
--cat >>$CONFIG_STATUS <<_ACEOF
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
- _ACEOF
-
--cat >>$CONFIG_STATUS <<\_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
-
- # Handling of arguments.
- for ac_config_target in $ac_config_targets
-@@ -3233,9 +3985,7 @@
- case $ac_config_target in
- "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
-
-- *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
--echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
-- { (exit 1); exit 1; }; };;
-+ *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5 ;;
- esac
- done
-
-@@ -3260,7 +4010,7 @@
- trap 'exit_status=$?
- { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
- ' 0
-- trap '{ (exit 1); exit 1; }' 1 2 13 15
-+ trap 'as_fn_exit 1' 1 2 13 15
- }
- # Create a (secure) tmp directory for tmp files.
-
-@@ -3271,145 +4021,177 @@
- {
- tmp=./conf$$-$RANDOM
- (umask 077 && mkdir "$tmp")
--} ||
--{
-- echo "$me: cannot create a temporary directory in ." >&2
-- { (exit 1); exit 1; }
--}
--
--#
--# Set up the sed scripts for CONFIG_FILES section.
--#
-+} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5
-
--# No need to generate the scripts if there are no CONFIG_FILES.
--# This happens for instance when ./config.status config.h
-+# Set up the scripts for CONFIG_FILES section.
-+# No need to generate them if there are no CONFIG_FILES.
-+# This happens for instance with `./config.status config.h'.
- if test -n "$CONFIG_FILES"; then
-
--_ACEOF
-
-+ac_cr=`echo X | tr X '\015'`
-+# On cygwin, bash can eat \r inside `` if the user requested igncr.
-+# But we know of no other shell where ac_cr would be empty at this
-+# point, so we can use a bashism as a fallback.
-+if test "x$ac_cr" = x; then
-+ eval ac_cr=\$\'\\r\'
-+fi
-+ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' </dev/null 2>/dev/null`
-+if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then
-+ ac_cs_awk_cr='\\r'
-+else
-+ ac_cs_awk_cr=$ac_cr
-+fi
-+
-+echo 'BEGIN {' >"$tmp/subs1.awk" &&
-+_ACEOF
-
-
-+{
-+ echo "cat >conf$$subs.awk <<_ACEOF" &&
-+ echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' &&
-+ echo "_ACEOF"
-+} >conf$$subs.sh ||
-+ as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
-+ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'`
- ac_delim='%!_!# '
- for ac_last_try in false false false false false :; do
-- cat >conf$$subs.sed <<_ACEOF
--SHELL!$SHELL$ac_delim
--PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim
--PACKAGE_NAME!$PACKAGE_NAME$ac_delim
--PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim
--PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim
--PACKAGE_STRING!$PACKAGE_STRING$ac_delim
--PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim
--exec_prefix!$exec_prefix$ac_delim
--prefix!$prefix$ac_delim
--program_transform_name!$program_transform_name$ac_delim
--bindir!$bindir$ac_delim
--sbindir!$sbindir$ac_delim
--libexecdir!$libexecdir$ac_delim
--datarootdir!$datarootdir$ac_delim
--datadir!$datadir$ac_delim
--sysconfdir!$sysconfdir$ac_delim
--sharedstatedir!$sharedstatedir$ac_delim
--localstatedir!$localstatedir$ac_delim
--includedir!$includedir$ac_delim
--oldincludedir!$oldincludedir$ac_delim
--docdir!$docdir$ac_delim
--infodir!$infodir$ac_delim
--htmldir!$htmldir$ac_delim
--dvidir!$dvidir$ac_delim
--pdfdir!$pdfdir$ac_delim
--psdir!$psdir$ac_delim
--libdir!$libdir$ac_delim
--localedir!$localedir$ac_delim
--mandir!$mandir$ac_delim
--DEFS!$DEFS$ac_delim
--ECHO_C!$ECHO_C$ac_delim
--ECHO_N!$ECHO_N$ac_delim
--ECHO_T!$ECHO_T$ac_delim
--LIBS!$LIBS$ac_delim
--build_alias!$build_alias$ac_delim
--host_alias!$host_alias$ac_delim
--target_alias!$target_alias$ac_delim
--CC!$CC$ac_delim
--CFLAGS!$CFLAGS$ac_delim
--LDFLAGS!$LDFLAGS$ac_delim
--CPPFLAGS!$CPPFLAGS$ac_delim
--ac_ct_CC!$ac_ct_CC$ac_delim
--EXEEXT!$EXEEXT$ac_delim
--OBJEXT!$OBJEXT$ac_delim
--eap_tnc_cflags!$eap_tnc_cflags$ac_delim
--eap_tnc_ldflags!$eap_tnc_ldflags$ac_delim
--targetname!$targetname$ac_delim
--LIBOBJS!$LIBOBJS$ac_delim
--LTLIBOBJS!$LTLIBOBJS$ac_delim
--_ACEOF
-+ . ./conf$$subs.sh ||
-+ as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
-
-- if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 49; then
-+ ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X`
-+ if test $ac_delim_n = $ac_delim_num; then
- break
- elif $ac_last_try; then
-- { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
--echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
-- { (exit 1); exit 1; }; }
-+ as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
- else
- ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
- fi
- done
-+rm -f conf$$subs.sh
-
--ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
--if test -n "$ac_eof"; then
-- ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
-- ac_eof=`expr $ac_eof + 1`
--fi
--
--cat >>$CONFIG_STATUS <<_ACEOF
--cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof
--/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end
--_ACEOF
--sed '
--s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
--s/^/s,@/; s/!/@,|#_!!_#|/
--:n
--t n
--s/'"$ac_delim"'$/,g/; t
--s/$/\\/; p
--N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
--' >>$CONFIG_STATUS <conf$$subs.sed
--rm -f conf$$subs.sed
--cat >>$CONFIG_STATUS <<_ACEOF
--:end
--s/|#_!!_#|//g
--CEOF$ac_eof
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-+cat >>"\$tmp/subs1.awk" <<\\_ACAWK &&
- _ACEOF
-+sed -n '
-+h
-+s/^/S["/; s/!.*/"]=/
-+p
-+g
-+s/^[^!]*!//
-+:repl
-+t repl
-+s/'"$ac_delim"'$//
-+t delim
-+:nl
-+h
-+s/\(.\{148\}\)..*/\1/
-+t more1
-+s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/
-+p
-+n
-+b repl
-+:more1
-+s/["\\]/\\&/g; s/^/"/; s/$/"\\/
-+p
-+g
-+s/.\{148\}//
-+t nl
-+:delim
-+h
-+s/\(.\{148\}\)..*/\1/
-+t more2
-+s/["\\]/\\&/g; s/^/"/; s/$/"/
-+p
-+b
-+:more2
-+s/["\\]/\\&/g; s/^/"/; s/$/"\\/
-+p
-+g
-+s/.\{148\}//
-+t delim
-+' <conf$$subs.awk | sed '
-+/^[^""]/{
-+ N
-+ s/\n//
-+}
-+' >>$CONFIG_STATUS || ac_write_fail=1
-+rm -f conf$$subs.awk
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-+_ACAWK
-+cat >>"\$tmp/subs1.awk" <<_ACAWK &&
-+ for (key in S) S_is_set[key] = 1
-+ FS = ""
-+
-+}
-+{
-+ line = $ 0
-+ nfields = split(line, field, "@")
-+ substed = 0
-+ len = length(field[1])
-+ for (i = 2; i < nfields; i++) {
-+ key = field[i]
-+ keylen = length(key)
-+ if (S_is_set[key]) {
-+ value = S[key]
-+ line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3)
-+ len += length(value) + length(field[++i])
-+ substed = 1
-+ } else
-+ len += 1 + keylen
-+ }
-+
-+ print line
-+}
-
-+_ACAWK
-+_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
-+if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
-+ sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g"
-+else
-+ cat
-+fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \
-+ || as_fn_error $? "could not setup config files machinery" "$LINENO" 5
-+_ACEOF
-
--# VPATH may cause trouble with some makes, so we remove $(srcdir),
--# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
-+# VPATH may cause trouble with some makes, so we remove sole $(srcdir),
-+# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and
- # trailing colons and then remove the whole line if VPATH becomes empty
- # (actually we leave an empty line to preserve line numbers).
- if test "x$srcdir" = x.; then
-- ac_vpsub='/^[ ]*VPATH[ ]*=/{
--s/:*\$(srcdir):*/:/
--s/:*\${srcdir}:*/:/
--s/:*@srcdir@:*/:/
--s/^\([^=]*=[ ]*\):*/\1/
-+ ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{
-+h
-+s///
-+s/^/:/
-+s/[ ]*$/:/
-+s/:\$(srcdir):/:/g
-+s/:\${srcdir}:/:/g
-+s/:@srcdir@:/:/g
-+s/^:*//
- s/:*$//
-+x
-+s/\(=[ ]*\).*/\1/
-+G
-+s/\n//
- s/^[^=]*=[ ]*$//
- }'
- fi
-
--cat >>$CONFIG_STATUS <<\_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
- fi # test -n "$CONFIG_FILES"
-
-
--for ac_tag in :F $CONFIG_FILES
-+eval set X " :F $CONFIG_FILES "
-+shift
-+for ac_tag
- do
- case $ac_tag in
- :[FHLC]) ac_mode=$ac_tag; continue;;
- esac
- case $ac_mode$ac_tag in
- :[FHL]*:*);;
-- :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5
--echo "$as_me: error: Invalid tag $ac_tag." >&2;}
-- { (exit 1); exit 1; }; };;
-+ :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5 ;;
- :[FH]-) ac_tag=-:-;;
- :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
- esac
-@@ -3437,26 +4219,34 @@
- [\\/$]*) false;;
- *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
- esac ||
-- { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
--echo "$as_me: error: cannot find input file: $ac_f" >&2;}
-- { (exit 1); exit 1; }; };;
-+ as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5 ;;
- esac
-- ac_file_inputs="$ac_file_inputs $ac_f"
-+ case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
-+ as_fn_append ac_file_inputs " '$ac_f'"
- done
-
- # Let's still pretend it is `configure' which instantiates (i.e., don't
- # use $as_me), people would be surprised to read:
- # /* config.h. Generated by config.status. */
-- configure_input="Generated from "`IFS=:
-- echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure."
-+ configure_input='Generated from '`
-+ $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g'
-+ `' by configure.'
- if test x"$ac_file" != x-; then
- configure_input="$ac_file. $configure_input"
-- { echo "$as_me:$LINENO: creating $ac_file" >&5
--echo "$as_me: creating $ac_file" >&6;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5
-+$as_echo "$as_me: creating $ac_file" >&6;}
- fi
-+ # Neutralize special characters interpreted by sed in replacement strings.
-+ case $configure_input in #(
-+ *\&* | *\|* | *\\* )
-+ ac_sed_conf_input=`$as_echo "$configure_input" |
-+ sed 's/[\\\\&|]/\\\\&/g'`;; #(
-+ *) ac_sed_conf_input=$configure_input;;
-+ esac
-
- case $ac_tag in
-- *:-:* | *:-) cat >"$tmp/stdin";;
-+ *:-:* | *:-) cat >"$tmp/stdin" \
-+ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;;
- esac
- ;;
- esac
-@@ -3466,42 +4256,7 @@
- X"$ac_file" : 'X\(//\)[^/]' \| \
- X"$ac_file" : 'X\(//\)$' \| \
- X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
--echo X"$ac_file" |
-- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-- s//\1/
-- q
-- }
-- /^X\(\/\/\)[^/].*/{
-- s//\1/
-- q
-- }
-- /^X\(\/\/\)$/{
-- s//\1/
-- q
-- }
-- /^X\(\/\).*/{
-- s//\1/
-- q
-- }
-- s/.*/./; q'`
-- { as_dir="$ac_dir"
-- case $as_dir in #(
-- -*) as_dir=./$as_dir;;
-- esac
-- test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
-- as_dirs=
-- while :; do
-- case $as_dir in #(
-- *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
-- *) as_qdir=$as_dir;;
-- esac
-- as_dirs="'$as_qdir' $as_dirs"
-- as_dir=`$as_dirname -- "$as_dir" ||
--$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-- X"$as_dir" : 'X\(//\)[^/]' \| \
-- X"$as_dir" : 'X\(//\)$' \| \
-- X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
--echo X"$as_dir" |
-+$as_echo X"$ac_file" |
- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
- s//\1/
- q
-@@ -3519,20 +4274,15 @@
- q
- }
- s/.*/./; q'`
-- test -d "$as_dir" && break
-- done
-- test -z "$as_dirs" || eval "mkdir $as_dirs"
-- } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
--echo "$as_me: error: cannot create directory $as_dir" >&2;}
-- { (exit 1); exit 1; }; }; }
-+ as_dir="$ac_dir"; as_fn_mkdir_p
- ac_builddir=.
-
- case "$ac_dir" in
- .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
- *)
-- ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
-+ ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
- # A ".." for each directory in $ac_dir_suffix.
-- ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
-+ ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
- case $ac_top_builddir_sub in
- "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
- *) ac_top_build_prefix=$ac_top_builddir_sub/ ;;
-@@ -3568,12 +4318,12 @@
-
- _ACEOF
-
--cat >>$CONFIG_STATUS <<\_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
- # If the template does not know about datarootdir, expand it.
- # FIXME: This hack should be removed a few years after 2.60.
- ac_datarootdir_hack=; ac_datarootdir_seen=
--
--case `sed -n '/datarootdir/ {
-+ac_sed_dataroot='
-+/datarootdir/ {
- p
- q
- }
-@@ -3581,36 +4331,37 @@
- /@docdir@/p
- /@infodir@/p
- /@localedir@/p
--/@mandir@/p
--' $ac_file_inputs` in
-+/@mandir@/p'
-+case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in
- *datarootdir*) ac_datarootdir_seen=yes;;
- *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
-- { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
--echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
-+$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
- _ACEOF
--cat >>$CONFIG_STATUS <<_ACEOF
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
- ac_datarootdir_hack='
- s&@datadir@&$datadir&g
- s&@docdir@&$docdir&g
- s&@infodir@&$infodir&g
- s&@localedir@&$localedir&g
- s&@mandir@&$mandir&g
-- s&\\\${datarootdir}&$datarootdir&g' ;;
-+ s&\\\${datarootdir}&$datarootdir&g' ;;
- esac
- _ACEOF
-
- # Neutralize VPATH when `$srcdir' = `.'.
- # Shell code in configure.ac might set extrasub.
- # FIXME: do we really want to maintain this feature?
--cat >>$CONFIG_STATUS <<_ACEOF
-- sed "$ac_vpsub
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-+ac_sed_extra="$ac_vpsub
- $extrasub
- _ACEOF
--cat >>$CONFIG_STATUS <<\_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
- :t
- /@[a-zA-Z_][a-zA-Z_0-9]*@/!b
--s&@configure_input@&$configure_input&;t t
-+s|@configure_input@|$ac_sed_conf_input|;t t
- s&@top_builddir@&$ac_top_builddir_sub&;t t
-+s&@top_build_prefix@&$ac_top_build_prefix&;t t
- s&@srcdir@&$ac_srcdir&;t t
- s&@abs_srcdir@&$ac_abs_srcdir&;t t
- s&@top_srcdir@&$ac_top_srcdir&;t t
-@@ -3619,21 +4370,24 @@
- s&@abs_builddir@&$ac_abs_builddir&;t t
- s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
- $ac_datarootdir_hack
--" $ac_file_inputs | sed -f "$tmp/subs-1.sed" >$tmp/out
-+"
-+eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \
-+ || as_fn_error $? "could not create $ac_file" "$LINENO" 5
-
- test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
- { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
- { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
-- { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
--which seems to be undefined. Please make sure it is defined." >&5
--echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
--which seems to be undefined. Please make sure it is defined." >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir'
-+which seems to be undefined. Please make sure it is defined" >&5
-+$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
-+which seems to be undefined. Please make sure it is defined" >&2;}
-
- rm -f "$tmp/stdin"
- case $ac_file in
-- -) cat "$tmp/out"; rm -f "$tmp/out";;
-- *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;;
-- esac
-+ -) cat "$tmp/out" && rm -f "$tmp/out";;
-+ *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";;
-+ esac \
-+ || as_fn_error $? "could not create $ac_file" "$LINENO" 5
- ;;
-
-
-@@ -3643,11 +4397,13 @@
- done # for ac_tag
-
-
--{ (exit 0); exit 0; }
-+as_fn_exit 0
- _ACEOF
--chmod +x $CONFIG_STATUS
- ac_clean_files=$ac_clean_files_save
-
-+test $ac_write_fail = 0 ||
-+ as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5
-+
-
- # configure is writing to config.log, and then calls config.status.
- # config.status does its own redirection, appending to config.log.
-@@ -3667,7 +4423,10 @@
- exec 5>>config.log
- # Use ||, not &&, to avoid exiting from the if with $? = 1, which
- # would make configure fail if this is the last instruction.
-- $ac_cs_success || { (exit 1); exit 1; }
-+ $ac_cs_success || as_fn_exit 1
-+fi
-+if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5
-+$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
- fi
--
-
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in 2012-12-04 19:38:00.241420966 +0100
-@@ -2,12 +2,21 @@
- AC_REVISION($Revision$)
- AC_DEFUN(modname,[rlm_eap_tnc])
-
-+eap_tnc_cflags=
-+eap_tnc_ldflags=-lnaaeap
-+
- if test x$with_[]modname != xno; then
-
-- AC_CHECK_LIB(TNCS, exchangeTNCCSMessages)
-- if test "x$ac_cv_lib_tncs_exchangetnccsmessages" != xyes; then
-- AC_MSG_WARN([the TNCS library isn't found!])
-- fail="$fail -lTNCS"
-+ AC_CHECK_LIB(naaeap,processEAPTNCData,,fail="$fail -lnaaeap",)
-+ if test -x"$ac_cv_lib_NAAEAP_processEAPTNCData" == -x"no"; then
-+ AC_MSG_WARN([the NAAEAP library was not found!])
-+ fail="$fail -lNAAEAP"
-+ fi
-+
-+ AC_CHECK_HEADERS(naaeap/naaeap.h,,fail="$fail -Inaaeap.h",)
-+ if test -x"$ac_cv_header_naaeap_h" == -x"no"; then
-+ AC_MSG_WARN([the naaeap header was not found!])
-+ fail="$fail -Inaaeap.h"
- fi
-
- targetname=modname
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c 2012-12-04 19:38:00.241420966 +0100
-@@ -1,12 +1,12 @@
- /*
- * eap_tnc.c EAP TNC functionality.
- *
-- * This software is Copyright (C) 2006,2007 FH Hannover
-+ * This software is Copyright (C) 2006-2009 FH Hannover
- *
- * Portions of this code unrelated to FreeRADIUS are available
- * separately under a commercial license. If you require an
- * implementation of EAP-TNC that is not under the GPLv2, please
-- * contact tnc@inform.fh-hannover.de for details.
-+ * contact trust@f4-i.fh-hannover.de for details.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -23,230 +23,41 @@
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
- *
- */
--#include <freeradius-devel/ident.h>
--RCSID("$Id: 213ede51c46a8c533961be8715395c0ab1f6b5c9 $")
--
--
--/*
-- *
-- * MD5 Packet Format in EAP Type-Data
-- * --- ------ ------ -- --- ---------
-- * 0 1 2 3
-- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * | Value-Size | Value ...
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * | Name ...
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- *
-- * EAP-TNC Packet Format in EAP Type-Data
-- *
-- * 0 1 2 3
-- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * | Flags |Ver | Data Length ...
-- * |L M S R R|=1 |
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * |... | Data ...
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
--
-- *
-- */
--
- #include <stdio.h>
- #include <stdlib.h>
- #include "eap.h"
-
- #include "eap_tnc.h"
-
-- /*
-- * WTF is wrong with htonl ?
-- */
--static uint32_t ByteSwap2 (uint32_t nLongNumber)
--{
-- return (((nLongNumber&0x000000FF)<<24)+((nLongNumber&0x0000FF00)<<8)+
-- ((nLongNumber&0x00FF0000)>>8)+((nLongNumber&0xFF000000)>>24));
--}
--
- /*
-- * Allocate a new TNC_PACKET
-+ * Forms an EAP_REQUEST packet from the EAP_TNC specific data.
- */
--TNC_PACKET *eaptnc_alloc(void)
-+int eaptnc_compose(EAP_HANDLER *handler, TNC_BufferReference request, TNC_UInt32 length, uint8_t code)
- {
-- TNC_PACKET *rp;
--
-- if ((rp = malloc(sizeof(TNC_PACKET))) == NULL) {
-- radlog(L_ERR, "rlm_eap_tnc: out of memory");
-- return NULL;
-+ // check parameters
-+ if(handler == NULL || (request == NULL && length != 0) || (request != NULL && length < 1) || code > PW_EAP_MAX_CODES){
-+ radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler == %p, request == %p, length == %lu, code == %u", handler, request, length, code);
-+ return 0;
- }
-- memset(rp, 0, sizeof(TNC_PACKET));
-- return rp;
--}
--
--/*
-- * Free TNC_PACKET
-- */
--void eaptnc_free(TNC_PACKET **tnc_packet_ptr)
--{
-- TNC_PACKET *tnc_packet;
--
-- if (!tnc_packet_ptr) return;
-- tnc_packet = *tnc_packet_ptr;
-- if (tnc_packet == NULL) return;
--
-- if (tnc_packet->data) free(tnc_packet->data);
-
-- free(tnc_packet);
--
-- *tnc_packet_ptr = NULL;
--}
--
--/*
-- * We expect only RESPONSE for which REQUEST, SUCCESS or FAILURE is sent back
-- */
--TNC_PACKET *eaptnc_extract(EAP_DS *eap_ds)
--{
-- tnc_packet_t *data;
-- TNC_PACKET *packet;
-- /*
-- * We need a response, of type EAP-TNC
-- */
-- if (!eap_ds ||
-- !eap_ds->response ||
-- (eap_ds->response->code != PW_TNC_RESPONSE) ||
-- eap_ds->response->type.type != PW_EAP_TNC ||
-- !eap_ds->response->type.data ||
-- (eap_ds->response->length <= TNC_HEADER_LEN) ||
-- (eap_ds->response->type.data[0] <= 0)) {
-- radlog(L_ERR, "rlm_eap_tnc: corrupted data");
-- return NULL;
-+ // further check parameters
-+ if(handler->opaque == NULL || handler->eap_ds == NULL){
-+ radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler->opaque == %p, handler->eap_ds == %p", handler->opaque, handler->eap_ds);
-+ return 0;
- }
-- packet = eaptnc_alloc();
-- if (!packet) return NULL;
--
-
-- packet->code = eap_ds->response->code;
-- packet->id = eap_ds->response->id;
-- packet->length = eap_ds->response->length;
--
-- data = (tnc_packet_t *)eap_ds->response->type.data;
-- /*
-- * Already checked the size above.
-- */
-- packet->flags_ver = data->flags_ver;
-- unsigned char *ptr = (unsigned char*)data;
--
--
-- DEBUG2("Flags/Ver: %x\n", packet->flags_ver);
-- int thisDataLength;
-- int dataStart;
-- if(TNC_LENGTH_INCLUDED(packet->flags_ver)){
-- DEBUG2("data_length included\n");
--// memcpy(&packet->flags_ver[1], &data->flags_ver[1], 4);
-- //packet->data_length = data->data_length;
-- memcpy(&packet->data_length, &ptr[1], TNC_DATA_LENGTH_LENGTH);
-- DEBUG2("data_length: %x\n", packet->data_length);
-- DEBUG2("data_length: %d\n", packet->data_length);
-- DEBUG2("data_length: %x\n", ByteSwap2(packet->data_length));
-- DEBUG2("data_length: %d\n", ByteSwap2(packet->data_length));
-- packet->data_length = ByteSwap2(packet->data_length);
-- thisDataLength = packet->length-TNC_PACKET_LENGTH; //1: we need space for flags_ver
-- dataStart = TNC_DATA_LENGTH_LENGTH+TNC_FLAGS_VERSION_LENGTH;
-- }else{
-- DEBUG2("no data_length included\n");
-- thisDataLength = packet->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
-- packet->data_length = 0;
-- dataStart = TNC_FLAGS_VERSION_LENGTH;
--
-- }
-- /*
-- * Allocate room for the data, and copy over the data.
-- */
-- packet->data = malloc(thisDataLength);
-- if (packet->data == NULL) {
-- radlog(L_ERR, "rlm_eap_tnc: out of memory");
-- eaptnc_free(&packet);
-- return NULL;
-+ if(handler->eap_ds->request == NULL){
-+ radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler->eap_ds->request == %p", handler->eap_ds->request);
-+ return 0;
- }
--
-- memcpy(packet->data, &(eap_ds->response->type.data[dataStart]), thisDataLength);
--
-- return packet;
--}
-
--
--/*
-- * Compose the portions of the reply packet specific to the
-- * EAP-TNC protocol, in the EAP reply typedata
-- */
--int eaptnc_compose(EAP_DS *eap_ds, TNC_PACKET *reply)
--{
-- uint8_t *ptr;
--
--
-- if (reply->code < 3) {
-- //fill: EAP-Type (0x888e)
-- eap_ds->request->type.type = PW_EAP_TNC;
-- DEBUG2("TYPE: EAP-TNC set\n");
-- rad_assert(reply->length > 0);
--
-- //alloc enough space for whole TNC-Packet (from Code on)
-- eap_ds->request->type.data = calloc(reply->length, sizeof(unsigned char*));
-- DEBUG2("Malloc %d bytes for packet\n", reply->length);
-- if (eap_ds->request->type.data == NULL) {
-- radlog(L_ERR, "rlm_eap_tnc: out of memory");
-- return 0;
-- }
-- //put pointer at position where data starts (behind Type)
-- ptr = eap_ds->request->type.data;
-- //*ptr = (uint8_t)(reply->data_length & 0xFF);
--
-- //ptr++;
-- *ptr = reply->flags_ver;
-- DEBUG2("Set Flags/Version: %d\n", *ptr);
-- if(reply->data_length!=0){
-- DEBUG2("Set data-length: %d\n", reply->data_length);
-- ptr++; //move to start-position of "data_length"
-- DEBUG2("Set data-length: %x\n", reply->data_length);
-- DEBUG2("Set data-length (swapped): %x\n", ByteSwap2(reply->data_length));
-- unsigned long swappedDataLength = ByteSwap2(reply->data_length);
-- //DEBUG2("DATA-length: %d", reply->data_
-- memcpy(ptr, &swappedDataLength, 4);
-- //*ptr = swappedDataLength;
-- }
-- uint16_t thisDataLength=0;
-- if(reply->data!=NULL){
-- DEBUG2("Adding TNCCS-Data ");
-- int offset;
-- //if data_length-Field present
-- if(reply->data_length !=0){
-- DEBUG2("with Fragmentation\n");
-- offset = TNC_DATA_LENGTH_LENGTH; //length of data_length-field: 4
-- thisDataLength = reply->length-TNC_PACKET_LENGTH;
-- }else{ //data_length-Field not present
-- DEBUG2("without Fragmentation\n");
-- offset = 1;
-- thisDataLength = reply->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
-- }
-- DEBUG2("TNCCS-Datalength: %d\n", thisDataLength);
-- ptr=ptr+offset; //move to start-position of "data"
-- memcpy(ptr,reply->data, thisDataLength);
-- }else{
-- DEBUG2("No TNCCS-Data present");
-- }
--
-- //the length of the TNC-packet (behind Type)
-- if(reply->data_length!=0){
-- eap_ds->request->type.length = TNC_DATA_LENGTH_LENGTH+TNC_FLAGS_VERSION_LENGTH+thisDataLength; //4:data_length, 1: flags_ver
-- }else{
-- eap_ds->request->type.length = TNC_FLAGS_VERSION_LENGTH+thisDataLength; //1: flags_ver
-- }
-- DEBUG2("Packet built\n");
--
-- } else {
-- eap_ds->request->type.length = 0;
-- }
-- eap_ds->request->code = reply->code;
-+ // fill EAP data to handler
-+ handler->eap_ds->request->code = code;
-+ handler->eap_ds->request->type.type = PW_EAP_TNC;
-+ // fill EAP TYPE specific data to handler
-+ handler->eap_ds->request->type.length = length;
-+ free(handler->eap_ds->request->type.data);
-+ handler->eap_ds->request->type.data = request;
-
- return 1;
- }
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h 2012-12-04 19:38:00.241420966 +0100
-@@ -1,10 +1,10 @@
- /*
-- * This software is Copyright (C) 2006,2007 FH Hannover
-+ * This software is Copyright (C) 2006-2009 FH Hannover
- *
- * Portions of this code unrelated to FreeRADIUS are available
- * separately under a commercial license. If you require an
- * implementation of EAP-TNC that is not under the GPLv2, please
-- * contact tnc@inform.fh-hannover.de for details.
-+ * contact trust@f4-i.fh-hannover.de for details.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -26,105 +26,20 @@
- #define _EAP_TNC_H
-
- #include "eap.h"
-+#include <naaeap/naaeap.h>
-
--#define PW_TNC_REQUEST 1
--#define PW_TNC_RESPONSE 2
--#define PW_TNC_SUCCESS 3
--#define PW_TNC_FAILURE 4
--#define PW_TNC_MAX_CODES 4
--
--#define TNC_HEADER_LEN 4
--#define TNC_CHALLENGE_LEN 16
--#define TNC_START_LEN 8
--
--#define TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH 6
--#define TNC_PACKET_LENGTH 10
--#define TNC_DATA_LENGTH_LENGTH 4
--#define TNC_FLAGS_VERSION_LENGTH 1
--
--typedef unsigned int VlanAccessMode;
--
--#define VLAN_ISOLATE 97
--#define VLAN_ACCESS 2
--/*
-- ****
-- * EAP - MD5 doesnot specify code, id & length but chap specifies them,
-- * for generalization purpose, complete header should be sent
-- * and not just value_size, value and name.
-- * future implementation.
-- *
-- * Huh? What does that mean?
-- */
-+#define SET_START(x) ((x) | (0x20))
-
--/*
-+/**
-+ * Composes the EAP packet.
- *
-- * MD5 Packet Format in EAP Type-Data
-- * --- ------ ------ -- --- ---------
-- * 0 1 2 3
-- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * | Value-Size | Value ...
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * | Name ...
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- *
-- * EAP-TNC Packet Format in EAP Type-Data
-- *
-- * 0 1 2 3
-- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * | Flags |Ver | Data Length ...
-- * |L M S R R|=1 |
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * |... | Data ...
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
--
-+ * @param handler The EAP_HANDLER from tnc_initiate() or tnc_authenticate
-+ * @param request The EAP_TNC packet received from NAA-TNCS
-+ * @param length The length of the EAP_TNC packet received from NAA-TNCS
-+ * @param code EAP_CODE for the request
- *
-+ * @return True if operation was successful, otherwise false.
- */
--
--/* eap packet structure */
--typedef struct tnc_packet_t {
--/*
-- uint8_t code;
-- uint8_t id;
-- uint16_t length;
--*/
-- uint8_t flags_ver;
-- uint32_t data_length;
-- uint8_t *data;
--} tnc_packet_t;
--
--typedef struct tnc_packet {
-- uint8_t code;
-- uint8_t id;
-- uint16_t length;
-- uint8_t flags_ver;
-- uint32_t data_length;
-- uint8_t *data;
--} TNC_PACKET;
--
--#define TNC_START(x) (((x) & 0x20) != 0)
--#define TNC_MORE_FRAGMENTS(x) (((x) & 0x40) != 0)
--#define TNC_LENGTH_INCLUDED(x) (((x) & 0x80) != 0)
--#define TNC_RESERVED_EQ_NULL(x) (((x) & 0x10) == 0 && ((x) & 0x8) == 0)
--#define TNC_VERSION_EQ_ONE(x) (((x) & 0x07) == 1)
--
--#define SET_START(x) ((x) | (0x20))
--#define SET_MORE_FRAGMENTS(x) ((x) | (0x40))
--#define SET_LENGTH_INCLUDED(x) ((x) | (0x80))
--
--
--/* function declarations here */
--
--TNC_PACKET *eaptnc_alloc(void);
--void eaptnc_free(TNC_PACKET **tnc_packet_ptr);
--
--int eaptnc_compose(EAP_DS *auth, TNC_PACKET *reply);
--TNC_PACKET *eaptnc_extract(EAP_DS *auth);
--int eaptnc_verify(TNC_PACKET *pkt, VALUE_PAIR* pwd, uint8_t *ch);
--
--
--
--
-+int eaptnc_compose(EAP_HANDLER *handler, TNC_BufferReference request, TNC_UInt32 length, uint8_t code);
-
- #endif /*_EAP_TNC_H*/
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in 2012-12-04 19:38:49.277421870 +0100
-@@ -3,8 +3,8 @@
- #
-
- TARGET = @targetname@
--SRCS = rlm_eap_tnc.c eap_tnc.c tncs_connect.c
--HEADERS = eap_tnc.h tncs.h tncs_connect.h ../../eap.h ../../rlm_eap.h
-+SRCS = rlm_eap_tnc.c eap_tnc.c
-+HEADERS = eap_tnc.h ../../eap.h ../../rlm_eap.h
- RLM_CFLAGS = -I../.. -I../../libeap @eap_tnc_cflags@
- RLM_LIBS = @eap_tnc_ldflags@ ../../libeap/$(LIBPREFIX)freeradius-eap.la
- RLM_INSTALL =
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c 2012-12-04 19:38:00.241420966 +0100
-@@ -1,12 +1,12 @@
- /*
- * rlm_eap_tnc.c Handles that are called from eap
- *
-- * This software is Copyright (C) 2006,2007 FH Hannover
-+ * This software is Copyright (C) 2006-2009 FH Hannover
- *
- * Portions of this code unrelated to FreeRADIUS are available
- * separately under a commercial license. If you require an
- * implementation of EAP-TNC that is not under the GPLv2, please
-- * contact tnc@inform.fh-hannover.de for details.
-+ * contact trust@f4-i.fh-hannover.de for details.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -26,96 +26,262 @@
- * Copyright (C) 2007 Alan DeKok <aland@deployingradius.com>
- */
-
--#include <freeradius-devel/ident.h>
--RCSID("$Id: 985ac01f384110b9a46ec8e84592351c21b3f09a $")
-+/*
-+ * EAP-TNC Packet with EAP Header, general structure
-+ *
-+ * 0 1 2 3
-+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ * | Code | Identifier | Length |
-+ * | | | |
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ * | Type | Flags | Ver | Data Length |
-+ * | |L M S R R| =1 | |
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ * | Data Length | Data ...
-+ * | |
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ */
-
- #include <freeradius-devel/autoconf.h>
-
- #include <stdio.h>
- #include <stdlib.h>
-
--#include "tncs_connect.h"
- #include "eap_tnc.h"
--#include "tncs.h"
-+#include <naaeap/naaeap.h>
- #include <freeradius-devel/rad_assert.h>
-+//#include <freeradius-devel/libradius.h>
-
--typedef struct rlm_eap_tnc_t {
-- char *vlan_access;
-- char *vlan_isolate;
-- char *tnc_path;
--} rlm_eap_tnc_t;
-+#include <netinet/in.h>
-
--static int sessionCounter=0;
-+/**
-+ * Calculates an identifying string based upon nas_port, nas_ip and nas_port_type.
-+ * The maximum length of the calculated string is 70 (not including the trailing '\0').
-+ *
-+ * @return the number of bytes written to out (not including the trailing '\0')
-+ */
-+static uint32_t calculateConnectionString(RADIUS_PACKET* radius_packet, char *out, size_t outMaxLength)
-+{
-+ VALUE_PAIR *vp = NULL;
-+ uint32_t nas_port = 0;
-+ uint32_t nas_ip = 0;
-+ uint32_t nas_port_type = 0;
-+
-+ char out_nas_port[11];
-+ char out_nas_ip_byte_0[4];
-+ char out_nas_ip_byte_1[4];
-+ char out_nas_ip_byte_2[4];
-+ char out_nas_ip_byte_3[4];
-+ char out_nas_port_type[11];
-+
-+ // check for NULL
-+ if (radius_packet == NULL) {
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: calculateConnectionString failed. radius_packet == NULL!");
-+ return 0;
-+ }
-+
-+ // read NAS port, ip and port type
-+ for (vp = radius_packet->vps; vp; vp=vp->next) {
-+ switch (vp->attribute) {
-+ case PW_NAS_PORT:
-+ nas_port = vp->vp_integer;
-+ DEBUG("NAS scr port = %u\n", nas_port);
-+ break;
-+ case PW_NAS_IP_ADDRESS:
-+ nas_ip = vp->vp_ipaddr;
-+ DEBUG("NAS scr ip = %X\n", ntohl(nas_ip));
-+ break;
-+ case PW_NAS_PORT_TYPE:
-+ nas_port_type = vp->vp_integer;
-+ DEBUG("NAS scr port type = %u\n", nas_port_type);
-+ break;
-+ }
-+ }
-+
-+ snprintf(out_nas_port, 11, "%u", nas_port);
-+ snprintf(out_nas_ip_byte_0, 4, "%u", nas_ip & 0xFF);
-+ snprintf(out_nas_ip_byte_1, 4, "%u", (nas_ip >> 8) & 0xFF);
-+ snprintf(out_nas_ip_byte_2, 4, "%u", (nas_ip >> 16) & 0xFF);
-+ snprintf(out_nas_ip_byte_3, 4, "%u", (nas_ip >> 24) & 0xFF);
-+ snprintf(out_nas_port_type, 11, "%u", nas_port_type);
-+
-+ return snprintf(out, outMaxLength, "NAS Port: %s NAS IP: %s.%s.%s.%s NAS_PORT_TYPE: %s", out_nas_port, out_nas_ip_byte_3, out_nas_ip_byte_2, out_nas_ip_byte_1, out_nas_ip_byte_0, out_nas_port_type);
-+}
-+
-+/*
-+ * This function is called when the FreeRADIUS attach this module.
-+ */
-+static int tnc_attach(CONF_SECTION *conf, void **type_data)
-+{
-+ // initialize NAA-EAP
-+ DEBUG2("TNC-ATTACH initializing NAA-EAP");
-+ TNC_Result result = initializeDefault();
-+ if (result != TNC_RESULT_SUCCESS) {
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: tnc_attach error while calling NAA-EAP initializeDefault()");
-+ return -1;
-+ }
-+ return 0;
-+}
-+
-+/*
-+ * This function is called when the FreeRADIUS detach this module.
-+ */
-+static int tnc_detach(void *args)
-+{
-+ // terminate NAA-EAP
-+ DEBUG2("TNC-TERMINATE terminating NAA-EAP");
-+ TNC_Result result = terminate();
-+ if (result != TNC_RESULT_SUCCESS) {
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: tnc_attach error while calling NAA-EAP terminate()");
-+ return -1;
-+ }
-+ return 0;
-+}
-
- /*
-- * Initiate the EAP-MD5 session by sending a challenge to the peer.
-- * Initiate the EAP-TNC session by sending a EAP Request witch Start Bit set
-- * and with no data
-+ * This function is called when the first EAP_IDENTITY_RESPONSE message
-+ * was received.
-+ *
-+ * Initiates the EPA_TNC session by sending the first EAP_TNC_RESPONSE
-+ * to the peer. The packet has the Start-Bit set and contains no data.
-+ *
-+ * 0 1 2 3
-+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ * | Code | Identifier | Length |
-+ * | | | |
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ * | Type | Flags | Ver |
-+ * | |0 0 1 0 0|0 0 1|
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ *
-+ * For this package, only 'Identifier' has to be set dynamically. Any
-+ * other information is static.
- */
- static int tnc_initiate(void *type_data, EAP_HANDLER *handler)
- {
-- uint8_t flags_ver = 1; //set version to 1
-- rlm_eap_tnc_t *inst = type_data;
-- TNC_PACKET *reply;
-+ size_t buflen = 71;
-+ size_t ret = 0;
-+ char buf[buflen];
-+ REQUEST * request = NULL;
-+ TNC_Result result;
-+ TNC_ConnectionID conID;
-+ TNC_BufferReference username;
-
-+ // check if we run inside a secure EAP method.
-+ // FIXME check concrete outer EAP method
- if (!handler->request || !handler->request->parent) {
-- DEBUG("rlm_eap_tnc: EAP-TNC can only be run inside of a TLS-based method.");
-+ DEBUG2("rlm_eap_tnc: EAP_TNC must only be used as an inner method within a protected tunneled EAP created by an outer EAP method.");
-+ request = handler->request;
- return 0;
-+ } else {
-+ request = handler->request->parent;
- }
-
-- /*
-- * FIXME: Update this when the TTLS and PEAP methods can
-- * run EAP-TLC *after* the user has been authenticated.
-- * This likely means moving the phase2 handlers to a
-- * common code base.
-- */
-- if (1) {
-- DEBUG("rlm-eap_tnc: EAP-TNC can only be run after the user has been authenticated.");
-+ if (request->packet == NULL) {
-+ DEBUG2("rlm_eap_tnc: ERROR request->packet is NULL.");
- return 0;
- }
-
- DEBUG("tnc_initiate: %ld", handler->timestamp);
-
-- if(connectToTncs(inst->tnc_path)==-1){
-- DEBUG("Could not connect to TNCS");
-+ //calculate connectionString
-+ ret = calculateConnectionString(request->packet, buf, buflen);
-+ if(ret == 0){
-+ radlog(L_ERR, "rlm_eap_tnc:tnc_attach: calculating connection String failed.");
-+ return 0;
- }
-
-+ DEBUG2("TNC-INITIATE getting connection from NAA-EAP");
-+
- /*
-- * Allocate an EAP-MD5 packet.
-+ * get connection
-+ * (uses a function from the NAA-EAP-library)
-+ * the presence of the library is checked via the configure-script
- */
-- reply = eaptnc_alloc();
-- if (reply == NULL) {
-- radlog(L_ERR, "rlm_eap_tnc: out of memory");
-+ result = getConnection(buf, &conID);
-+
-+ // check for errors
-+ if (result != TNC_RESULT_SUCCESS) {
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: tnc_initiate error while calling NAA-EAP getConnection");
- return 0;
- }
-
- /*
-- * Fill it with data.
-+ * tries to get the username from FreeRADIUS;
-+ * copied from modules/rlm_eap/types/rlm_eap_ttls/ttls.c
- */
-- reply->code = PW_TNC_REQUEST;
-- flags_ver = SET_START(flags_ver); //set start-flag
-- DEBUG("$$$$$$$$$$$$$$$$Flags: %d", flags_ver);
-- reply->flags_ver = flags_ver;
-- reply->length = 1+1; /* one byte of flags_ver */
-+ VALUE_PAIR *usernameValuePair;
-+ usernameValuePair = pairfind(request->packet->vps, PW_USER_NAME);
-
-+ VALUE_PAIR *eapMessageValuePair;
-+ if (!usernameValuePair) {
-+ eapMessageValuePair = pairfind(request->packet->vps, PW_EAP_MESSAGE);
-+
-+ if (eapMessageValuePair &&
-+ (eapMessageValuePair->length >= EAP_HEADER_LEN + 2) &&
-+ (eapMessageValuePair->vp_strvalue[0] == PW_EAP_RESPONSE) &&
-+ (eapMessageValuePair->vp_strvalue[EAP_HEADER_LEN] == PW_EAP_IDENTITY) &&
-+ (eapMessageValuePair->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) {
-+
-+ /*
-+ * Create & remember a User-Name
-+ */
-+ usernameValuePair = pairmake("User-Name", "", T_OP_EQ);
-+ rad_assert(usernameValuePair != NULL);
-+
-+ memcpy(usernameValuePair->vp_strvalue, eapMessageValuePair->vp_strvalue + 5,
-+ eapMessageValuePair->length - 5);
-+ usernameValuePair->length = eapMessageValuePair->length - 5;
-+ usernameValuePair->vp_strvalue[usernameValuePair->length] = 0;
-+ }
-+ }
-+
-+ username = malloc(usernameValuePair->length + 1);
-+ memcpy(username, usernameValuePair->vp_strvalue, usernameValuePair->length);
-+ username[usernameValuePair->length] = '\0';
-+
-+ RDEBUG("Username for current TNC connection: %s", username);
-+
-+ /*
-+ * stores the username of this connection
-+ * (uses a function from the NAA-EAP-library)
-+ * the presence of the library is checked via the configure-script
-+ */
-+ result = storeUsername(conID, username, usernameValuePair->length);
-+
-+ // check for errors
-+ if (result != TNC_RESULT_SUCCESS) {
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: tnc_initiate error while calling NAA-EAP storeUsername");
-+ return 0;
-+ }
-+
-+ // set connection ID in FreeRADIUS
-+ handler->opaque = malloc(sizeof(TNC_ConnectionID));
-+ memcpy(handler->opaque, &conID, sizeof(TNC_ConnectionID));
-+
-+ // build first EAP TNC request
-+ TNC_BufferReference eap_tnc_request = malloc(sizeof(unsigned char));
-+ if (eap_tnc_request == NULL) {
-+ radlog(L_ERR, "rlm_eap_tnc:tnc_initiate: malloc failed.");
-+ return 0;
-+ }
-+ *eap_tnc_request = SET_START(1);
-+ TNC_UInt32 eap_tnc_length = 1;
-+ type_data = type_data; /* suppress -Wunused */
-
- /*
- * Compose the EAP-TNC packet out of the data structure,
- * and free it.
- */
-- eaptnc_compose(handler->eap_ds, reply);
-- eaptnc_free(&reply);
-+ eaptnc_compose(handler, eap_tnc_request, eap_tnc_length, PW_EAP_REQUEST);
-
-- //put sessionAttribute to Handler and increase sessionCounter
-- handler->opaque = calloc(sizeof(TNC_ConnectionID), 1);
-- if (handler->opaque == NULL) {
-- radlog(L_ERR, "rlm_eap_tnc: out of memory");
-- return 0;
-- }
-- handler->free_opaque = free;
-- memcpy(handler->opaque, &sessionCounter, sizeof(int));
-- sessionCounter++;
--
- /*
- * We don't need to authorize the user at this point.
- *
-@@ -124,246 +290,114 @@
- * to us...
- */
- handler->stage = AUTHENTICATE;
--
-- return 1;
--}
-
--static void setVlanAttribute(rlm_eap_tnc_t *inst, EAP_HANDLER *handler,
-- VlanAccessMode mode){
-- VALUE_PAIR *vp;
-- char *vlanNumber = NULL;
-- switch(mode){
-- case VLAN_ISOLATE:
-- vlanNumber = inst->vlan_isolate;
-- vp = pairfind(handler->request->config_items,
-- PW_TNC_VLAN_ISOLATE);
-- if (vp) vlanNumber = vp->vp_strvalue;
-- break;
-- case VLAN_ACCESS:
-- vlanNumber = inst->vlan_access;
-- vp = pairfind(handler->request->config_items,
-- PW_TNC_VLAN_ACCESS);
-- if (vp) vlanNumber = vp->vp_strvalue;
-- break;
--
-- default:
-- DEBUG2(" rlm_eap_tnc: Internal error. Not setting vlan number");
-- return;
-- }
-- pairadd(&handler->request->reply->vps,
-- pairmake("Tunnel-Type", "VLAN", T_OP_SET));
--
-- pairadd(&handler->request->reply->vps,
-- pairmake("Tunnel-Medium-Type", "IEEE-802", T_OP_SET));
--
-- pairadd(&handler->request->reply->vps,
-- pairmake("Tunnel-Private-Group-ID", vlanNumber, T_OP_SET));
--
-+ return 1;
- }
-
--/*
-- * Authenticate a previously sent challenge.
-+/**
-+ * This function is called when a EAP_TNC_RESPONSE was received.
-+ * It basically forwards the EAP_TNC data to NAA-TNCS and forms
-+ * and appropriate EAP_RESPONSE. Furthermore, it sets the VlanID
-+ * based on the TNC_ConnectionState determined by NAA-TNCS.
-+ *
-+ * @param type_arg The configuration data
-+ * @param handler The EAP_HANDLER
-+ * @return True, if successfully, else false.
- */
--static int tnc_authenticate(void *type_arg, EAP_HANDLER *handler)
--{
-- TNC_PACKET *packet;
-- TNC_PACKET *reply;
-- TNC_ConnectionID connId = *((TNC_ConnectionID *) (handler->opaque));
-- TNC_ConnectionState state;
-- rlm_eap_tnc_t *inst = type_arg;
-- int isAcknowledgement = 0;
-- TNC_UInt32 tnccsMsgLength = 0;
-- int isLengthIncluded;
-- int moreFragments;
-- TNC_UInt32 overallLength;
-- TNC_BufferReference outMessage;
-- TNC_UInt32 outMessageLength = 2;
-- int outIsLengthIncluded=0;
-- int outMoreFragments=0;
-- TNC_UInt32 outOverallLength=0;
-+static int tnc_authenticate(void *type_arg, EAP_HANDLER *handler) {
-
-- DEBUG2("HANDLER_OPAQUE: %d", (int) *((TNC_ConnectionID *) (handler->opaque)));
-- DEBUG2("TNC-AUTHENTICATE is starting now for %d..........", (int) connId);
-+ rad_assert(handler->request != NULL); // check that request has been sent previously
-+ rad_assert(handler->stage == AUTHENTICATE); // check if initiate has been called
-
-- /*
-- * Get the User-Password for this user.
-- */
-- rad_assert(handler->request != NULL);
-- rad_assert(handler->stage == AUTHENTICATE);
--
-- /*
-- * Extract the EAP-TNC packet.
-- */
-- if (!(packet = eaptnc_extract(handler->eap_ds)))
-+ if (handler == NULL) {
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler == NULL");
- return 0;
-+ }
-+ if (handler->eap_ds == NULL) {
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds == NULL");
-+ return 0;
-+ }
-+ if (handler->eap_ds->response == NULL) {
-+ radlog(
-+ L_ERR,
-+ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds->resonse == NULL");
-+ return 0;
-+ }
-+ if (handler->eap_ds->response->type.type != PW_EAP_TNC
-+ || handler->eap_ds->response->type.length < 1
-+ || handler->eap_ds->response->type.data == NULL) {
-+ radlog(
-+ L_ERR,
-+ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds->response->type.type == %X, ->type.length == %u, ->type.data == %p",
-+ handler->eap_ds->response->type.type,
-+ handler->eap_ds->response->type.length,
-+ handler->eap_ds->response->type.data);
-+ return 0;
-+ }
-
-- /*
-- * Create a reply, and initialize it.
-- */
-- reply = eaptnc_alloc();
-- if (!reply) {
-- eaptnc_free(&packet);
-- return 0;
-- }
--
-- reply->id = handler->eap_ds->request->id;
-- reply->length = 0;
-- if(packet->data_length==0){
-- tnccsMsgLength = packet->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
-- }else{
-- tnccsMsgLength = packet->length-TNC_PACKET_LENGTH;
-- }
-- isLengthIncluded = TNC_LENGTH_INCLUDED(packet->flags_ver);
-- moreFragments = TNC_MORE_FRAGMENTS(packet->flags_ver);
-- overallLength = packet->data_length;
-- if(isLengthIncluded == 0
-- && moreFragments == 0
-- && overallLength == 0
-- && tnccsMsgLength == 0
-- && TNC_START(packet->flags_ver)==0){
--
-- isAcknowledgement = 1;
-- }
--
-- DEBUG("Data received: (%d)", (int) tnccsMsgLength);
--/* int i;
-- for(i=0;i<tnccsMsgLength;i++){
-- DEBUG2("%c", (packet->data)[i]);
-- }
-- DEBUG2("\n");
-- */
-- state = exchangeTNCCSMessages(inst->tnc_path,
-- connId,
-- isAcknowledgement,
-- packet->data,
-- tnccsMsgLength,
-- isLengthIncluded,
-- moreFragments,
-- overallLength,
-- &outMessage,
-- &outMessageLength,
-- &outIsLengthIncluded,
-- &outMoreFragments,
-- &outOverallLength);
-- DEBUG("GOT State %08x from TNCS", (unsigned int) state);
-- if(state == TNC_CONNECTION_EAP_ACKNOWLEDGEMENT){ //send back acknoledgement
-- reply->code = PW_TNC_REQUEST;
-- reply->data = NULL;
-- reply->data_length = 0;
-- reply->flags_ver = 1;
-- reply->length =TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
-- }else{ //send back normal message
-- DEBUG("GOT Message from TNCS (length: %d)", (int) outMessageLength);
--
-- /* for(i=0;i<outMessageLength;i++){
-- DEBUG2("%c", outMessage[i]);
-- }
-- DEBUG2("\n");
-- */
-- DEBUG("outIsLengthIncluded: %d, outMoreFragments: %d, outOverallLength: %d",
-- outIsLengthIncluded, outMoreFragments, (int) outOverallLength);
-- DEBUG("NEW STATE: %08x", (unsigned int) state);
-- switch(state){
-- case TNC_CONNECTION_STATE_HANDSHAKE:
-- reply->code = PW_TNC_REQUEST;
-- DEBUG2("Set Reply->Code to EAP-REQUEST\n");
-- break;
-- case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
-- reply->code = PW_TNC_SUCCESS;
-- setVlanAttribute(inst, handler,VLAN_ACCESS);
-- break;
-- case TNC_CONNECTION_STATE_ACCESS_NONE:
-- reply->code = PW_TNC_FAILURE;
-- //setVlanAttribute(inst, handler, VLAN_ISOLATE);
-- break;
-- case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
-- reply->code = PW_TNC_SUCCESS;
-- setVlanAttribute(inst, handler, VLAN_ISOLATE);
-- break;
-- default:
-- reply->code= PW_TNC_FAILURE;
--
-- }
-- if(outMessage!=NULL && outMessageLength!=0){
-- reply->data = outMessage;
-- }
-- reply->flags_ver = 1;
-- if(outIsLengthIncluded){
-- reply->flags_ver = SET_LENGTH_INCLUDED(reply->flags_ver);
-- reply->data_length = outOverallLength;
-- reply->length = TNC_PACKET_LENGTH + outMessageLength;
-- DEBUG("SET LENGTH: %d", reply->length);
-- DEBUG("SET DATALENGTH: %d", (int) outOverallLength);
-- }else{
-- reply->data_length = 0;
-- reply->length = TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH + outMessageLength;
-- DEBUG("SET LENGTH: %d", reply->length);
-- }
-- if(outMoreFragments){
-- reply->flags_ver = SET_MORE_FRAGMENTS(reply->flags_ver);
-- }
-- }
--
-- /*
-- * Compose the EAP-MD5 packet out of the data structure,
-- * and free it.
-- */
-- eaptnc_compose(handler->eap_ds, reply);
-- eaptnc_free(&reply);
--
-- handler->stage = AUTHENTICATE;
--
-- eaptnc_free(&packet);
-- return 1;
--}
--
--/*
-- * Detach the EAP-TNC module.
-- */
--static int tnc_detach(void *arg)
--{
-- free(arg);
-- return 0;
--}
--
--
--static CONF_PARSER module_config[] = {
-- { "vlan_access", PW_TYPE_STRING_PTR,
-- offsetof(rlm_eap_tnc_t, vlan_access), NULL, NULL },
-- { "vlan_isolate", PW_TYPE_STRING_PTR,
-- offsetof(rlm_eap_tnc_t, vlan_isolate), NULL, NULL },
-- { "tnc_path", PW_TYPE_STRING_PTR,
-- offsetof(rlm_eap_tnc_t, tnc_path), NULL,
-- "/usr/local/lib/libTNCS.so"},
-+ // get connection ID
-+ TNC_ConnectionID conID = *((TNC_ConnectionID *) (handler->opaque));
-
-- { NULL, -1, 0, NULL, NULL } /* end the list */
--};
-+ DEBUG2("TNC-AUTHENTICATE is starting now for connection ID %lX !", conID);
-
--/*
-- * Attach the EAP-TNC module.
-- */
--static int tnc_attach(CONF_SECTION *cs, void **instance)
--{
-- rlm_eap_tnc_t *inst;
-+ // pass EAP_TNC data to NAA-EAP and get answer data
-+ TNC_BufferReference output = NULL;
-+ TNC_UInt32 outputLength = 0;
-+ TNC_ConnectionState connectionState = TNC_CONNECTION_STATE_CREATE;
-
-- inst = malloc(sizeof(*inst));
-- if (!inst) return -1;
-- memset(inst, 0, sizeof(*inst));
-+ /*
-+ * forwards the eap_tnc data to NAA-EAP and gets the response
-+ * (uses a function from the NAA-EAP-library)
-+ * the presence of the library is checked via the configure-script
-+ */
-+ TNC_Result result = processEAPTNCData(conID, handler->eap_ds->response->type.data,
-+ handler->eap_ds->response->type.length, &output, &outputLength,
-+ &connectionState);
-+
-+ // check for errors
-+ if (result != TNC_RESULT_SUCCESS) {
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: tnc_authenticate error while calling NAA-EAP processEAPTNCData");
-+ return 0;
-+ }
-
-- if (cf_section_parse(cs, inst, module_config) < 0) {
-- tnc_detach(inst);
-- return -1;
-+ // output contains now the answer from NAA-EAP
-+ uint8_t eapCode = 0;
-+ // determine eapCode for request
-+ switch (connectionState) {
-+ case TNC_CONNECTION_STATE_HANDSHAKE:
-+ eapCode = PW_EAP_REQUEST;
-+ break;
-+ case TNC_CONNECTION_STATE_ACCESS_NONE:
-+ eapCode = PW_EAP_FAILURE;
-+ break;
-+ case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
-+ eapCode = PW_EAP_SUCCESS;
-+ pairadd(&handler->request->config_items, pairmake("TNC-Status", "Access", T_OP_SET));
-+ break;
-+ case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
-+ eapCode = PW_EAP_SUCCESS;
-+ pairadd(&handler->request->config_items, pairmake("TNC-Status", "Isolate", T_OP_SET));
-+ break;
-+ default:
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: tnc_authenticate invalid TNC_CONNECTION_STATE.");
-+ return 0;
- }
-
--
-- if (!inst->vlan_access || !inst->vlan_isolate) {
-- radlog(L_ERR, "rlm_eap_tnc: Must set both vlan_access and vlan_isolate");
-- tnc_detach(inst);
-- return -1;
-+ // form EAP_REQUEST
-+ if (!eaptnc_compose(handler, output, outputLength, eapCode)) {
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: tnc_authenticate error while forming EAP_REQUEST.");
-+ return 0;
- }
-
-- *instance = inst;
-- return 0;
-+ // FIXME: Why is that needed?
-+ handler->stage = AUTHENTICATE;
-+
-+ return 1;
- }
-
- /*
-@@ -371,10 +405,10 @@
- * That is, everything else should be 'static'.
- */
- EAP_TYPE rlm_eap_tnc = {
-- "eap_tnc",
-- tnc_attach, /* attach */
-- tnc_initiate, /* Start the initial request */
-- NULL, /* authorization */
-- tnc_authenticate, /* authentication */
-- tnc_detach /* detach */
-+ "eap_tnc",
-+ tnc_attach, /* attach */
-+ tnc_initiate, /* Start the initial request */
-+ NULL, /* authorization */
-+ tnc_authenticate, /* authentication */
-+ tnc_detach /* detach */
- };
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c 1970-01-01 01:00:00.000000000 +0100
-@@ -1,146 +0,0 @@
--/*
-- * This software is Copyright (C) 2006,2007 FH Hannover
-- *
-- * Portions of this code unrelated to FreeRADIUS are available
-- * separately under a commercial license. If you require an
-- * implementation of EAP-TNC that is not under the GPLv2, please
-- * contact tnc@inform.fh-hannover.de for details.
-- *
-- * This program is free software; you can redistribute it and/or modify
-- * it under the terms of the GNU General Public License as published by
-- * the Free Software Foundation; either version 2 of the License, or
-- * (at your option) any later version.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- *
-- * You should have received a copy of the GNU General Public License
-- * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
-- *
-- */
--#include <freeradius-devel/ident.h>
--RCSID("$Id: 6077f6d2bdc2ebdea6575678e80e255f57215900 $")
--
--#include "tncs_connect.h"
--#include <ltdl.h>
--#include <stdlib.h>
--#include <stdio.h>
--#include <eap.h>
--
-- /*
-- * FIXME: This linking should really be done at compile time.
-- */
--static lt_dlhandle handle = NULL;
--
--static ExchangeTNCCSMessagePointer callTNCS = NULL;
--
--/*
-- * returns the function-pointer to a function of a shared-object
-- *
-- * soHandle: handle to a shared-object
-- * name: name of the requested function
-- *
-- * return: the procAddress if found, else NULL
-- */
--static void *getProcAddress(lt_dlhandle soHandle, const char *name){
-- void *proc = lt_dlsym(soHandle, name);
-- DEBUG("Searching for function %s", name);
-- if(proc == NULL){
-- DEBUG("rlm_eap_tnc: Failed to resolve symbol %s: %s",
-- name, lt_dlerror());
-- }
-- return proc;
--}
--
--
--/*
-- * establishs the connection to the TNCCS without calling functionality.
-- * That means that the TNCS-shared-object is loaded and the function-pointer
-- * to "exchangeTNCCSMessages" is explored.
-- *
-- * return: -1 if connect failed, 0 if connect was successful
-- */
--int connectToTncs(char *pathToSO){
-- int state = -1;
-- if(handle==NULL){
-- handle = lt_dlopen(pathToSO);
-- DEBUG("OPENED HANDLE!");
-- }
--
-- if(handle==NULL){
-- DEBUG("HANDLE IS NULL");
-- DEBUG("rlm_eap_tnc: Failed to link to library %s: %s",
-- pathToSO, lt_dlerror());
-- }else{
-- DEBUG("SO %s found!", pathToSO);
-- if(callTNCS==NULL){
-- callTNCS = (ExchangeTNCCSMessagePointer) getProcAddress(handle, "exchangeTNCCSMessages");
-- }
-- if(callTNCS!=NULL){
-- DEBUG("TNCS is connected");
-- state = 0;
--// int ret = callTNCS2(2, "Bla", NULL);
-- // DEBUG("GOT %d from exchangeTNCCSMessages", ret);
-- }else{
-- DEBUG("Could not find exchangeTNCCSMessages");
-- }
--
-- }
-- return state;
--}
--
--/*
-- * Accesspoint to the TNCS for sending and receiving TNCCS-Messages.
-- * -pathToSO: Path to TNCCS-Shared Object
-- * -connId: identifies the client which the passed message belongs to.
-- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
-- * -input: input-TNCCS-message received from the client with connId
-- * -inputLength: length of input-TNCCS-message
-- * -isFirst: 1 if first message in fragmentation else 0
-- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
-- * -overallLength: length of all fragments together (only set if fragmentation)
-- * -output: answer-TNCCS-message from the TNCS to the client
-- * -outputLength: length of answer-TNCCS-message
-- * -answerIsFirst: returned answer is first in row
-- * -moreFragmentsFollow: more fragments after this answer
-- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
-- *
-- * return: state of connection as result of the exchange
-- */
--TNC_ConnectionState exchangeTNCCSMessages(/*in*/ char *pathToSO,
-- /*in*/ TNC_ConnectionID connId,
-- /*in*/ int isAcknoledgement,
-- /*in*/ TNC_BufferReference input,
-- /*in*/ TNC_UInt32 inputLength,
-- /*in*/ int isFirst,
-- /*in*/ int moreFragments,
-- /*in*/ TNC_UInt32 overallLength,
-- /*out*/ TNC_BufferReference *output,
-- /*out*/ TNC_UInt32 *outputLength,
-- /*out*/ int *answerIsFirst,
-- /*out*/ int *moreFragmentsFollow,
-- /*out*/ TNC_UInt32 *overallLengthOut){
-- TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE;
-- int connectStatus = connectToTncs(pathToSO);
-- if(connectStatus!=-1){
-- state = callTNCS(connId,
-- isAcknoledgement,
-- input,
-- inputLength,
-- isFirst,
-- moreFragments,
-- overallLength,
-- output,
-- outputLength,
-- answerIsFirst,
-- moreFragmentsFollow,
-- overallLengthOut);
-- DEBUG("GOT TNC_ConnectionState (juhuuu): %u", (unsigned int) state);
-- }else{
-- DEBUG("CAN NOT CONNECT TO TNCS");
-- }
-- return state;
--}
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h 1970-01-01 01:00:00.000000000 +0100
-@@ -1,70 +0,0 @@
--/*
-- * This software is Copyright (C) 2006,2007 FH Hannover
-- *
-- * Portions of this code unrelated to FreeRADIUS are available
-- * separately under a commercial license. If you require an
-- * implementation of EAP-TNC that is not under the GPLv2, please
-- * contact tnc@inform.fh-hannover.de for details.
-- *
-- * This program is free software; you can redistribute it and/or modify
-- * it under the terms of the GNU General Public License as published by
-- * the Free Software Foundation; either version 2 of the License, or
-- * (at your option) any later version.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- *
-- * You should have received a copy of the GNU General Public License
-- * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
-- *
-- */
--
--#ifndef _TNCS_CONNECT_H_
--#define _TNCS_CONNECT_H_
--
--#include "tncs.h"
--
--/*
-- * establishs the connection to the TNCCS without calling functionality.
-- * That means that the TNCS-shared-object is loaded and the function-pointer
-- * to "exchangeTNCCSMessages" is explored.
-- *
-- * return: -1 if connect failed, 0 if connect was successful
-- */
--int connectToTncs(char *pathToSO);
--/*
-- * Accesspoint to the TNCS for sending and receiving TNCCS-Messages.
-- * -pathToSO: Path to TNCCS-Shared Object
-- * -connId: identifies the client which the passed message belongs to.
-- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
-- * -input: input-TNCCS-message received from the client with connId
-- * -inputLength: length of input-TNCCS-message
-- * -isFirst: 1 if first message in fragmentation else 0
-- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
-- * -overallLength: length of all fragments together (only set if fragmentation)
-- * -output: answer-TNCCS-message from the TNCS to the client
-- * -outputLength: length of answer-TNCCS-message
-- * -answerIsFirst: returned answer is first in row
-- * -moreFragmentsFollow: more fragments after this answer
-- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
-- *
-- * return: state of connection as result of the exchange
-- */
--TNC_ConnectionState exchangeTNCCSMessages(/*in*/ char *pathToSO,
-- /*in*/ TNC_ConnectionID connId,
-- /*in*/ int isAcknoledgement,
-- /*in*/ TNC_BufferReference input,
-- /*in*/ TNC_UInt32 inputLength,
-- /*in*/ int isFirst,
-- /*in*/ int moreFragments,
-- /*in*/ TNC_UInt32 overallLength,
-- /*out*/ TNC_BufferReference *output,
-- /*out*/ TNC_UInt32 *outputLength,
-- /*out*/ int *answerIsFirst,
-- /*out*/ int *moreFragmentsFollow,
-- /*out*/ TNC_UInt32 *overallLengthOut);
--
--#endif //_TNCS_CONNECT_H_
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h 1970-01-01 01:00:00.000000000 +0100
-@@ -1,86 +0,0 @@
--/*
-- * This software is Copyright (C) 2006,2007 FH Hannover
-- *
-- * Portions of this code unrelated to FreeRADIUS are available
-- * separately under a commercial license. If you require an
-- * implementation of EAP-TNC that is not under the GPLv2, please
-- * contact tnc@inform.fh-hannover.de for details.
-- *
-- * This program is free software; you can redistribute it and/or modify
-- * it under the terms of the GNU General Public License as published by
-- * the Free Software Foundation; either version 2 of the License, or
-- * (at your option) any later version.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- *
-- * You should have received a copy of the GNU General Public License
-- * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
-- *
-- */
--
--#ifndef _TNCS_H_
--#define _TNCS_H_
--
--
--
--#ifdef __cplusplus
--extern "C" {
--#endif
--
--/*
-- * copied from tncimv.h:
-- */
--typedef unsigned long TNC_UInt32;
--typedef TNC_UInt32 TNC_ConnectionState;
--typedef unsigned char *TNC_BufferReference;
--typedef TNC_UInt32 TNC_ConnectionID;
--
--#define TNC_CONNECTION_STATE_CREATE 0
--#define TNC_CONNECTION_STATE_HANDSHAKE 1
--#define TNC_CONNECTION_STATE_ACCESS_ALLOWED 2
--#define TNC_CONNECTION_STATE_ACCESS_ISOLATED 3
--#define TNC_CONNECTION_STATE_ACCESS_NONE 4
--#define TNC_CONNECTION_STATE_DELETE 5
--#define TNC_CONNECTION_EAP_ACKNOWLEDGEMENT 6
--
--/*
-- * Accesspoint (as function-pointer) to the TNCS for sending and receiving
-- * TNCCS-Messages.
-- *
-- * -connId: identifies the client which the passed message belongs to.
-- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
-- * -input: input-TNCCS-message received from the client with connId
-- * -inputLength: length of input-TNCCS-message
-- * -isFirst: 1 if first message in fragmentation else 0
-- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
-- * -overallLength: length of all fragments together (only set if fragmentation)
-- * -output: answer-TNCCS-message from the TNCS to the client
-- * -outputLength: length of answer-TNCCS-message
-- * -answerIsFirst: returned answer is first in row
-- * -moreFragmentsFollow: more fragments after this answer
-- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
-- *
-- * return: state of connection as result of the exchange
-- */
--typedef TNC_ConnectionState (*ExchangeTNCCSMessagePointer)(/*in*/ TNC_ConnectionID connId,
-- /*in*/ int isAcknoledgement,
-- /*in*/ TNC_BufferReference input,
-- /*in*/ TNC_UInt32 inputLength,
-- /*in*/ int isFirst,
-- /*in*/ int moreFragments,
-- /*in*/ TNC_UInt32 overallLength,
-- /*out*/ TNC_BufferReference *output,
-- /*out*/ TNC_UInt32 *outputLength,
-- /*out*/ int *answerIsFirst,
-- /*out*/ int *moreFragmentsFollow,
-- /*out*/ TNC_UInt32 *overallLengthOut
--);
--
--#ifdef __cplusplus
--}
--#endif
--#endif //_TNCS_H_
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h 2012-12-04 19:39:54.749423138 +0100
-@@ -37,6 +37,10 @@
- int copy_request_to_tunnel;
- int use_tunneled_reply;
- const char *virtual_server;
-+ const char *tnc_virtual_server; // virtual server for EAP-TNC as the second inner method
-+ VALUE_PAIR *auth_reply; // cache storage of the last reply of the first inner method
-+ int auth_code; // cache storage of the reply-code of the first inner method
-+ int doing_tnc; // status if we're doing EAP-TNC
- } ttls_tunnel_t;
-
- /*
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c 2012-12-04 19:39:54.749423138 +0100
-@@ -62,6 +62,11 @@
- * Virtual server for inner tunnel session.
- */
- char *virtual_server;
-+
-+ /*
-+ * Virtual server for the second inner tunnel method, which is EAP-TNC.
-+ */
-+ char *tnc_virtual_server;
- } rlm_eap_ttls_t;
-
-
-@@ -78,6 +83,9 @@
- { "virtual_server", PW_TYPE_STRING_PTR,
- offsetof(rlm_eap_ttls_t, virtual_server), NULL, NULL },
-
-+ { "tnc_virtual_server", PW_TYPE_STRING_PTR,
-+ offsetof(rlm_eap_ttls_t, tnc_virtual_server), NULL, NULL },
-+
- { "include_length", PW_TYPE_BOOLEAN,
- offsetof(rlm_eap_ttls_t, include_length), NULL, "yes" },
-
-@@ -171,6 +179,10 @@
- t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
- t->use_tunneled_reply = inst->use_tunneled_reply;
- t->virtual_server = inst->virtual_server;
-+ t->tnc_virtual_server = inst->tnc_virtual_server; // virtual server for EAP-TNC as the second inner method
-+ t->auth_reply = NULL; // cache storage of the last reply of the first inner method
-+ t->auth_code = -1; // cache storage of the reply-code of the first inner method
-+ t->doing_tnc = 0; // status if we're doing EAP-TNC (on start we're doing NOT)
- return t;
- }
-
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 2012-12-04 19:39:54.749423138 +0100
-@@ -585,6 +585,94 @@
- }
-
- /*
-+ * Start EAP-TNC as a second inner method.
-+ * Creates a new fake-request out of the original incoming request (via EAP_HANDLER).
-+ * If it's the first time, we create a EAP-START-packet and send
-+ * EAP-START := code = PW_EAP_REQUEST
-+ *
-+ */
-+static REQUEST* start_tnc(EAP_HANDLER *handler, ttls_tunnel_t *t) {
-+ REQUEST* request = handler->request;
-+ RDEBUG2("EAP-TNC as second inner authentication method starts now");
-+
-+ /*
-+ * Allocate a fake REQUEST struct,
-+ * to make a new request, based on the original request.
-+ */
-+ REQUEST* fake = request_alloc_fake(request);
-+
-+ /*
-+ * Set the virtual server to that of EAP-TNC.
-+ */
-+ fake->server = t->tnc_virtual_server;
-+
-+ /*
-+ * Build a new EAP-Message.
-+ */
-+ VALUE_PAIR *eap_msg;
-+ eap_msg = paircreate(PW_EAP_MESSAGE, PW_TYPE_OCTETS);
-+
-+ /*
-+ * Set the EAP-Message to look like EAP-Start
-+ */
-+ eap_msg->vp_octets[0] = PW_EAP_RESPONSE;
-+ eap_msg->vp_octets[1] = 0x00;
-+
-+ /*
-+ * Only setting EAP-TNC here,
-+ * because it is intended to do user-authentication in the first inner method,
-+ * and then a hardware-authentication (like EAP-TNC) as the second method.
-+ */
-+ eap_msg->vp_octets[4] = PW_EAP_TNC;
-+
-+ eap_msg->length = 0;
-+
-+ /*
-+ * Add the EAP-Message to the request.
-+ */
-+ pairadd(&(fake->packet->vps), eap_msg);
-+
-+ /*
-+ * Process the new request by the virtual server configured for
-+ * EAP-TNC.
-+ */
-+ rad_authenticate(fake);
-+
-+ /*
-+ * From now on we're doing EAP-TNC as the second inner authentication method.
-+ */
-+ t->doing_tnc = TRUE;
-+
-+ return fake;
-+}
-+
-+/*
-+ * Stop EAP-TNC as a second inner method.
-+ * Copy the value pairs from the cached Access-Accept of the first inner method
-+ * to the Access-Accept/Reject package of EAP-TNC.
-+ */
-+static REQUEST* stop_tnc(REQUEST *request, ttls_tunnel_t *t) {
-+ RDEBUG2("EAP-TNC as second inner authentication method stops now");
-+
-+ /*
-+ * Copy the value-pairs of the origina Access-Accept of the first
-+ * inner authentication method to the Access-Accept/Reject of the
-+ * second inner authentication method (EAP-TNC).
-+ */
-+ if (request->reply->code == PW_AUTHENTICATION_ACK) {
-+ pairadd(&(request->reply->vps), t->auth_reply);
-+ } else if (request->reply->code == PW_AUTHENTICATION_REJECT) {
-+ pairadd(&(request->reply->vps), t->auth_reply);
-+ }
-+
-+ pairdelete(&(request->reply->vps), PW_MESSAGE_AUTHENTICATOR);
-+ pairdelete(&(request->reply->vps), PW_PROXY_STATE);
-+ pairdelete(&(request->reply->vps), PW_USER_NAME);
-+
-+ return request;
-+}
-+
-+/*
- * Use a reply packet to determine what to do.
- */
- static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
-@@ -1135,6 +1223,16 @@
-
- } /* else fake->server == request->server */
-
-+ /*
-+ * If we're doing EAP-TNC as a second method,
-+ * then set the server to that one.
-+ * Then, rad_authenticate will run EAP-TNC,
-+ * so that afterwards we have to look for the state of
-+ * EAP-TNC.
-+ */
-+ if (t->doing_tnc) {
-+ fake->server = t->tnc_virtual_server;
-+ }
-
- if ((debug_flag > 0) && fr_log_fp) {
- RDEBUG("Sending tunneled request");
-@@ -1248,6 +1346,53 @@
-
- default:
- /*
-+ * If the result of the first method was an acknowledgment OR
-+ * if were already running EAP-TNC,
-+ * we're doing additional things before processing the reply.
-+ * Also the configuration for EAP-TTLS has to contain a virtual server
-+ * for EAP-TNC as the second method.
-+ */
-+ if (t->tnc_virtual_server) {
-+ /*
-+ * If the reply code of the first inner method is PW_AUTHENTICATION_ACK
-+ * which means that the method was successful,
-+ * and we're not doing EAP-TNC as the second method,
-+ * then we want to intercept the Access-Accept and start EAP-TNC as the second inner method.
-+ */
-+ if (fake->reply->code == PW_AUTHENTICATION_ACK
-+ && t->doing_tnc == FALSE) {
-+ RDEBUG2("Reply-Code of the first inner method was: %d (PW_AUTHENTICATION_ACK)", fake->reply->code);
-+
-+ /*
-+ * Save reply-value pairs and reply-code of the first method.
-+ */
-+ t->auth_reply = fake->reply->vps;
-+ fake->reply->vps = NULL;
-+ t->auth_code = fake->reply->code;
-+
-+ /*
-+ * Create the start package for EAP-TNC.
-+ */
-+ fake = start_tnc(handler, t);
-+
-+ /*
-+ * If we're doing EAP-TNC as the second inner method,
-+ * and the reply->code was PW_AUTHENTICATION_ACK or PW_AUTHENTICATION_REJECT,
-+ * then we stop EAP-TNC and create an combined Access-Accept or Access-Reject.
-+ */
-+ } else if (t->doing_tnc == TRUE
-+ && (fake->reply->code == PW_AUTHENTICATION_ACK || fake->reply->code == PW_AUTHENTICATION_REJECT)) {
-+
-+ /*
-+ * Create the combined Access-Accept or -Reject.
-+ */
-+ RDEBUG2("Reply-Code of EAP-TNC as the second inner method was: %d (%s)", fake->reply->code,
-+ fake->reply->code == PW_AUTHENTICATION_ACK ? "PW_AUTHENTICATION_ACK" : "PW_AUTHENTICATION_REJECT");
-+ fake = stop_tnc(fake, t);
-+ }
-+ }
-+
-+ /*
- * Returns RLM_MODULE_FOO, and we want to return
- * PW_FOO
- */
diff --git a/testing/scripts/recipes/patches/hostapd-config b/testing/scripts/recipes/patches/hostapd-config
deleted file mode 100644
index b26d2783f..000000000
--- a/testing/scripts/recipes/patches/hostapd-config
+++ /dev/null
@@ -1,38 +0,0 @@
-diff -u -ur hostapd-2.0.orig/hostapd/defconfig hostapd-2.0/hostapd/defconfig
---- hostapd-2.0.orig/hostapd/defconfig 2013-01-12 16:42:53.000000000 +0100
-+++ hostapd-2.0/hostapd/defconfig 2016-06-15 17:32:57.000000000 +0200
-@@ -13,14 +13,14 @@
- CONFIG_DRIVER_HOSTAP=y
-
- # Driver interface for wired authenticator
--#CONFIG_DRIVER_WIRED=y
-+CONFIG_DRIVER_WIRED=y
-
- # Driver interface for madwifi driver
- #CONFIG_DRIVER_MADWIFI=y
- #CFLAGS += -I../../madwifi # change to the madwifi source directory
-
- # Driver interface for drivers using the nl80211 kernel interface
--CONFIG_DRIVER_NL80211=y
-+#CONFIG_DRIVER_NL80211=y
-
- # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
- #CONFIG_DRIVER_BSD=y
-@@ -30,7 +30,7 @@
- #LIBS_c += -L/usr/local/lib
-
- # Driver interface for no driver (e.g., RADIUS server only)
--#CONFIG_DRIVER_NONE=y
-+CONFIG_DRIVER_NONE=y
-
- # IEEE 802.11F/IAPP
- CONFIG_IAPP=y
-@@ -152,7 +152,7 @@
-
- # Add support for writing debug log to a file: -f /tmp/hostapd.log
- # Disabled by default.
--#CONFIG_DEBUG_FILE=y
-+CONFIG_DEBUG_FILE=y
-
- # Remove support for RADIUS accounting
- #CONFIG_NO_ACCOUNTING=y \ No newline at end of file
diff --git a/testing/scripts/recipes/patches/tnc-fhh-tncsim b/testing/scripts/recipes/patches/tnc-fhh-tncsim
deleted file mode 100644
index 42c714480..000000000
--- a/testing/scripts/recipes/patches/tnc-fhh-tncsim
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index fe65134512ea..3c5255f21ea6 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -101,7 +101,6 @@ IF(${COMPONENT} STREQUAL "ALL")
- add_subdirectory(tncxacml)
- add_subdirectory(imcv)
- add_subdirectory(tncs)
-- add_subdirectory(tncsim)
-
- IF(${NAL} STREQUAL "8021X" OR ${NAL} STREQUAL "ALL")
- add_subdirectory(naaeap)
diff --git a/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc b/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc
deleted file mode 100644
index 2e00e5b44..000000000
--- a/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc
+++ /dev/null
@@ -1,47 +0,0 @@
-diff -urN wpa_supplicant-2.0.ori/src/eap_peer/tncc.c wpa_supplicant-2.0/src/eap_peer/tncc.c
---- wpa_supplicant-2.0.ori/src/eap_peer/tncc.c 2013-01-12 16:42:53.000000000 +0100
-+++ wpa_supplicant-2.0/src/eap_peer/tncc.c 2013-03-23 13:10:22.151059154 +0100
-@@ -465,7 +465,7 @@
- return -1;
- }
- #else /* CONFIG_NATIVE_WINDOWS */
-- imc->dlhandle = dlopen(imc->path, RTLD_LAZY);
-+ imc->dlhandle = dlopen(imc->path, RTLD_LAZY | RTLD_GLOBAL);
- if (imc->dlhandle == NULL) {
- wpa_printf(MSG_ERROR, "TNC: Failed to open IMC '%s' (%s): %s",
- imc->name, imc->path, dlerror());
-diff -urN wpa_supplicant-2.0.ori/wpa_supplicant/defconfig wpa_supplicant-2.0/wpa_supplicant/defconfig
---- wpa_supplicant-2.0.ori/wpa_supplicant/defconfig 2013-01-12 16:42:53.000000000 +0100
-+++ wpa_supplicant-2.0/wpa_supplicant/defconfig 2013-03-23 13:06:08.759052370 +0100
-@@ -86,7 +86,7 @@
- CONFIG_DRIVER_WEXT=y
-
- # Driver interface for Linux drivers using the nl80211 kernel interface
--CONFIG_DRIVER_NL80211=y
-+#CONFIG_DRIVER_NL80211=y
-
- # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
- #CONFIG_DRIVER_BSD=y
-@@ -193,7 +193,7 @@
- #CONFIG_EAP_GPSK_SHA256=y
-
- # EAP-TNC and related Trusted Network Connect support (experimental)
--#CONFIG_EAP_TNC=y
-+CONFIG_EAP_TNC=y
-
- # Wi-Fi Protected Setup (WPS)
- #CONFIG_WPS=y
-diff -urN wpa_supplicant-2.0.ori/wpa_supplicant/Makefile wpa_supplicant-2.0/wpa_supplicant/Makefile
---- wpa_supplicant-2.0.ori/wpa_supplicant/Makefile 2013-01-12 16:42:53.000000000 +0100
-+++ wpa_supplicant-2.0/wpa_supplicant/Makefile 2013-03-23 13:06:08.759052370 +0100
-@@ -6,8 +6,8 @@
- CFLAGS = -MMD -O2 -Wall -g
- endif
-
--export LIBDIR ?= /usr/local/lib/
--export BINDIR ?= /usr/local/sbin/
-+export LIBDIR ?= /usr/lib/
-+export BINDIR ?= /usr/sbin/
- PKG_CONFIG ?= pkg-config
-
- CFLAGS += -I../src
diff --git a/testing/testing.conf b/testing/testing.conf
index 92b9693c1..7d8480c1f 100644
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -24,18 +24,14 @@ fi
: ${TESTDIR=/srv/strongswan-testing}
# Kernel configuration
-<<<<<<< Updated upstream
-: ${KERNELVERSION=4.18.9}
-=======
-: ${KERNELVERSION=4.15.9}
->>>>>>> Stashed changes
+: ${KERNELVERSION=4.20}
: ${KERNEL=linux-$KERNELVERSION}
: ${KERNELTARBALL=$KERNEL.tar.xz}
-: ${KERNELCONFIG=$DIR/../config/kernel/config-4.15}
-: ${KERNELPATCH=ha-4.15.6-abicompat.patch.bz2}
+: ${KERNELCONFIG=$DIR/../config/kernel/config-4.19}
+: ${KERNELPATCH=ha-4.16-abicompat.patch.bz2}
# strongSwan version used in tests
-: ${SWANVERSION=5.7.0}
+: ${SWANVERSION=5.7.2}
# Build directory where the guest kernel and images will be built
: ${BUILDDIR=$TESTDIR/build}
@@ -52,8 +48,8 @@ fi
# Base image settings
# The base image is a pristine OS installation created using debootstrap.
-: ${BASEIMGSIZE=1600}
-: ${BASEIMGSUITE=jessie}
+: ${BASEIMGSIZE=1800}
+: ${BASEIMGSUITE=stretch}
: ${BASEIMGARCH=amd64}
: ${BASEIMG=$IMGDIR/debian-$BASEIMGSUITE-$BASEIMGARCH.$IMGEXT}
: ${BASEIMGMIRROR=http://http.debian.net/debian}
diff --git a/testing/tests/botan/net2net-ed25519/description.txt b/testing/tests/botan/net2net-ed25519/description.txt
new file mode 100755
index 000000000..8c67989f4
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/description.txt
@@ -0,0 +1,10 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> containing <b>Ed25519</b> keys.
+<b>moon</b> uses the botan plugin based on the Botan library for all
+cryptographical functions whereas <b>sun</b> uses the default strongSwan
+cryptographical plugins.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/botan/net2net-ed25519/evaltest.dat b/testing/tests/botan/net2net-ed25519/evaltest.dat
new file mode 100755
index 000000000..ebbb8ae75
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/evaltest.dat
@@ -0,0 +1,7 @@
+moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with ED25519 successful::YES
+sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ED25519 successful::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..508c30a00
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = random pem x509 revocation constraints pubkey botan
+}
+
+charon-systemd {
+ load = random nonce pem x509 botan revocation curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem
new file mode 100644
index 000000000..491d36430
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIKF9TGaPwvVmqoqowy6y8anmPMKpSi9bKc310bbXBMtk
+-----END PRIVATE KEY-----
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bcc2742f7
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem
new file mode 100644
index 000000000..e67b224b6
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9TCCAaegAwIBAgIBATAFBgMrZXAwTzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoT
+EnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEGA1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5
+IFJvb3QgQ0EwHhcNMTYxMjA0MjI0MDQyWhcNMjExMjA0MjI0MDQyWjBaMQswCQYD
+VQQGEwJDSDEbMBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MRAwDgYDVQQLEwdF
+ZDI1NTE5MRwwGgYDVQQDExNtb29uLnN0cm9uZ3N3YW4ub3JnMCowBQYDK2VwAyEA
+4X/jpRSEXr0/TmIHTOj7FqllkP+3e+ljkAU1FtYnX5ijgZwwgZkwHwYDVR0jBBgw
+FoAUI06SkApIhvYFXf55p3YDOo5w2PgwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz
+d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo
+dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWQyNTUxOS5jcmww
+BQYDK2VwA0EAOjD6PXrI3R8Wj55gstR2FtT0Htu4vV2jCRekts8O0++GNVMn65BX
+8ohW9fH7Ie2JTSOb0wzX+TPuMUAkLutUBA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..9c5a06945
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBljCCAUigAwIBAgIIBrMLy9hl4GQwBQYDK2VwME8xCzAJBgNVBAYTAkNIMRsw
+GQYDVQQKExJzdHJvbmdTd2FuIFByb2plY3QxIzAhBgNVBAMTGnN0cm9uZ1N3YW4g
+RWQyNTUxOSBSb290IENBMB4XDTE2MTIwNDIyMzU1NloXDTI2MTIwNDIyMzU1Nlow
+TzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEG
+A1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5IFJvb3QgQ0EwKjAFBgMrZXADIQAKMO0G
+lvjTLC7k8FoSp78rca3x++nvf9xPACSqnBg5UKNCMEAwDwYDVR0TAQH/BAUwAwEB
+/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFCNOkpAKSIb2BV3+ead2AzqOcNj4
+MAUGAytlcANBAEimNd3OTwM42KM0D+E6nJMHbrGSLA1XAukJDH9w30tzkbQHxTSv
+OPEN02ar1L30xfYVySJhV9i5cE8QkhThcAQ=
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..a35aea01c
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem
new file mode 100644
index 000000000..b83f62c13
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIF8vNpW9TVnEB+DzglbCjuZr+1u84dHRofgHoybGL9j0
+-----END PRIVATE KEY-----
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..12cee0fc6
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem
new file mode 100644
index 000000000..70af02017
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB8zCCAaWgAwIBAgIBAjAFBgMrZXAwTzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoT
+EnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEGA1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5
+IFJvb3QgQ0EwHhcNMTYxMjA0MjI0MDAyWhcNMjExMjA0MjI0MDAyWjBZMQswCQYD
+VQQGEwJDSDEbMBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MRAwDgYDVQQLEwdF
+ZDI1NTE5MRswGQYDVQQDExJzdW4uc3Ryb25nc3dhbi5vcmcwKjAFBgMrZXADIQBn
+HgUv3QIepihJpxydVVtgTsIqminFnbGSER5ReAaQ+qOBmzCBmDAfBgNVHSMEGDAW
+gBQjTpKQCkiG9gVd/nmndgM6jnDY+DAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dh
+bi5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwEwQQYDVR0fBDowODA2oDSgMoYwaHR0
+cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VkMjU1MTkuY3JsMAUG
+AytlcANBAC27Z6Q7/c21bPb3OfvbdnePhIpgGM3LVBL/0Pj9VOAtUec/Rv2rPNHq
+8C1xtc/jMCsI/NdpXSZCeN0lQgf0mgA=
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..9c5a06945
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBljCCAUigAwIBAgIIBrMLy9hl4GQwBQYDK2VwME8xCzAJBgNVBAYTAkNIMRsw
+GQYDVQQKExJzdHJvbmdTd2FuIFByb2plY3QxIzAhBgNVBAMTGnN0cm9uZ1N3YW4g
+RWQyNTUxOSBSb290IENBMB4XDTE2MTIwNDIyMzU1NloXDTI2MTIwNDIyMzU1Nlow
+TzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEG
+A1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5IFJvb3QgQ0EwKjAFBgMrZXADIQAKMO0G
+lvjTLC7k8FoSp78rca3x++nvf9xPACSqnBg5UKNCMEAwDwYDVR0TAQH/BAUwAwEB
+/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFCNOkpAKSIb2BV3+ead2AzqOcNj4
+MAUGAytlcANBAEimNd3OTwM42KM0D+E6nJMHbrGSLA1XAukJDH9w30tzkbQHxTSv
+OPEN02ar1L30xfYVySJhV9i5cE8QkhThcAQ=
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-ed25519/posttest.dat b/testing/tests/botan/net2net-ed25519/posttest.dat
new file mode 100755
index 000000000..30f6ede76
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/posttest.dat
@@ -0,0 +1,7 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/swanctl/pkcs8/*
+sun::rm /etc/swanctl/pkcs8/*
diff --git a/testing/tests/botan/net2net-ed25519/pretest.dat b/testing/tests/botan/net2net-ed25519/pretest.dat
new file mode 100755
index 000000000..410253e54
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/pretest.dat
@@ -0,0 +1,9 @@
+moon::rm /etc/swanctl/rsa/moonKey.pem
+sun::rm /etc/swanctl/rsa/sunKey.pem
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/botan/net2net-ed25519/test.conf b/testing/tests/botan/net2net-ed25519/test.conf
new file mode 100755
index 000000000..07a3b247a
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/botan/net2net-pkcs12/description.txt b/testing/tests/botan/net2net-pkcs12/description.txt
new file mode 100644
index 000000000..1d40e30f0
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> and an RSA private key stored in
+<b>PKCS12</b> format.
+<p/>
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/botan/net2net-pkcs12/evaltest.dat b/testing/tests/botan/net2net-pkcs12/evaltest.dat
new file mode 100644
index 000000000..bfc7e76f1
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/evaltest.dat
@@ -0,0 +1,5 @@
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1d9a7c08b
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = pem nonce revocation botan x509 curl vici kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12
index 365da741f..365da741f 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12
+++ b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12
Binary files differ
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b11cf0f3e
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-modp3072
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ pkcs12-moon {
+ file = moonCert.p12
+ secret = "kUqd8O7mzbjXNJKQ"
+ }
+}
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..1d9a7c08b
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = pem nonce revocation botan x509 curl vici kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12
index e2cd2f21d..e2cd2f21d 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12
+++ b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12
Binary files differ
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..28c0e87a4
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-modp3072
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ pkcs12-sun {
+ file = sunCert.p12
+ secret = "IxjQVCF3JGI+MoPi"
+ }
+}
diff --git a/testing/tests/botan/net2net-pkcs12/posttest.dat b/testing/tests/botan/net2net-pkcs12/posttest.dat
new file mode 100644
index 000000000..9802f442d
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/posttest.dat
@@ -0,0 +1,6 @@
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/swanctl/pkcs12/moonCert.p12
+sun::rm /etc/swanctl/pkcs12/sunCert.p12
diff --git a/testing/tests/botan/net2net-pkcs12/pretest.dat b/testing/tests/botan/net2net-pkcs12/pretest.dat
new file mode 100644
index 000000000..22ffcf949
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/pretest.dat
@@ -0,0 +1,9 @@
+moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem x509ca/strongswanCert.pem
+sun::cd /etc/swanctl; rm rsa/sunKey.pem x509/sunCert.pem x509ca/strongswanCert.pem
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf b/testing/tests/botan/net2net-pkcs12/test.conf
index afa2accbe..87abc763b 100644
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf
+++ b/testing/tests/botan/net2net-pkcs12/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/description.txt b/testing/tests/botan/net2net-sha3-rsa-cert/description.txt
new file mode 100755
index 000000000..2db82a941
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> with signatures consisting of
+<b>RSA-encrypted SHA-3 hashes</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/evaltest.dat b/testing/tests/botan/net2net-sha3-rsa-cert/evaltest.dat
new file mode 100755
index 000000000..4c56d5299
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/evaltest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..51a7747d7
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem x509 revocation constraints pubkey botan random
+}
+
+charon-systemd {
+ load = random nonce pem x509 revocation constraints pubkey botan curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem
new file mode 100644
index 000000000..f24b3ebf3
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4wIBAAKCAYEAnD3x6bsLjwUP9BU0+hDSo28XBn1aM8+UO5n5XnnuQ8CDB+Mq
+pEHgNve71FBD8Gqf2dha5rfRx5HhXbw6BZMCTdUs5oxHsaOl5LGwp8W4G1BSxofV
+T7yzfnmW/+lPER2zJnXbOlVfW8UoEbsAfXpCr/edJvBu10kk1VHjrnMJIDGlNc4N
+Re06DcYSb/7AgRN6umPQr+uRzn5jFXJyROjx00gH89GzZIaNciyiYwaCZFBduByt
+UhaL8RKMA+MxWrB1ICQgE7hITZXvJJg2UuEe+t3lXMSfKoZHyU2sTBtctXan6rf/
+XmC0O3Bf7RTwoFmDvJlApgfpL1QIe8gH1hi/NukTYskm+zWYPkJAzcwCyMmyhZFY
+v0r0pybLWI1hZ8xeTr7MSbtImsvxl8mxwG7wRtWS5BKd0kke/gorCEI8AYZj33NA
+G58iX4+z745z4UNNTDg1bnjB2fTw4c0AD7TOIU76ZskhGKj4J7ZMzeQ5YXLMFRmp
+qn0p9obSqXwg62dXAgMBAAECggGAHb2g3efv5FKHXePniK5JGjkcPe0AjZo20j2V
+/UjidN0hVBAG3ut3PZ9cjqaUuB/ju7j2XLKi6QU4y/n3ZXY9Wwl4GY6cWxEWk/jK
+8rStPe3FQ+s5TItT84A7oQ0NMunfXzPR/kGf/D0ESpO5HSl3pj1RGcdsoehXbY+/
+8kYNd6Zbl2lYl3X3tgV9Hvp0NF2739z+LW5++7qNK9j0LW/WEGzGrr+9ESaXqCMc
+6hKkIWo23MQArf6Ctunb4yWNEIFEDi1r9DzMbZN/lVhDx77Q0KYLH1P31R5rOc1G
+NYXPF4F3CSfUsgd48dB2/1FCTnDJ4PmOU/R1L8jAgnSOroTAYDVzY4DJ7vyKGvIE
+DL7eKlbwOfS5swyANUKgHO6QiHt9WzcNUGpeinTa3wJ4KoAdG+lzDMuiwRFdSRRU
+z7t1ptTf2LuCAtva2daP2SPed+ITg2QB6X4BSQkqR0vPYBQIZAtFjMWH78E2PLrD
+01+LpOj8TBRerd834etDODg4ddiRAoHBAMiYg7hWfChw3SdnmAmkhDAZN80pvsUU
+bzzAiQ5EI59JYMoi/amYyLd6hUK4Z8g4gcdXzBYw9iwJuj8LMpPBZlplAxVnFdId
+23I+GNDmcX2ovOpl6skKy1grNhBigxRUQUGsS9oxrYeuy2VymDzeZPCQmrrhsXk/
+Mac237nncJj2n8I5RtDOoSOFD0+grs7MXs4P+W2HHzWgkN7mBgKeFfUPLI3Kyy3p
+F7tXegtJqIJsXlfZ/fzR40QTy7/VbwAW/wKBwQDHZVDYtYe4YoHKdwtAqs/J08QA
+29fGkM4ZawLNTY4jz9rdtOuBWg0FPAo82x21xlbRQLsaTKzy9O6a3cQ5oaKtKCh/
+XmKCssrnzJsYZYnhkP4f4VXK8nai/9LFo8TWhB8hNy62GGmfXffsqhAIqIqZA02F
+/mOfR6Wrqs7yfzYnJnVsjbR1B2zSiNAYKtk1VtQdGjuagSn/dEyhSCaQRXotXUKX
+SJDzPf/H2mj97Cg+3bCtdE/h//N1/cmV/5QEx6kCgcEAh1ua7oW1bBiUsuVNi5wu
+8sHhjJiRuS0LzsPg9/Z0zyRVorCv2IRXVK/hQl9q8Ilo0VnmRkctphO+UJI+w8Nq
+TK8CwKt55vnsvY83cac+h9uX9tdk8dpN0qX96lp/NvWPv0ADQy3oebkyWLdWESTE
+miwJrPdkqXtCByKZHzoUGbO5o/bAWWBFDdHYvhOgQb1Yb9YJqqXWInrBpxcykQuZ
+p25g0yE3rzgtomXp3boLck6r7r4TjEkZATQWddERAM+DAoHAEW4w6BDOYXbzA6Du
+ceO8sFb7vlt5fFkyOxSYtRu/fi/wYQssvy0BEGEUQAejjD1fX4F6Ga10PPTeWtli
+CuuvTdXB3IiCsgwxIpxHPpW5vOcw39aR6mDRsCQO58oOLfZ0xjGNustdiFntj1m6
+dxdMrl2UjE8VpFneCKiw2I/4SunYv/mPOd/BSpI9Jq+wNzJ07mpZpYL/Cd6/yCWH
+gXshWA/b/1+PlEPqNS1JmlDnn78/b5pIVWhLfxgFZEBoTxapAoHAY/58nLcWpvpY
+3IZC0fBuR7usTACbxr9Z4okHzJUNnoJe+MSE+wQwuE3nP+vc1CrmBSwCjN2wyVLc
+gy3idN77NthU9l0oElrPbGFKdFEaa85IcKtnfnspzmvo9AJn2wveZUAlZAzu2zBN
+vKI8ubXgoS56uHQnNsWOIugTW/P1I8FnlD4jPItaACGJ3yZWolh9g/WOGS29qJvV
+E/6hT4QPPXPZFEnOKO0/3YsMXBwcnEqm2mQ+c4rGMKrTcynk4KaE
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bcc2742f7
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem
new file mode 100644
index 000000000..bea7e81f8
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEyDCCAzCgAwIBAgIBAjANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzU0N1oXDTI2MDky
+MjEwMzU0N1owWDELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5v
+cmcwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCcPfHpuwuPBQ/0FTT6
+ENKjbxcGfVozz5Q7mfleee5DwIMH4yqkQeA297vUUEPwap/Z2Frmt9HHkeFdvDoF
+kwJN1SzmjEexo6XksbCnxbgbUFLGh9VPvLN+eZb/6U8RHbMmdds6VV9bxSgRuwB9
+ekKv950m8G7XSSTVUeOucwkgMaU1zg1F7ToNxhJv/sCBE3q6Y9Cv65HOfmMVcnJE
+6PHTSAfz0bNkho1yLKJjBoJkUF24HK1SFovxEowD4zFasHUgJCATuEhNle8kmDZS
+4R763eVcxJ8qhkfJTaxMG1y1dqfqt/9eYLQ7cF/tFPCgWYO8mUCmB+kvVAh7yAfW
+GL826RNiySb7NZg+QkDNzALIybKFkVi/SvSnJstYjWFnzF5OvsxJu0iay/GXybHA
+bvBG1ZLkEp3SSR7+CisIQjwBhmPfc0AbnyJfj7PvjnPhQ01MODVueMHZ9PDhzQAP
+tM4hTvpmySEYqPgntkzN5DlhcswVGamqfSn2htKpfCDrZ1cCAwEAAaOBnTCBmjAf
+BgNVHSMEGDAWgBTkyc2M8ohtHacu1155MaVmVTXOAjAeBgNVHREEFzAVghNtb29u
+LnN0cm9uZ3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEIGA1UdHwQ7MDkw
+N6A1oDOGMWh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi1zaGEz
+LXJzYS5jcmwwDQYJYIZIAWUDBAMOBQADggGBAAHZATrdzGmUIq+0+EdA1AbPdcaT
+UDKJvDS30JyOkUnAv5jr63PHyfw+RS92zgE2UyB4+u43BiggBNmTNCjpaEUmViAo
+tdywkzIKm7q3dr0078IZ8LU8Wo+hoeRNkBJOxdgflsSislQYDeTd7syoQ4BW7whs
+jjFK2Lbthd+/33Iw3LMekYuZF7ZUbHY7D3nlBidrmTIQQCvOnsW2lJi/S83FEYzl
+noK+of3eo4Ryg1/428FHts26PxSmnHv+ckj9R4Jf5kH8kd1WhrgDyHQMnihWlUJ2
+pintDBgislbZytqiBOGeYpbpxKl57zHs421wmUs329asu7zgfJFnCynkUgvuRXdc
+gDJ+DAiVaXCJlYnk36P87028SR9/C0JLzHA3O5CcfUdFEUs0BvVe1D3b9kC28rdA
+5V86DFCL+gp6rB+wDtq6YnCddaNk+ZCs/QAPidqOFAytaBBKaagMIFk+wlsFge79
+ZssIfKy33Frluw0HCj0LNs2tjWvG4Ku8xkFO1Q==
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..29ad5b942
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky
+MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD
+QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF
+XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K
+VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC
+R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU
+YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t
+b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx
+Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw
+g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U
+7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n
+LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v
+4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0
+aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt
+YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k
+FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM
+riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2
+Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u
+kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3
+sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..51a7747d7
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem x509 revocation constraints pubkey botan random
+}
+
+charon-systemd {
+ load = random nonce pem x509 revocation constraints pubkey botan curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem
new file mode 100644
index 000000000..a694bbb8f
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4wIBAAKCAYEAuoGEVV6htuzLZd7oeZHYznMbBLffOz2l+t0XqHTUA44eM57K
+ZZMDAcc0gZvZWVFNDmOWpXpxbSQozA8Dgb9b9BYkNWHKW11rwSHq5mzmjBME394p
+DvzdV3tMmSGrhS00EyFWXLnpqrvkNTtiIm6nNHidrqM4ixbXiebOjDi3Z1vIJHOu
+MiUBe8KvZ7p8q4MpRADpEB565NWd+5/Yy4DECepBcmQn+9Pn/6FvdYfodBin9QyO
++7xsgQlnx6XI1HeiMdB6EE8r4AOVbZWseEJkUo/ZhsQk5tIYKZB18vo/8nnAHn6r
+ez+belmo4l/3hctRn8t08Lp7TRxnIUwGL8b8BxtAkR9T09duwE1KRt4h/PsCRx1H
+WKN9g/KsOi8ZPrBiz+hoHhIv+pvQ4ciEuC1Zf6AelEUnI/Rh6RuIkEjuisNk6zL6
+Fi9J2RWDTXY5vJdUTbmQhoQpbmX3yWdJyLn9vLaK/IDhaguYOuiUHKY57jWXZwW/
+bD3a5wi08JLCb0ahAgMBAAECggGALeWxq1Cee2XKqEcy7rf1otiwzXhydyG0twex
+ysL1aeqPhCSPqm+DTey3/y1bT5+yVtgrOo3nW/SKFa2cL1HoTykjv/9QzSswWVb/
+d7VVByOnD3CcqhOQZPby4rxmeV+mcQ7DMg6OcnXKs07p149jloYYR+HjCFeWs1kZ
+e2h5ufXcSxwswipZMxu2DtDV3V9pyFJxCIZ3t9jaCBJOR8ZoeAguEviS3mZHsaEI
+zOOlUOzAaI2uokS8bwThhUBHLAJEe5hglKtu5N1QGUo5x62wIK1+4McKqX5cphvW
+63N5P7yB30hfc1xM9VP/fi5UzmgccNmHl3ErJX6EbHbVNUv0a/wI6cp+s/DQRZMc
+Injr5BJIIFbzmqYST+UxEwtxUL7uV1s/eTXwsFxfQPJnx8rWbeyvGJHU6VykWJ2n
+vHmOItgaw4Lm0iw5XH2g0QC7nYFW6qC5sk7LIS3xUzN73JWjV2Z1E5nLfKxZ9sXz
+aA8WNrMSHUM/KkFaUri1xoH6gdABAoHBAPfA/gcZaoMemP06BIWKwgb/91GRsvc+
+slrmyZy+nq2bQaJw8oYyUmgWfh9X8pD6eVQN7jJBuA3BMg3L4Vn/R65rcwwYKA20
+pHgZF2MbwRlbBDtFQJe8kmwFu+TkHpGcoo94V6MdpbqoRKwQs66WOcjp4vzRLOL0
+ueynDrAPxpOaNIsr66s7xjd01VwEXYlfOfNBpOF/+3vN+O++k45/rnlEWgLeq6ie
+1xkv9vZp4FuNf6gnBXcNhu8aDJvJEMfxnQKBwQDAtqgE9K7Rhq9ht8w8P+QZUGYL
+c8mL4IGsPgmucuuheeWpmvLuAhsTxWBQhrO8/eEK4je+li6R/x0HYqgytsnOxlQH
+xH8ZsvouPtacUF9pv8x7GLnGlvdxdQzmnjYqR5MzFEX/L8+8skiyY95V/kNiWE/T
+X/Q8JgqyQ7VlykHtaToYchEhgY2m2Zxw6YhrI/ghtlP6NwOJDYsFxe7cfVvBQj9K
+qtwAidr8pKSLyJFaot+dAdSqAYZxiO90aSt/i9UCgcEAjzv7YR1Xj+CjsFrXfGFB
+VYysbnMelYSg1p7w1nb6BAJrir9j5yO2ssi2N+a/rQOyG19GY7XM897K0mEZss88
+oOEsDUT1+x6Bq5FODRVhqQgOxTl/Y3o46MzT2TvtVF/LN8jqWbptMyHPOe8aAoiF
+dduKSIGiQsAbsW7PtggY1QLk98T3pfKT4UHhjCZV8XKlbTZ5XYmBWg01q11xr4Ov
+2hojM9+KPJ1AXCZ3z/RcKnH+6LdOmIqwhRF5UqOG2SGdAoHAEA+pFTCnWUMWXtiI
+pwTUJ9/xgUbXJ1dAt3A8MlPVm5GjOG13jaqTQySSEGQJmti15shPyQyPOQ/ABZuN
+VRyy2Q7idftEdIncG/qUvFZefVvE2QWIhiqS2NvehWHuNbvdYsZvxwLfF2TsdiGo
+qBYW251smbtHibPJ9G18Ms2WjQjWFK99CgPYIG3GggqUmglXZsfhW9s16jg8u/Bx
+JeM0wHia+cgfqdPTcnbuV9ARfTJR3K4IYVrbL58wBc22GF05AoHAQvhfvtieWCJ8
+ATqOBjOcUHJ2WLiOslWsYOoqXy7v2YuVt8XFWAWZmLlzcC+8Tv79lCLpOmpiseQw
+kP9Mihi+8T15AmRUUsPREeGb7wCDNbd/KixPimhnelNGPNAV+6DPonSa4WcF9jZk
+nDa51PBPWCEPB5GHdbg/E5yiWMbr63bcTQNZxlRDaljNSRPp8xprs+JT1AIZI2wq
+hEyK6IMjYIj80jB8JZIM7nNgRhzCKCo7RdR3JMb5tduOgzvEheC3
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..12cee0fc6
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem
new file mode 100644
index 000000000..f1c086ee9
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIExjCCAy6gAwIBAgIBATANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzUzMFoXDTI2MDky
+MjEwMzUzMFowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2FuLm9y
+ZzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALqBhFVeobbsy2Xe6HmR
+2M5zGwS33zs9pfrdF6h01AOOHjOeymWTAwHHNIGb2VlRTQ5jlqV6cW0kKMwPA4G/
+W/QWJDVhyltda8Eh6uZs5owTBN/eKQ783Vd7TJkhq4UtNBMhVly56aq75DU7YiJu
+pzR4na6jOIsW14nmzow4t2dbyCRzrjIlAXvCr2e6fKuDKUQA6RAeeuTVnfuf2MuA
+xAnqQXJkJ/vT5/+hb3WH6HQYp/UMjvu8bIEJZ8elyNR3ojHQehBPK+ADlW2VrHhC
+ZFKP2YbEJObSGCmQdfL6P/J5wB5+q3s/m3pZqOJf94XLUZ/LdPC6e00cZyFMBi/G
+/AcbQJEfU9PXbsBNSkbeIfz7AkcdR1ijfYPyrDovGT6wYs/oaB4SL/qb0OHIhLgt
+WX+gHpRFJyP0YekbiJBI7orDZOsy+hYvSdkVg012ObyXVE25kIaEKW5l98lnSci5
+/by2ivyA4WoLmDrolBymOe41l2cFv2w92ucItPCSwm9GoQIDAQABo4GcMIGZMB8G
+A1UdIwQYMBaAFOTJzYzyiG0dpy7XXnkxpWZVNc4CMB0GA1UdEQQWMBSCEnN1bi5z
+dHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBCBgNVHR8EOzA5MDeg
+NaAzhjFodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4tc2hhMy1y
+c2EuY3JsMA0GCWCGSAFlAwQDDgUAA4IBgQACXiUqwisoOZUH3CPfi+aGaluK3mO7
+nj/gX5X9oE2JC3haWjbnC9fsKai72U8makp12xCpWjHsuiytVlXiiSCRxBGAaFm0
+cy2AI4Ttj+4+GAaI4BkqYBTApdSSXXUH3X4Lwb4LReX+16TsJ4E+d2U/j70gyGRK
+F/KgkKj/Bi4F//4/uXHPbgp2istKmkQ4wlcUb5EdM0tUiAUwYGMhdUhSryq4+7y8
+1QaPGg0Zv3nvGgoj332BOczflmNzoonXcihZk97iMRc/TvBOoizvuH9COCSbw/AB
+hnVG1lyTQjBAcE2U4MP5yUVuIqBgPnKtbyN3gf30Iq3g/ThVekchrYGO3PWMWAzS
+ecfr2yN11BC6nDca039Yub41AuzQqBQR1gY5sHouXNTx4Bs0g4xk+3rGa8MMgI0+
+jXhDVAorQFYuACDuto6skRtkcmXJ/1psvVEv5dcKAHdZCNKkgtXe2XoVvrjNxnPw
+MTVros8o+8Bz2R4qArLjwrZtvYI+czZx6dk=
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..29ad5b942
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky
+MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD
+QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF
+XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K
+VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC
+R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU
+YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t
+b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx
+Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw
+g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U
+7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n
+LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v
+4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0
+aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt
+YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k
+FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM
+riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2
+Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u
+kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3
+sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/posttest.dat b/testing/tests/botan/net2net-sha3-rsa-cert/posttest.dat
new file mode 100755
index 000000000..755f0e5f8
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/pretest.dat b/testing/tests/botan/net2net-sha3-rsa-cert/pretest.dat
new file mode 100755
index 000000000..9440ddab0
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/test.conf b/testing/tests/botan/net2net-sha3-rsa-cert/test.conf
new file mode 100755
index 000000000..07a3b247a
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..b2072d1f4
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+} \ No newline at end of file
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..07178dc5e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,56 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ suffix
+ files
+ eap {
+ ok = return
+ }
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..4fb07b912
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
index b4c7637ac..377aedf1b 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
@@ -1,6 +1,6 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
moon::expect-connection rw
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..27a42d00f
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,53 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ suffix
+ files
+ pap
+}
+
+authenticate {
+ Auth-Type PAP {
+ pap
+ }
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+}
+
+}
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..4fb07b912
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
index b4c7637ac..377aedf1b 100644
--- a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
@@ -1,6 +1,6 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
moon::expect-connection rw
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf
deleted file mode 100644
index 0340d5669..000000000
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-subnet 10.1.0.0 netmask 255.255.0.0 {
- option routers 10.1.0.1;
- option broadcast-address 10.1.255.255;
- option domain-name servers PH_IP_WINNETOU PH_IP_VENUS
- option netbios-name-servers PH_IP_VENUS;
-
- # dynamic address pool for visitors
- range 10.1.0.30 10.1.0.50;
-}
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf
deleted file mode 100644
index 0340d5669..000000000
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-subnet 10.1.0.0 netmask 255.255.0.0 {
- option routers 10.1.0.1;
- option broadcast-address 10.1.255.255;
- option domain-name servers PH_IP_WINNETOU PH_IP_VENUS
- option netbios-name-servers PH_IP_VENUS;
-
- # dynamic address pool for visitors
- range 10.1.0.30 10.1.0.50;
-}
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf
deleted file mode 100644
index 0340d5669..000000000
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-subnet 10.1.0.0 netmask 255.255.0.0 {
- option routers 10.1.0.1;
- option broadcast-address 10.1.255.255;
- option domain-name servers PH_IP_WINNETOU PH_IP_VENUS
- option netbios-name-servers PH_IP_VENUS;
-
- # dynamic address pool for visitors
- range 10.1.0.30 10.1.0.50;
-}
diff --git a/testing/tests/ikev2/host2host-cert/description.txt b/testing/tests/ikev2/host2host-cert/description.txt
index 6be21bf8f..876aa7980 100644
--- a/testing/tests/ikev2/host2host-cert/description.txt
+++ b/testing/tests/ikev2/host2host-cert/description.txt
@@ -1,4 +1,6 @@
A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
-The authentication is based on X.509 certificates. <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
+The authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat
index 7e343efa5..dcf573b59 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat
@@ -6,4 +6,4 @@ carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
index 7e343efa5..dcf573b59 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
@@ -6,4 +6,4 @@ carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2057b5193
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..aa6f98076
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+228060123456002 EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
deleted file mode 100644
index 10c26aa15..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
+++ /dev/null
@@ -1,3 +0,0 @@
-sim_files {
- simtriplets = "/etc/freeradius/triplets.dat"
-}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
index 91425f812..2968646e5 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
@@ -2,13 +2,23 @@ authorize {
preprocess
chap
mschap
- sim_files
suffix
+ files
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
eap {
ok = return
}
unix
- files
expiration
logintime
pap
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
deleted file mode 100644
index aaabab89e..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
-228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
-228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
-228060123456002,33000000000000000000000000000000,33112233,335566778899AABB
-228060123456002,34000000000000000000000000000000,34112233,345566778899AABB
-228060123456002,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
index e69de29bb..aa6f98076 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+228060123456002 EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
index 6a4da6631..4069be9ce 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
index 9ffd27f1e..f3fdfe6ff 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
@@ -1,10 +1,6 @@
-alice::cat /etc/freeradius/clients.conf
-alice::cat /etc/freeradius/eap.conf
-alice::cat /etc/freeradius/proxy.conf
-alice::cat /etc/freeradius/triplets.dat
carol::cat /etc/ipsec.d/triplets.dat
dave::cat /etc/ipsec.d/triplets.dat
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/nat-rw-psk/description.txt b/testing/tests/ikev2/nat-rw-psk/description.txt
index c74897d9a..9bef3cd18 100644
--- a/testing/tests/ikev2/nat-rw-psk/description.txt
+++ b/testing/tests/ikev2/nat-rw-psk/description.txt
@@ -1,6 +1,7 @@
The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
-Both roadwarriors share the same Pre-Shared Key (PSK) with the gateway <b>sun</b>.
+Each roadwarrior shares its own Pre-Shared Key (PSK) with the gateway <b>sun</b>.
+<p/>
<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-rw/description.txt b/testing/tests/ikev2/nat-rw/description.txt
index dcf4b94bd..58b28bad2 100644
--- a/testing/tests/ikev2/nat-rw/description.txt
+++ b/testing/tests/ikev2/nat-rw/description.txt
@@ -1,5 +1,7 @@
The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Authentication is based on X.509 certificates.
+<p/>
<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-psk/description.txt b/testing/tests/ikev2/net2net-psk/description.txt
index 02cddbb83..07320d731 100644
--- a/testing/tests/ikev2/net2net-psk/description.txt
+++ b/testing/tests/ikev2/net2net-psk/description.txt
@@ -1,6 +1,7 @@
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>Preshared Keys</b> (PSK). Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+The authentication is based on <b>Preshared Keys</b> (PSK).
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt b/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt
index 6d886024b..893a27230 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt
@@ -1,9 +1,11 @@
-at the outset the gateway authenticates itself to the client by sending an
-IKEv2 <b>RSA signature</b> accompanied by a certificate.
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with the <i>Authentication and Key Agreement</i> protocol
-(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
-in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method used in UMTS, but here a secret defined in <b>ipsec.secrets</b>
+is used instead of a USIM/(R)UIM device.
+<p/>
In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior <b>carol</b>
uses the EAP identity <b>carol</b>.
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/description.txt b/testing/tests/ikev2/rw-eap-aka-rsa/description.txt
index 1277081b9..da5b72735 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/description.txt
@@ -1,7 +1,8 @@
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with the <i>Authentication and Key Agreement</i> protocol
-(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
-in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
-Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
-against <b>carol</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method used in UMTS, but here a secret defined in <b>ipsec.secrets</b>
+is used instead of a USIM/(R)UIM device. \ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..1dc69d90d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..ba92f0080
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,4 @@
+carol Cleartext-Password := "Ar3etTnp"
+ Framed-IP-Address = 10.3.0.1
+dave Cleartext-Password := "W7R0g3do"
+ Framed-IP-Address = 10.3.0.2
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
index fa2d7eeb9..c98e8ed53 100644
--- a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
@@ -1,7 +1,7 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..1dc69d90d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..62d459115
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,4 @@
+carol Cleartext-Password := "Ar3etTnp"
+ Class = "Research"
+dave Cleartext-Password := "W7R0g3do"
+ Class = "Accounting"
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
index 303139615..e63c57e72 100644
--- a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
@@ -1,7 +1,7 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..1dc69d90d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
index b27673c6d..012323f8f 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
@@ -1,6 +1,6 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
moon::expect-connection rw-eap
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
index b27673c6d..012323f8f 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
@@ -1,6 +1,6 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
moon::expect-connection rw-eap
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/description.txt b/testing/tests/ikev2/rw-eap-md5-rsa/description.txt
index d376ee5a8..08fd89b65 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/description.txt
@@ -1,7 +1,7 @@
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with an <i>MD5</i> challenge and response protocol
-(<b>EAP-MD5</b>) to authenticate against the gateway. The user password
-is kept in <b>ipsec.secrets</b> on both gateway and client
-Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
-against <b>carol</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>MD5</i> (<b>EAP-MD5</b>) method of the
+<i>Extensible Authentication Protocol</i> to authenticate herself.
+
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt
index 4feadff4c..95afc08b5 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt
@@ -1,8 +1,10 @@
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with the <i>Microsoft CHAP version 2</i> protocol
-(<b>EAP-MSCHAPV2</b>) to authenticate against the gateway. This protocol is used
-e.g. by the Windows 7 Agile VPN client.
-In addition to her IKEv2 identity <b>PH_IP_CAROL</b>, roadwarrior <b>carol</b>
-uses the EAP identy <b>carol</b>. Gateway <b>moon</b> additionally uses an <b>RSA signature</b>
-to authenticate itself against <b>carol</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Microsoft CHAP version 2</i> (<b>EAP-MSCHAPV2</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method is used e.g. by the Windows 7/8/10 Agile VPN client.
+<p/>
+In addition to her IKEv2 identity which defaults to her IP address,
+roadwarrior <b>carol</b> uses the EAP identity <b>carol</b>.
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..0ae8befe4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,21 @@
+eap {
+ md5 {
+ }
+ default_eap_type = peap
+
+ tls-config tls-common {
+ private_key_file = ${certdir}/aaaKey.pem
+ certificate_file = ${certdir}/aaaCert.pem
+ ca_file = ${cadir}/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = ${certdir}/dh
+ random_file = ${certdir}/random
+ }
+
+ peap {
+ tls = tls-common
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ }
+}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..6ce9d6391
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
@@ -0,0 +1,38 @@
+server inner-tunnel {
+
+authorize {
+ filter_username
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ update outer.session-state {
+ &Module-Failure-Message := &request:Module-Failure-Message
+ }
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
index fa2d7eeb9..c98e8ed53 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
@@ -1,7 +1,7 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt
index 0531a559f..41abb363c 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt
@@ -1,13 +1,13 @@
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
At the outset the gateway authenticates itself to the client by sending
-an IKEv2 <b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
-in association with a <i>GSM Subscriber Identity Module</i>
-(<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
-In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
-are used instead of a physical SIM card on the client <b>carol</b> and
-the gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
which also uses static triplets. In addition to her IKEv2 identity
<b>carol@strongswan.org</b>, roadwarrior <b>carol</b> uses the EAP
identity <b>228060123456001</b>.
-
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2057b5193
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..1c281a974
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files
deleted file mode 100644
index 10c26aa15..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files
+++ /dev/null
@@ -1,3 +0,0 @@
-sim_files {
- simtriplets = "/etc/freeradius/triplets.dat"
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
index 893529324..1dc666992 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -1,5 +1,16 @@
authorize {
- sim_files
+ files
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
eap {
ok = return
}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
index e69de29bb..1c281a974 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
index 122ee2283..53aa83f0c 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
@@ -1,8 +1,7 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-alice::cat /etc/freeradius/triplets.dat
carol::cat /etc/ipsec.d/triplets.dat
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
moon::expect-connection rw-eap
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt
index d50175664..26de3c982 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt
@@ -1,14 +1,15 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The gateway <b>moon</b> does not send an AUTH payload thus signalling
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+At the outset the gateway does not send an AUTH payload thus signalling
a mutual <b>EAP-only</b> authentication.
-<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
-in association with a <i>GSM Subscriber Identity Module</i>
-(<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
-In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
-are used instead of a physical SIM card on the client <b>carol</b>.
+<p/>
+Next the clients use the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate themselves.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
-which also uses a static triplets file.
-<p>
+which also uses static triplets.
+<p/>
The roadwarrior <b>dave</b> sends wrong EAP-SIM triplets. As a consequence
-the radius server <b>alice</b> returns an <b>Access-Reject</b> message
-and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>.
+the RADIUS server <b>alice</b> returns an <b>Access-Reject</b> message
+and the gateway <b>moon</b> sends back <b>EAP_FAILURE</b>.
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..71fa4f18c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files
deleted file mode 100644
index 10c26aa15..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files
+++ /dev/null
@@ -1,3 +0,0 @@
-sim_files {
- simtriplets = "/etc/freeradius/triplets.dat"
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
index fbdf75f4c..8d68b81fc 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -1,6 +1,17 @@
authorize {
- sim_files
+ files
suffix
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
eap {
ok = return
}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
index e69de29bb..a74267d30 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
index 9614686c2..04b824def 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
@@ -7,10 +7,9 @@ dave::iptables-restore < /etc/iptables.rules
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
-alice::cat /etc/freeradius/triplets.dat
carol::cat /etc/ipsec.d/triplets.dat
dave::cat /etc/ipsec.d/triplets.dat
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-radius/description.txt
index 6c3c71987..5cb1bacdc 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-sim-radius/description.txt
@@ -1,14 +1,15 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the client by sending
-an IKEv2 <b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
-in association with a <i>GSM Subscriber Identity Module</i>
-(<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
-In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
-are used instead of a physical SIM card on the client <b>carol</b>.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next the clients use the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate themselves.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
-which also uses a static triplets file.
-<p>
+which also uses static triplets.
+<p/>
The roadwarrior <b>dave</b> sends wrong EAP-SIM triplets. As a consequence
-the radius server <b>alice</b> returns an <b>Access-Reject</b> message
-and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>.
+the RADIUS server <b>alice</b> returns an <b>Access-Reject</b> message
+and the gateway <b>moon</b> sends back <b>EAP_FAILURE</b>.
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..71fa4f18c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files
deleted file mode 100644
index 10c26aa15..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files
+++ /dev/null
@@ -1,3 +0,0 @@
-sim_files {
- simtriplets = "/etc/freeradius/triplets.dat"
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
index 91425f812..51b64a74b 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -2,8 +2,19 @@ authorize {
preprocess
chap
mschap
- sim_files
+ files
suffix
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
eap {
ok = return
}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
index e69de29bb..a74267d30 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
index 52d5962f4..e171997bc 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
@@ -1,13 +1,9 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-alice::cat /etc/freeradius/clients.conf
-alice::cat /etc/freeradius/eap.conf
-alice::cat /etc/freeradius/proxy.conf
-alice::cat /etc/freeradius/triplets.dat
carol::cat /etc/ipsec.d/triplets.dat
dave::cat /etc/ipsec.d/triplets.dat
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/description.txt b/testing/tests/ikev2/rw-eap-sim-rsa/description.txt
index 686241809..4401e679f 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/description.txt
@@ -1,7 +1,8 @@
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with a GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
-to authenticate against the gateway. In this scenario triplets from the file
-<b>/etc/ipsec.d/triplets.dat</b> are used instead of a physical SIM card.
-Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate
-itself against <b>carol</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..e8670dbb7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,16 @@
+eap {
+ default_eap_type = tls
+
+ tls-config tls-common {
+ private_key_file = ${certdir}/aaaKey.pem
+ certificate_file = ${certdir}/aaaCert.pem
+ ca_file = ${cadir}/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = ${certdir}/dh
+ random_file = ${certdir}/random
+ }
+
+ tls {
+ tls = tls-common
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..060702784
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,55 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
index ef5666914..6907b7657 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
@@ -9,7 +9,3 @@ charon {
}
}
}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
index b27673c6d..012323f8f 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
@@ -1,6 +1,6 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
moon::expect-connection rw-eap
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 576d2cb99..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
- rightauth=any
- rightsubnet=10.1.0.0/16
- rightsendcert=never
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index fa1febe0f..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index ba52ec31e..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
- rightauth=any
- rightsubnet=10.1.0.0/16
- rightsendcert=never
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index d5631a9f5..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "UgaM65Va"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index fa1febe0f..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 738481257..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-eap
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightsendcert=never
- right=%any
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 0ff7725ca..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
- multiple_authentication=no
-
- syslog {
- daemon {
- tls = 2
- }
- }
- plugins {
- eap-ttls {
- phase2_method = md5
- phase2_piggyback = yes
- }
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
deleted file mode 100644
index 1865a1c60..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
deleted file mode 100644
index dccf85419..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7450c71c4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,21 @@
+eap {
+ md5 {
+ }
+ default_eap_type = ttls
+
+ tls-config tls-common {
+ private_key_file = ${certdir}/aaaKey.pem
+ certificate_file = ${certdir}/aaaCert.pem
+ ca_file = ${cadir}/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = ${certdir}/dh
+ random_file = ${certdir}/random
+ }
+
+ ttls {
+ tls = tls-common
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..6ce9d6391
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
@@ -0,0 +1,38 @@
+server inner-tunnel {
+
+authorize {
+ filter_username
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ update outer.session-state {
+ &Module-Failure-Message := &request:Module-Failure-Message
+ }
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
index fa2d7eeb9..c98e8ed53 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
@@ -1,7 +1,7 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..dafe7f052
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,64 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+listen {
+ type = acct
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-radius-accounting/posttest.dat b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
index 98f7a6954..66416eb28 100644
--- a/testing/tests/ikev2/rw-radius-accounting/posttest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
@@ -1,6 +1,6 @@
carol::ipsec stop
moon::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*
carol::iptables-restore < /etc/iptables.flush
moon::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-radius-accounting/pretest.dat b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
index 7ec7c1226..d3c345200 100644
--- a/testing/tests/ikev2/rw-radius-accounting/pretest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
@@ -1,7 +1,7 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
alice::rm /var/log/freeradius/radacct/PH_IP_MOON1/*
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
moon::expect-connection rw-eap
diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat
index 186ce4e06..c792f3a7e 100644
--- a/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat
index 186ce4e06..c792f3a7e 100644
--- a/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat
index 4cf23a31b..d2db56eb8 100644
--- a/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat
index 4cf23a31b..d2db56eb8 100644
--- a/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat
index 803cf5ef5..5fef8bbb1 100644
--- a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat
index 803cf5ef5..5fef8bbb1 100644
--- a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat
index 0e125b70e..c3bbe341f 100644
--- a/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat
index 0e125b70e..c3bbe341f 100644
--- a/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat
index f6dc9aa3e..5178076a3 100644
--- a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat
index f6dc9aa3e..5178076a3 100644
--- a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat
index 16982a736..52e4bf623 100644
--- a/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat
index 16982a736..52e4bf623 100644
--- a/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat
index 5ae9d2c12..7a6fc302e 100644
--- a/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat
@@ -4,6 +4,6 @@ moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
moon::ip xfrm state::mode transport::YES
sun:: ip xfrm state::mode transport::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat
index 0dfba54ea..6e6de5e96 100644
--- a/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat
@@ -5,6 +5,6 @@ sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES
moon::ip xfrm state::mode transport::YES
sun:: ip xfrm state::mode transport::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/host2host-ikev1/evaltest.dat b/testing/tests/ipv6/host2host-ikev1/evaltest.dat
index ef6ec2b98..b7b92d020 100644
--- a/testing/tests/ipv6/host2host-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/host2host-ikev1/evaltest.dat
@@ -1,4 +1,4 @@
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES
sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/host2host-ikev2/evaltest.dat b/testing/tests/ipv6/host2host-ikev2/evaltest.dat
index 23add7ae5..f3068ce8b 100644
--- a/testing/tests/ipv6/host2host-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/host2host-ikev2/evaltest.dat
@@ -1,4 +1,4 @@
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES
sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ikev1/evaltest.dat
index 877459c88..bbf6c2ea3 100644
--- a/testing/tests/ipv6/net2net-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ikev1/evaltest.dat
@@ -1,4 +1,4 @@
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ikev2/evaltest.dat
index a3e2bad94..97e0de01c 100644
--- a/testing/tests/ipv6/net2net-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ikev2/evaltest.dat
@@ -1,4 +1,4 @@
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
index 591e2da59..f85d6127f 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
@@ -1,4 +1,4 @@
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
sun::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
index 2ee553a61..b776ea938 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
@@ -1,4 +1,4 @@
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
sun::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat
index 72dade743..21569bdaa 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat
@@ -1,6 +1,6 @@
moon:: cat /var/log/daemon.log::TS fec2:\:/16 is contained in address block constraint fec2:\:/16::YES
sun:: cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/rw-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ikev1/evaltest.dat
index 1202a99d2..a199765a0 100644
--- a/testing/tests/ipv6/rw-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/rw-ikev1/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-port=500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
diff --git a/testing/tests/ipv6/rw-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ikev2/evaltest.dat
index d5d5a6b1c..aa450e296 100644
--- a/testing/tests/ipv6/rw-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/rw-ikev2/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat
index 026235171..394521b25 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16]::YES
dave::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16]::YES
moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128]::YES
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat
index dd120f524..f4c8851c0 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16]::YES
dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16]::YES
moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128]::YES
diff --git a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat
index e92aa028d..5009bf41f 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat
@@ -1,6 +1,6 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-port=500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
diff --git a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat
index ce79801ec..b748003e8 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=4500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat
index 082416d60..9016ba473 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat
@@ -2,8 +2,8 @@ moon:: cat /var/log/daemon.log::TS fec0:\:10/128 is contained in address block c
moon:: cat /var/log/daemon.log::TS fec0:\:20/128 is contained in address block constraint fec0:\:20/128::YES
carol::cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
dave:: cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
diff --git a/testing/tests/ipv6/transport-ikev1/evaltest.dat b/testing/tests/ipv6/transport-ikev1/evaltest.dat
index 736425d36..659ca42ab 100644
--- a/testing/tests/ipv6/transport-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/transport-ikev1/evaltest.dat
@@ -1,6 +1,6 @@
moon::ip xfrm state::mode transport::YES
sun:: ip xfrm state::mode transport::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES
sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/transport-ikev2/evaltest.dat b/testing/tests/ipv6/transport-ikev2/evaltest.dat
index 48ddcd069..a754598f9 100644
--- a/testing/tests/ipv6/transport-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/transport-ikev2/evaltest.dat
@@ -1,6 +1,6 @@
moon::ip xfrm state::mode transport::YES
sun:: ip xfrm state::mode transport::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES
sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat b/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat
index e9a30b9ac..cdb8ead3c 100644
--- a/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat
+++ b/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat
@@ -1,4 +1,4 @@
-alice::ping6 -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef ip6-bob.strongswan.org::8192 bytes from ip6-bob.strongswan.org: icmp_seq=3::YES
+alice::ping6 -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef ip6-bob.strongswan.org::8192 bytes from ip6-bob.strongswan.org.*: icmp_seq=3::YES
moon ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec1::/16\[ipv6-icmp]] remote-ts=\[fec2::/16\[ipv6-icmp]]::YES
sun ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec2::/16\[ipv6-icmp]] remote-ts=\[fec1::/16\[ipv6-icmp]]::YES
sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
diff --git a/testing/tests/openssl-ikev1/alg-camellia/description.txt b/testing/tests/openssl-ikev1/alg-camellia/description.txt
index b3515c333..4b8eeb87e 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/description.txt
+++ b/testing/tests/openssl-ikev1/alg-camellia/description.txt
@@ -1,4 +1,3 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 /
-HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as
-the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b>
-in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite
+<b>camellia256-sha512-modp3072</b> as well as the ESP cipher suite <b>camellia192-sha384</b>.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
index 937860593..68edc54b7 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
@@ -1,10 +1,6 @@
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
-carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
moon:: ip xfrm state::enc cbc(camellia)::YES
carol::ip xfrm state::enc cbc(camellia)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 4628311d4..000000000
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=camellia256-sha512-modp3072!
- esp=camellia192-sha384!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
index 976544b24..a322670f4 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bdde28391
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = camellia192-sha384
+ }
+ }
+ version = 1
+ proposals = camellia256-sha512-modp3072
+ }
+}
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index da1fbf06b..000000000
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=camellia256-sha512-modp3072!
- esp=camellia192-sha384!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
index 976544b24..a322670f4 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..116e06c26
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = camellia192-sha384
+ }
+ }
+ version = 1
+ proposals = camellia256-sha512-modp3072
+ }
+}
diff --git a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
index 046d4cfdc..2b00bea8e 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
index e34f70277..ae2c30429 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
@@ -1,7 +1,7 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection net
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev1/alg-camellia/test.conf b/testing/tests/openssl-ikev1/alg-camellia/test.conf
index 4a5fc470f..307c7e9cc 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
index a1f31495d..773e43a35 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
@@ -1,17 +1,17 @@
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
plugin for the Elliptic Curve Diffie-Hellman groups only.
<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
<b>carol</b> proposes the DH groups ECP_256 and ECP_384 whereas <b>dave</b> proposes
ECP_256 and ECP_521. Since <b>moon</b> does not support ECP_256 the roadwarriors
fall back to ECP_384 and ECP_521, respectively.
<p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
index 553c79451..2cc3382df 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
@@ -1,15 +1,9 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 2ed83f06a..000000000
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-ecp256,aes192-sha384-ecp384!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..3ed559068
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256,aes192gcm16-ecp384
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-ecp256,aes192-sha384-ecp384
+ }
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 105ec3ce4..000000000
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-ecp256,aes256-sha512-ecp521!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
index fde691e96..5b59e8d55 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b5a2be9e8
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256,aes256gcm16-ecp521
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-ecp256,aes256-sha512-ecp521
+ }
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 0a312b394..000000000
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes192-sha384-ecp384,aes256-sha512-ecp521!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7c5b3080d
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes192gcm16-ecp384,aes256gcm16-ecp521
+ }
+ }
+ version = 1
+ proposals = aes192-sha384-ecp384,aes256-sha512-ecp521
+ }
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
@@ -1,11 +1,11 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
index 84b6eb4bf..c365455d0 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
@@ -1,17 +1,17 @@
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes des sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
plugin for the Elliptic Curve Diffie-Hellman groups only.
<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
<b>carol</b> proposes the DH groups ECP_192 and ECP_224 whereas <b>dave</b> proposes
ECP_192 and ECP_256. Since <b>moon</b> does not support ECP_192 the roadwarriors
fall back to ECP_224 and ECP_256, respectively.
<p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
index 327d63bf8..183f5e97f 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
@@ -1,17 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 6fe17a9ee..000000000
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes192-sha384-ecp192,3des-sha256-ecp224!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..013e6b1bc
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha1-ecp192,3des-sha256-ecp224
+ }
+ }
+ version = 1
+ proposals = 3des-sha1-ecp192,3des-sha256-ecp224
+ }
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index ade897727..000000000
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes192-sha384-ecp192,aes128-sha256-ecp256!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
index fde691e96..6c9cf718d 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..4f5c016c2
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha1-ecp192,aes128gcm16-ecp256
+ }
+ }
+ version = 1
+ proposals = 3des-sha1-ecp192,aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 3992b52fb..000000000
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=3des-sha256-ecp224,aes128-sha256-ecp256!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..417ad0508
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha256-ecp224,aes128gcm16-ecp256
+ }
+ }
+ version = 1
+ proposals = 3des-sha256-ecp224,aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
@@ -1,11 +1,11 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/description.txt b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt
index 4f855eb1a..3bbcdfa32 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/description.txt
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt
@@ -1,11 +1,12 @@
The hosts <b>carol</b>, <b>dave</b>, and <b>moon</b> use the <b>openssl</b> plugin
based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate functions.
<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>ECDSA signatures</b>
using <b>Elliptic Curve certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+</p>
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
index 9a8516dad..2127b2bf4 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
@@ -1,11 +1,3 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
moon:: cat /var/log/daemon.log::looking for ECDSA-256 signature peer configs matching.*carol@strongswan.org::YES
moon:: cat /var/log/daemon.log::looking for ECDSA-384 signature peer configs matching.*dave@strongswan.org::YES
moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_NULL successful::YES
@@ -14,6 +6,10 @@ carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECD
dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_NULL successful::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 1527867c7..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem
index c277ba4f6..c277ba4f6 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..abf46a755
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-ecp256
+ }
+}
+
+secrets {
+
+ ecdsa-carol {
+ file = carolKey.pem
+ secret = "nH5ZQEWtku0RJEZ6"
+ }
+}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem
index 646f6e8e3..646f6e8e3 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index ed9410c04..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ebd3a2839..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem
index 40a76935e..40a76935e 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..3981ac2ea
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm16-ecp384
+ }
+ }
+ version = 1
+ proposals = aes256-sha384-ecp384
+ }
+}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem
index 35b3df49a..35b3df49a 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 359029d02..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
index 24f07b5d7..24f07b5d7 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..1ddf9621e
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm16-aes128gcm16-ecp384-ecp256
+ }
+ }
+ version = 1
+ proposals = aes256-aes128-sha384-sha256-ecp384-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem
index a4962286e..a4962286e 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
index 1865a1c60..3d10c0f1f 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
@@ -1,6 +1,11 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+carol::rm /etc/swanctl/ecdsa/carolKey.pem
+dave::rm /etc/swanctl/ecdsa/daveKey.pem
+moon::rm /etc/swanctl/ecdsa/moonKey.pem
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
index e87a8ee47..c86fdede5 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
@@ -1,11 +1,14 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/carolKey.pem
+dave::rm /etc/swanctl/rsa/daveKey.pem
+moon::rm /etc/swanctl/rsa/moonKey.pem
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt b/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt
deleted file mode 100644
index cfa7a11b9..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
-functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp hmac gcm</b> and <b>x509</b>.
-<p/>
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
-<b>AES_GCM_16_256</b> both for IKE and ESP by defining <b>ike=aes256gcm16-prfsha512-modp2048</b>
-(or alternatively <b>aes256gcm128</b>) and <b>esp=aes256gcm16-modp2048</b> in ipsec.conf,
-respectively.
-<p/>
-Roadwarrior <b>dave</b> proposes to gateway <b>moon</b> the cipher suite
-<b>AES_GCM_16_128</b> both for IKE and ESP by defining <b>ike=aes128gcm16-prfsha256-modp1536</b>
-(or alternatively <b>aes128gcm128</b>) and <b>esp=aes128gcm16-modp1536</b> in ipsec.conf,
-respectively.
-<p/>
-A ping by <b>carol</b> and <b>dave</b> to <b>alice</b> successfully checks the established tunnels.
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat
deleted file mode 100644
index 44bd75895..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat
+++ /dev/null
@@ -1,26 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw\[1].*IKE proposal: AES_GCM_16_256::YES
-moon:: ipsec statusall 2> /dev/null::rw\[2].*IKE proposal: AES_GCM_16_128::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES
-dave:: ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_128::YES
-moon:: ipsec statusall 2> /dev/null::rw[{]1}.*AES_GCM_16_256,::YES
-moon:: ipsec statusall 2> /dev/null::rw[{]2}.*AES_GCM_16_128,::YES
-carol::ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES
-dave:: ipsec statusall 2> /dev/null::AES_GCM_16_128,::YES
-moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES
-carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
-dave:: ip xfrm state::aead rfc4106(gcm(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES
-
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index c0016ff61..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256gcm128-prfsha512-modp2048!
- esp=aes256gcm128-modp2048!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 4a7e09c6a..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = pem pkcs1 random nonce revocation openssl curl stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 335eda02c..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128gcm128-prfsha256-modp1536!
- esp=aes128gcm128-modp1536!
-
-conn home
- left=PH_IP_DAVE
- leftfirewall=yes
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 99069ae82..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac gcm stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 566298bed..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256gcm16-prfsha512-modp2048,aes128gcm16-prfsha256-modp1536!
- esp=aes256gcm16-modp2048,aes128gcm16-modp1536!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4a7e09c6a..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = pem pkcs1 random nonce revocation openssl curl stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat
deleted file mode 100644
index 1865a1c60..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat
deleted file mode 100644
index e87a8ee47..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/description.txt b/testing/tests/openssl-ikev2/alg-blowfish/description.txt
deleted file mode 100644
index d30d9d2da..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> as well as the gateway <b>moon</b>
-use the <b>openssl</b> plugin based on the <b>OpenSSL</b> library for all
-cryptographical functions, thus making the <b>Blowfish</b> available as an IKEv2 cipher.
-<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
-to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP
-encryption. Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
-the client <b>alice</b> behind the gateway <b>moon</b>.
-
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
deleted file mode 100644
index a4f1f2998..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
+++ /dev/null
@@ -1,17 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
-dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES
-dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES
-carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
-dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 192::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 192::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES
-
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index adee238e6..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=blowfish256-sha512-modp2048!
- esp=blowfish192-sha384!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 4a5e52dbd..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index e22322431..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=blowfish128-sha256-modp1536!
- esp=blowfish128-sha256!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 4a5e52dbd..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 43bbb36a9..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536!
- esp=blowfish192-sha384,blowfish128-sha256!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4a5e52dbd..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat b/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
deleted file mode 100644
index 1865a1c60..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
deleted file mode 100644
index e87a8ee47..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-camellia/description.txt b/testing/tests/openssl-ikev2/alg-camellia/description.txt
index b3515c333..4b8eeb87e 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/description.txt
+++ b/testing/tests/openssl-ikev2/alg-camellia/description.txt
@@ -1,4 +1,3 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 /
-HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as
-the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b>
-in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite
+<b>camellia256-sha512-modp3072</b> as well as the ESP cipher suite <b>camellia192-sha384</b>.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
index 937860593..8a2e36baa 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
@@ -1,10 +1,6 @@
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
-carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
moon:: ip xfrm state::enc cbc(camellia)::YES
carol::ip xfrm state::enc cbc(camellia)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index f0bbfc10f..000000000
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=camellia256-sha512-modp3072!
- esp=camellia192-sha384!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
index 976544b24..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ebdb473fb
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = camellia192-sha384
+ }
+ }
+ version = 2
+ proposals = camellia256-sha512-modp3072
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 8481f8974..000000000
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=camellia256-sha512-modp3072!
- esp=camellia192-sha384!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
index 976544b24..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..90c566bb6
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = camellia192-sha384
+ }
+ }
+ version = 2
+ proposals = camellia256-sha512-modp3072
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
index 046d4cfdc..2b00bea8e 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
index e34f70277..ae2c30429 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
@@ -1,7 +1,7 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection net
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-camellia/test.conf b/testing/tests/openssl-ikev2/alg-camellia/test.conf
index 4a5fc470f..307c7e9cc 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt
index d0ae5a823..e37d5489c 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt
@@ -1,17 +1,17 @@
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
plugin for the Elliptic Curve Diffie-Hellman groups only.
<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
<b>carol</b> proposes the <b>Brainpool</b> DH groups ECP_256_BP and ECP_384_BP whereas
<b>dave</b> proposes ECP_256_BP and ECP_512_B P. Since <b>moon</b> does not support
ECP_256_BP the roadwarriors fall back to ECP_384_BP and ECP_512_BP, respectively.
<p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat
index ebc7752f2..746d90280 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat
@@ -1,19 +1,12 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
carol::cat /var/log/daemon.log::ECP_256_BP.*ECP_384_BP::YES
dave:: cat /var/log/daemon.log::ECP_256_BP.*ECP_512_BP::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384_BP::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_512_BP::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_512_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384_BP.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_512_BP.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index bfca8965f..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256bp,aes192-sha384-ecp384bp!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..893130d66
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256bp,aes192gcm16-ecp384bp
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256bp,aes192-sha384-ecp384bp
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 2b16165dc..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256bp,aes256-sha512-ecp512bp!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf
index fde691e96..5b59e8d55 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e522d15d7
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256bp,aes256gcm16-ecp512bp
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256bp,aes256-sha512-ecp512bp
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 8c02c9fea..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes192-sha384-ecp384bp,aes256-sha512-ecp512bp!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..93fc75e14
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes192gcm16-ecp384bp,aes256gcm16-ecp512bp
+ }
+ }
+ version = 2
+ proposals = aes192-sha384-ecp384bp,aes256-sha512-ecp512bp
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
@@ -1,11 +1,11 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt
index 78eb0ffb3..35323dab6 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt
@@ -1,17 +1,16 @@
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes des sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
plugin for the Elliptic Curve Diffie-Hellman groups only.
<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
<b>carol</b> proposes the <b>Brainpool</b> DH groups ECP_384_BP and ECP_224_BP whereas
-<b>dave</b> proposes ECP_192_BP and ECP_256_BP. Since <b>moon</b> does not support
+<b>dave</b> proposes ECP_384_BP and ECP_256_BP. Since <b>moon</b> does not support
ECP_384_BP the roadwarriors fall back to ECP_224_BP and ECP_256_BP, respectively.
<p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
-
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat
index ff9fb202c..1c64d0f16 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat
@@ -1,19 +1,12 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
carol::cat /var/log/daemon.log::ECP_384_BP.*ECP_224_BP::YES
dave:: cat /var/log/daemon.log::ECP_384_BP.*ECP_256_BP::YES
-carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224_BP::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256_BP::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224_BP.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index be85b6c1e..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes192-sha384-ecp384bp,3des-sha256-ecp224bp!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..deba223ce
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes192gcm16-ecp384bp,3des-sha256-ecp224bp
+ }
+ }
+ version = 2
+ proposals = aes192-sha384-ecp384bp,3des-sha256-ecp224bp
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 1adedc048..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes192-sha384-ecp384bp,aes128-sha256-ecp256bp!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf
index fde691e96..6c9cf718d 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ab8fcf6a3
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes192gcm16-ecp384bp,aes128gcm16-ecp256bp
+ }
+ }
+ version = 2
+ proposals = aes192-sha384-ecp384bp,aes128-sha256-ecp256bp
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index b4cd86c60..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=3des-sha256-ecp224bp,aes128-sha256-ecp256bp!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..c12a7d4c6
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha256-ecp224bp,aes128gcm16-ecp256bp
+ }
+ }
+ version = 2
+ proposals = 3des-sha256-ecp224bp,aes128-sha256-ecp256bp
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
@@ -1,11 +1,11 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
index a1f31495d..773e43a35 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
@@ -1,17 +1,17 @@
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
plugin for the Elliptic Curve Diffie-Hellman groups only.
<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
<b>carol</b> proposes the DH groups ECP_256 and ECP_384 whereas <b>dave</b> proposes
ECP_256 and ECP_521. Since <b>moon</b> does not support ECP_256 the roadwarriors
fall back to ECP_384 and ECP_521, respectively.
<p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
index 4cee48d89..07ad135d8 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
@@ -1,17 +1,11 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
carol::cat /var/log/daemon.log::ECP_256.*ECP_384::YES
dave:: cat /var/log/daemon.log::ECP_256.*ECP_521::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 2fd776e25..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256,aes192-sha384-ecp384!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..46942c7e2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256,aes192gcm16-ecp384
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256,aes192-sha384-ecp384
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 8d8989ed7..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256,aes256-sha512-ecp521!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
index fde691e96..5b59e8d55 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..828c4d6c7
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256,aes256gcm16-ecp521
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256,aes256-sha512-ecp521
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index addcc6175..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes192-sha384-ecp384,aes256-sha512-ecp521!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..18a98ad6e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes192gcm16-ecp384,aes256gcm16-ecp521
+ }
+ }
+ version = 2
+ proposals = aes192-sha384-ecp384,aes256-sha512-ecp521
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
@@ -1,11 +1,11 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/description.txt b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt
index 84b6eb4bf..c365455d0 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/description.txt
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt
@@ -1,17 +1,17 @@
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes des sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
plugin for the Elliptic Curve Diffie-Hellman groups only.
<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
<b>carol</b> proposes the DH groups ECP_192 and ECP_224 whereas <b>dave</b> proposes
ECP_192 and ECP_256. Since <b>moon</b> does not support ECP_192 the roadwarriors
fall back to ECP_224 and ECP_256, respectively.
<p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
index 818082ca8..88fe3a1e3 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
@@ -1,19 +1,12 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
carol::cat /var/log/daemon.log::ECP_192.*ECP_224::YES
dave:: cat /var/log/daemon.log::ECP_192.*ECP_256::YES
-carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index b754c29ba..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes192-sha384-ecp192,3des-sha256-ecp224!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e21bcd3b5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha1-ecp192,3des-sha256-ecp224
+ }
+ }
+ version = 2
+ proposals = 3des-sha1-ecp192,3des-sha256-ecp224
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index b5e9215c5..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes192-sha384-ecp192,aes128-sha256-ecp256!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
index fde691e96..6c9cf718d 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..f38c4353b
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha1-ecp192,aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ proposals = 3des-sha1-ecp192,aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 2e4a15ec3..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=3des-sha256-ecp224,aes128-sha256-ecp256!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..5caa77eb9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha256-ecp224,aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ proposals = 3des-sha256-ecp224,aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
@@ -1,11 +1,11 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/critical-extension/description.txt b/testing/tests/openssl-ikev2/critical-extension/description.txt
index 8c0d37c88..4f472b83b 100644
--- a/testing/tests/openssl-ikev2/critical-extension/description.txt
+++ b/testing/tests/openssl-ikev2/critical-extension/description.txt
@@ -1,5 +1,5 @@
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
The authentication is based on <b>X.509 certificates</b> which contain a <b>critical</b> but
-unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical
+unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical
extensions by setting <b>libstrongswan.x509.enforce_critical = no</b> in strongswan.conf,
<b>sun</b> discards such certificates and aborts the connection setup.
diff --git a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
index cc904c8bc..e91ba2b82 100644
--- a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
@@ -1,6 +1,4 @@
moon::cat /var/log/daemon.log::sending end entity cert::YES
moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
sun:: cat /var/log/daemon.log::found unsupported critical X.509 extension::YES
-sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
-sun:: cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
index a72c82525..f2104c5f8 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 random nonce openssl revocation curl hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl revocation curl vici kernel-netlink socket-default updown
multiple_authentication = no
+}
+libstrongswan {
x509 {
enforce_critical = no
}
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem
index 4d99866f7..4d99866f7 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0b0aa32a5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+ esp_proposals = aes128gcm128-ecp256
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der
index 7f78d5820..7f78d5820 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der
Binary files differ
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
index d67640548..77d858547 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 random nonce openssl curl revocation hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
multiple_authentication = no
}
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem
index d8fad9aad..d8fad9aad 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bb068bdbe
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+ esp_proposals = aes128gcm128-ecp256
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der
index c1efb6719..c1efb6719 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der
Binary files differ
diff --git a/testing/tests/openssl-ikev2/critical-extension/posttest.dat b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
index 837738fc6..83cd75a5d 100644
--- a/testing/tests/openssl-ikev2/critical-extension/posttest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
@@ -1,5 +1,4 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::rm /etc/swanctl/x509/moonCert.der
+sun::rm /etc/swanctl/x509/sunCert.der
diff --git a/testing/tests/openssl-ikev2/critical-extension/pretest.dat b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
index 08ca6b54c..cc8d9d74f 100644
--- a/testing/tests/openssl-ikev2/critical-extension/pretest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
@@ -1,7 +1,7 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
-moon::ipsec up net-net
+moon::rm /etc/swanctl/x509/moonCert.pem
+sun::rm /etc/swanctl/x509/sunCert.pem
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/critical-extension/test.conf b/testing/tests/openssl-ikev2/critical-extension/test.conf
index b286ef6eb..d3016a886 100644
--- a/testing/tests/openssl-ikev2/critical-extension/test.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-
+
# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/description.txt b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
index 4f855eb1a..3bbcdfa32 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
@@ -1,11 +1,12 @@
The hosts <b>carol</b>, <b>dave</b>, and <b>moon</b> use the <b>openssl</b> plugin
based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate functions.
<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>ECDSA signatures</b>
using <b>Elliptic Curve certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+</p>
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
index 18fdacfff..a018f735d 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
@@ -1,17 +1,13 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
-moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES
carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
-dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index c562e359c..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem
index c277ba4f6..c277ba4f6 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..06c23a791
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
+
+secrets {
+
+ ecdsa-carol {
+ file = carolKey.pem
+ secret = "nH5ZQEWtku0RJEZ6"
+ }
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem
index 646f6e8e3..646f6e8e3 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 62a62a463..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ebd3a2839..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
index d94b17950..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
- signature_authentication = no
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem
index 40a76935e..40a76935e 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..f7eb029b0
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm16-ecp384
+ }
+ }
+ version = 2
+ proposals = aes256-sha384-ecp384
+ }
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem
index 35b3df49a..35b3df49a 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index c5e5e61b0..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
index 24f07b5d7..24f07b5d7 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0d99a8189
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm16-aes128gcm16-ecp384-ecp256
+ }
+ }
+ version = 2
+ proposals = aes256-aes128-sha384-sha256-ecp384-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem
index a4962286e..a4962286e 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
index 1865a1c60..3d10c0f1f 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
@@ -1,6 +1,11 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+carol::rm /etc/swanctl/ecdsa/carolKey.pem
+dave::rm /etc/swanctl/ecdsa/daveKey.pem
+moon::rm /etc/swanctl/ecdsa/moonKey.pem
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
index e87a8ee47..c86fdede5 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
@@ -1,11 +1,14 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/carolKey.pem
+dave::rm /etc/swanctl/rsa/daveKey.pem
+moon::rm /etc/swanctl/rsa/moonKey.pem
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
index 46eaccd7a..a018f735d 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
@@ -1,13 +1,13 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES
carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index c562e359c..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
index a2b5acb79..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 pkcs8 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/pkcs8/carolKey.pem
index d043dfd6d..d043dfd6d 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/pkcs8/carolKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..048f3bbf9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
+
+secrets {
+
+ pkcs8-carol {
+ file = carolKey.pem
+ secret = "nH5ZQEWtku0RJEZ6"
+ }
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509/carolCert.pem
index 646f6e8e3..646f6e8e3 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509/carolCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 62a62a463..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 56f6e6365..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem "OJlNZBx+80dLh4wC6fw5LmBd"
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
index a2b5acb79..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 pkcs8 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/pkcs8/daveKey.pem
index c32137ef9..c32137ef9 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/pkcs8/daveKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..8557928c2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm16-ecp384
+ }
+ }
+ version = 2
+ proposals = aes256-sha384-ecp384
+ }
+}
+
+
+secrets {
+
+ pkcs8-dave {
+ file = daveKey.pem
+ secret = "OJlNZBx+80dLh4wC6fw5LmBd"
+ }
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509/daveCert.pem
index 35b3df49a..35b3df49a 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509/daveCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index c5e5e61b0..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
index a2b5acb79..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 pkcs8 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
index 24f07b5d7..24f07b5d7 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0d99a8189
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm16-aes128gcm16-ecp384-ecp256
+ }
+ }
+ version = 2
+ proposals = aes256-aes128-sha384-sha256-ecp384-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509/moonCert.pem
index a4962286e..a4962286e 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509/moonCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
index 1865a1c60..ff2860e45 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
@@ -1,6 +1,11 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+carol::rm /etc/swanctl/pkcs8/carolKey.pem
+dave::rm /etc/swanctl/pkcs8/daveKey.pem
+moon::rm /etc/swanctl/ecdsa/moonKey.pem
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
index e87a8ee47..c86fdede5 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
@@ -1,11 +1,14 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/carolKey.pem
+dave::rm /etc/swanctl/rsa/daveKey.pem
+moon::rm /etc/swanctl/rsa/moonKey.pem
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat
deleted file mode 100644
index 468c5f7ee..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed.*sun <sun.strongswan.org>::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun <sun.strongswan.org>.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index fcb9d839f..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-modp3072!
- esp=aes128gcm16!
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.asc
- leftid=@#71270432cd763a18020ac988c0e75aed
- leftfirewall=yes
- right=PH_IP_SUN
- rightsubnet=10.2.0.0/16
- rightcert=sunCert.asc
- auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
deleted file mode 100644
index 135cfaec0..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID Date User ID
-pub 1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
-vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
-f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
-t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
-=oaBj
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
deleted file mode 100644
index 32f204b10..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID Date User ID
-pub 1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
-A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
-0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
-lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
-=lLvB
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
deleted file mode 100644
index 6524773e0..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
+++ /dev/null
@@ -1,19 +0,0 @@
-Type Bits/KeyID Date User ID
-sec 1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP SECRET KEY BLOCK-----
-Version: 2.6.3i
-
-lQHYA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-AAP9Fj7OaaCfTL3Met8yuS8ZGMDL/fq+4f2bM+OdPSgD4N1Fiye0B1QMCVGWI1Xd
-JXS0+9QI0A3iD12YAnYwsP50KmsLHA69AqchN7BuimoMfHDXqpTSRW57E9MCEzQ9
-FFN8mVPRiDxAUro8qCjdHmk1vmtdt/PXn1BuXHE36SzZmmMCANBA4WHaO6MJshM6
-7StRicSCxoMn/lPcj6rfJS4EaS+a0MwECxKQ3HKTpP3/+7kaWfLI/D65Xmi3cVK3
-0CPwUK8CAP2RYWoBZPSA8dBGFYwR7W6bdNYhdmGmsVCaM7v4sVr0FwHwMERadByN
-8v0n5As3ZbrCURRp68wuE+JjfOM5mO8CAM3ZK7AVlBOqkoI3X3Ji3yviLlsr2ET7
-QrVKFQBq7eUhwYFo6mVemEqQb61tGirq+qL4Wfk/7+FffZPsUyLX1amfjLQabW9v
-biA8bW9vbi5zdHJvbmdzd2FuLm9yZz4=
-=YFQm
------END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index afb1ff927..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.asc
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index aea93d234..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = openssl pem pkcs1 pgp random nonce stroke kernel-netlink socket-default updown
-}
-
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 91d6ef5d8..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-modp3072!
- esp=aes128gcm16!
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftsubnet=10.2.0.0/16
- leftcert=sunCert.asc
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightcert=moonCert.asc
- rightid=@#71270432cd763a18020ac988c0e75aed
- auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
deleted file mode 100644
index 135cfaec0..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID Date User ID
-pub 1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
-vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
-f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
-t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
-=oaBj
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
deleted file mode 100644
index 32f204b10..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID Date User ID
-pub 1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
-A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
-0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
-lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
-=lLvB
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
deleted file mode 100644
index de2393649..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
+++ /dev/null
@@ -1,19 +0,0 @@
-Type Bits/KeyID Date User ID
-sec 1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP SECRET KEY BLOCK-----
-Version: 2.6.3i
-
-lQHYA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-AAP8DHxBOQ7UeiO6cutdGSLfy6nxGf/eRR8d3dNLFKpRfy9IQxPN/yQHb8pzSQUI
-Pqi3V4PcJUJQJIMNqzzgyTyey/OdTc+IFngywRGKQowyD7vY+urVbcEDHe+sRTL1
-GvrsQGMZoXNDimABHn5NbT6Pc06xQ9rNvpCSyHMyzcylpk0CANqf96aEaryGJozg
-vSN5GlS77rPJ9Y9mU2EJs1+0BlMcb7Sy4HN2RRc/V56ZmlW2m3UbGwPqG8R9XQQ2
-LO03bTcCAPiJbTcRdA/YnZExbZPgEnV5nq8tVXTc7bz1Sw7ZWRef0iZyIQEXbwLn
-2Z2EJik9bQpkcVJSBV17cH7Av/VdIosCAKJPVoBETiVzWejIpGHHqbnmZC8P9rUs
-xAXZbNukbL3YElLeopNMyddTi6kf45/m0sb7fr7rzW/OJ7WP8mDrGPec4rQYc3Vu
-IDxzdW4uc3Ryb25nc3dhbi5vcmc+
-=DwEu
------END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index ee98b1611..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA sunKey.asc
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index aea93d234..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = openssl pem pkcs1 pgp random nonce stroke kernel-netlink socket-default updown
-}
-
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat
deleted file mode 100644
index 9a9513dc3..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/private/*
-sun::rm /etc/ipsec.d/certs/*
-sun::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat
deleted file mode 100644
index 969c42337..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
-moon::ipsec up net-net
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt b/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt
index e66ea1918..1d40e30f0 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt
@@ -2,7 +2,7 @@ A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
The authentication is based on <b>X.509 certificates</b> and an RSA private key stored in
<b>PKCS12</b> format.
<p/>
-Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat
index fe4aa5ab1..bfc7e76f1 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 195710a7f..000000000
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-modp3072!
- esp=aes128gcm16!
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 802cfc681..000000000
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: P12 moonCert.p12 "kUqd8O7mzbjXNJKQ"
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
index 2448837f3..a8ed13448 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem nonce revocation openssl curl stroke kernel-netlink socket-default updown
+ load = pem nonce revocation openssl curl vici kernel-netlink socket-default updown
multiple_authentication = no
}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12
new file mode 100644
index 000000000..365da741f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12
Binary files differ
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b11cf0f3e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-modp3072
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ pkcs12-moon {
+ file = moonCert.p12
+ secret = "kUqd8O7mzbjXNJKQ"
+ }
+}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 292fbeeb6..000000000
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-modp3072!
- esp=aes128gcm16!
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index 3dc85528c..000000000
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,8 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: P12 sunCert.p12 "IxjQVCF3JGI+MoPi"
-
-
-
-
-
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
index 2448837f3..a8ed13448 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem nonce revocation openssl curl stroke kernel-netlink socket-default updown
+ load = pem nonce revocation openssl curl vici kernel-netlink socket-default updown
multiple_authentication = no
}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12
new file mode 100644
index 000000000..e2cd2f21d
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12
Binary files differ
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..28c0e87a4
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-modp3072
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ pkcs12-sun {
+ file = sunCert.p12
+ secret = "IxjQVCF3JGI+MoPi"
+ }
+}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat
index 0fbba487c..9802f442d 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/private/moonCert.p12
-sun::rm /etc/ipsec.d/private/sunCert.p12
+moon::rm /etc/swanctl/pkcs12/moonCert.p12
+sun::rm /etc/swanctl/pkcs12/sunCert.p12
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
index 47e6d8604..22ffcf949 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
@@ -1,11 +1,9 @@
-moon::rm /etc/ipsec.d/private/moonKey.pem
-moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-sun::rm /etc/ipsec.d/private/sunKey.pem
-sun::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem x509ca/strongswanCert.pem
+sun::cd /etc/swanctl; rm rsa/sunKey.pem x509/sunCert.pem x509ca/strongswanCert.pem
moon::iptables-restore < /etc/iptables.rules
sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf
index 646b8b3e6..87abc763b 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-
+
# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/rw-cert/description.txt b/testing/tests/openssl-ikev2/rw-cert/description.txt
index b16faad06..ca738a1d4 100644
--- a/testing/tests/openssl-ikev2/rw-cert/description.txt
+++ b/testing/tests/openssl-ikev2/rw-cert/description.txt
@@ -1,11 +1,12 @@
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp</b> and <b>x509</b>.
-<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+plugins <b>aes des sha1 sha2 hmac gmp</b> and <b>x509</b>.
+<p/>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script
automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
index be78c5125..572a138a6 100644
--- a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
@@ -1,15 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 213cd70fa..000000000
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=3des-sha1-modp1536!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 8197ea8b1..996be95f5 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown
+ load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm vici kernel-netlink socket-default updown
integrity_test = yes
crypto_test {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e8504addb
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha1-modp2048
+ }
+ }
+ version = 2
+ proposals = 3des-sha1-modp2048
+ }
+}
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 653316fde..000000000
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256-sha256-modp2048!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 058abcad7..f2b8046e0 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+ load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm vici kernel-netlink socket-default updown
integrity_test = yes
crypto_test {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..27c6f12ba
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-modp3072
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072
+ }
+}
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 16299b339..000000000
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256-sha256-modp2048,3des-sha1-modp1536!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 8197ea8b1..996be95f5 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown
+ load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm vici kernel-netlink socket-default updown
integrity_test = yes
crypto_test {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..aa8d6167a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-modp3072,3des-sha1-modp2048
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072,3des-sha1-modp2048
+ }
+}
diff --git a/testing/tests/openssl-ikev2/rw-cert/posttest.dat b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
index 1865a1c60..b909ac76c 100644
--- a/testing/tests/openssl-ikev2/rw-cert/posttest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-cert/pretest.dat b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
index 974c22530..61fc17ba2 100644
--- a/testing/tests/openssl-ikev2/rw-cert/pretest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
@@ -1,12 +1,11 @@
-moon::iptables-restore < /etc/iptables.rules
+mmoon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-# moon runs crypto tests, so make sure it is ready
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/rw-cert/test.conf b/testing/tests/openssl-ikev2/rw-cert/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/rw-cert/test.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
deleted file mode 100644
index 5b525ef06..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
-carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
-carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::YES
-carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index f3d7a807c..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256!
- esp=aes128-sha256!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid="C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org"
- rightauth=any
- rightsubnet=10.1.0.0/16
- rightsendcert=never
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index 646f6e8e3..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
-zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C
-Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud
-EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+
-aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u
-Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0
-cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n
-c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA
-7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm
-q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE
-gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index c277ba4f6..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,E62D0EE78FCCAD3B03EA4F93FEFD057C
-
-CppPKxfVWWaXK3iuFa27YOe/0lWsvzhYKShyq9XanpjuCkcmxKD97eAH1TKokasH
-7ffgnKzbLloxJN6g0GMTPpfiRndeK36DyTwktkyt+h+LU1xooSmNnsaM41P0GaPB
-71Y87B5E5DCmWQO0icQKbQPj66GNwxBh9S6a8OaxnkU=
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index f5b116b3b..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = pem pkcs1 random nonce openssl curl revocation stroke kernel-netlink socket-default eap-tls updown
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
-}
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 2236a5f71..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256!
- esp=aes128-sha256!
-
-conn rw-eap
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftauth=eap-tls
- leftfirewall=yes
- rightauth=eap-tls
- rightsendcert=never
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
deleted file mode 100644
index a4962286e..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDMTCCApOgAwIBAgIBDjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMDQ0M1oXDTIzMDYxMTEyMDQ0M1owXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDUyMSBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwgZswEAYHKoZI
-zj0CAQYFK4EEACMDgYYABADF8xmbPu/a05BVtNnZflimozXZgYi+Md7hKREzL7qr
-dvtRwbyvki3XNo7zzc1HF/FcYyLJ7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcx
-JTF74PtzYGKaMWCP+YN52u3tGaOdlvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPu
-M2HRBKOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRl
-8cuEZmUGoBIWQeXSYzWq/7ou4jB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB
-7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB4G
-A1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYr
-aHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAKBggq
-hkjOPQQDAgOBiwAwgYcCQgDtARCWbIy+tdsD9EYw/oTxfrnsWP0fw1/3UKXjSAlT
-tZfJfE743Y7Zl2vqmRIeohQBYY09reTOFnUfYx/jONsTUQJBSB7w+z/CcTCQGIV8
-ISaaeAskxcg/+h87ha+5ZOkHoJDeJTqaatHu3dVx8OepEiQS0TSB9FNxj9g/9bYN
-Vjo6NkA=
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
deleted file mode 100644
index 24f07b5d7..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIAtiNgtSnZ9gKIXkKvb8f1J+ubRkBssvOaHYjv7RMvVOqw5kQGb11B
-qXHVf2Qt25/1DccijDu27YQJQLVTY0k5elSgBwYFK4EEACOhgYkDgYYABADF8xmb
-Pu/a05BVtNnZflimozXZgYi+Md7hKREzL7qrdvtRwbyvki3XNo7zzc1HF/FcYyLJ
-7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcxJTF74PtzYGKaMWCP+YN52u3tGaOd
-lvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPuM2HRBA==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4aa2068f4..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = pem pkcs1 random nonce openssl curl revocation stroke kernel-netlink socket-default eap-tls updown
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
-}
-
-libtls {
- suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-}
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
deleted file mode 100644
index 046d4cfdc..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt
deleted file mode 100644
index 26e42c4b7..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
-but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
-she ignores the repeated IKE requests sent by <b>dave</b>.
-<p/>
-After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
-connection to gateway <b>moon</b>. The authentication is based on Suite B with <b>128 bit</b>
-security based on <b>X.509 ECDSA</b> certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b>
-authenticated encryption.
-<p/>
-Upon the successful establishment of the IPsec tunnel, the static IPsec policy rules of
-an iptables-based firewall let pass the tunneled traffic. In order to test both tunnel and firewall,
-<b>carol</b> pings the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
deleted file mode 100644
index b00c4cd40..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
-carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 61e13df41..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128gcm128-prfsha256-ecp256!
- esp=aes128gcm128-ecp256!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index 646f6e8e3..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
-zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C
-Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud
-EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+
-aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u
-Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0
-cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n
-c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA
-7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm
-q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE
-gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index c8c12c3b7..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAgyh91hjqzCuAICCAAw
-HQYJYIZIAWUDBAECBBBZwepsRENncvW5UJ/blAqmBIGQZdbHnD3PWEbUXZJPkbIK
-VvJZkd2+k12IxdShMWwCeW93R+3nj+7T0NPAQqMbuqz51zgO+SuXDupUIKdLHKMy
-vdasLrbA3fe7YFVlxQjB6fB69V059ifi61OCIO/KfC7Je4ff3TZVwJcUYpduPIkQ
-BZAw46T0JtrXltFgxxGYnnTlzuYW6EDB3l6Fwb2zCyZm
------END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index d117a3001..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
-
- initiator_only = yes
- integrity_test = yes
-
- crypto_test {
- required = yes
- on_add = yes
- }
-
- plugins {
- openssl {
- fips_mode = 2
- }
- }
-}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 22fcb3eb5..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128gcm128-prfsha256-ecp256!
- esp=aes128gcm128-ecp256!
-
-conn peer
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_CAROL
- rightid=carol@strongswan.org
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem
deleted file mode 100644
index 0f6315794..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC7TCCAlCgAwIBAgIBEjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMzUyNFoXDTIzMDYxMTEyMzUyNFowXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDI1NiBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAATRc+i666sxHVohZ/4ld8ffz2xoa+x9+7TzM689nczQ
-oZMs3+AJIjjNzdjvEe6kPHW73p51IdtlVF97Ib62hgQuo4IBEzCCAQ8wCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDA3QkktCD5ZvWeiepNeQPWpcKP8
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYDVR0RBBcwFYETZGF2ZUBzdHJv
-bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
-YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMCA4GKADCBhgJBOrfM
-xT0Cn1uXVvuS977ANQZwzAX4O9y5POFXBkDKLFPL9hgWg7jxhREkDRcvViovMmiM
-EAjoEZLD8SysfYrRZxcCQXtgWTfS2GAIDSQS1of1so/8Z/xZdfoIWxRoZ/xmH7jY
-Yt3wK6yGjziEbX9LGN4MkOwkJKjEkTwbTygv7Wt3arz/
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem
deleted file mode 100644
index a4041c5fa..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEICEAikut4YuFnv6vLE/7Lk+LmQ+ic35apftbhu2+TICQoAoGCCqGSM49
-AwEHoUQDQgAE0XPouuurMR1aIWf+JXfH389saGvsffu08zOvPZ3M0KGTLN/gCSI4
-zc3Y7xHupDx1u96edSHbZVRfeyG+toYELg==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ebd3a2839..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index d117a3001..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
-
- initiator_only = yes
- integrity_test = yes
-
- crypto_test {
- required = yes
- on_add = yes
- }
-
- plugins {
- openssl {
- fips_mode = 2
- }
- }
-}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index f7044e51d..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekey=no
- reauth=no
- keyexchange=ikev2
- ike=aes128gcm128-prfsha256-ecp256!
- esp=aes128gcm128-ecp256!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem
deleted file mode 100644
index 961c8bec8..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC7jCCAlCgAwIBAgIBEzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzE0MzEzMVoXDTIzMDYxMTE0MzEzMVowXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDI1NiBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAATCqc/Wov++N8wvG3IhsEAxa38bxoIBPQZeOqMyi/lV
-breEsOSJD/POV3gkt1lKOaQ502XdJcjdAvCqjtbpzCMWo4IBEzCCAQ8wCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFAtkayAwMYDQqnlKDRvm7HNCIxY8
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYDVR0RBBcwFYITbW9vbi5zdHJv
-bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
-YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMCA4GLADCBhwJBVnfl
-l9eV6R+jNdUCuz+yDdM7c1UpQ+Qy7rtXq50KZY7d1xJsTk152LxXIkO8EJnHmO4l
-s39RHlGXItWcYGffXIICQgCLB+R8QFnMcKlgpjrxsuO/Ljg1RcMav3y3zaHJJJLT
-eJBEL7RhDaPGcJ/hKU4TPwvSEIkswQaDnN+oAZiz/gFDUw==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem
deleted file mode 100644
index c0a8c852b..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIG7fewqQ4RTIWsck4m9ftByXOl4X0va0RtYqdbiF9CAHoAoGCCqGSM49
-AwEHoUQDQgAEwqnP1qL/vjfMLxtyIbBAMWt/G8aCAT0GXjqjMov5VW63hLDkiQ/z
-zld4JLdZSjmkOdNl3SXI3QLwqo7W6cwjFg==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules
deleted file mode 100644
index cc12d1659..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
-
-# allow traffic tunnelled via IPsec
--A FORWARD -i eth0 -o eth1 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
--A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index feb5d79a6..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
-
- integrity_test = yes
-
- crypto_test {
- required = yes
- on_add = yes
- }
-
- plugins {
- openssl {
- fips_mode = 2
- }
- }
-}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat
deleted file mode 100644
index 290f57e69..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
-dave::expect-connection peer
-dave::ipsec up peer
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt
deleted file mode 100644
index b8cb4fb8b..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
-but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
-she ignores the repeated IKE requests sent by <b>dave</b>.
-<p/>
-After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
-connection to gateway <b>moon</b>. The authentication is based on Suite B with <b>192 bit</b>
-security based on <b>X.509 ECDSA</b> certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b>
-authenticated encryption.
-<p/>
-Upon the successful establishment of the IPsec tunnel, the static IPsec policy rules of
-an iptables-based firewall let pass the tunneled traffic. In order to test both tunnel and firewall,
-<b>carol</b> pings the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
deleted file mode 100644
index 3de5c94e0..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
-carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 14146ef01..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256gcm128-prfsha384-ecp384!
- esp=aes256gcm128-ecp384!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index f3f4c6671..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDDjCCAm+gAwIBAgIBETAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMzQzMloXDTIzMDYxMTEyMzQzMlowXzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDM4NCBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMHYwEAYHKoZI
-zj0CAQYFK4EEACIDYgAExm8lmoXGUfLL8xzhhQFmadz7SjPdubASbH9m+t7h30OV
-yo+NPmtve7uqrWzttyWfqR7tFSOLtP5joj8U9E580ilT/2MsjVQJpKOFpYaggPUK
-f+fhRwfQMUunyyAoIRSbo4IBFDCCARAwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gw
-HQYDVR0OBBYEFCQeIdu6skXTNWUg5w1Eb9HR1dU2MHgGA1UdIwRxMG+AFLpd+XG2
-E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
-dXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA
-9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwPAYDVR0f
-BDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2Fu
-X2VjLmNybDAKBggqhkjOPQQDAgOBjAAwgYgCQgGptTrYfjcWM+P66K5W+sq1d4X6
-E0+I2lXRKRiku2vPjpTQZJim4k4pAJNC19R2CCJMBgqab1ROUUsHMMHBNcyR/gJC
-AN6S1J68o3UTQwAyN/zXW4ur8cxsPKV9uZYoz7O6Snz+eTliz/g8NPtfLYUseCii
-VoXhdWwKkiRd8Cjck+RJHVWh
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index 713942d7f..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBDjBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQI1OV1cAp5SZcCAggA
-MB0GCWCGSAFlAwQBFgQQ1SGtVnno2vKhkF+iPT6vygSBwFZQrciZs2FN8cDI0x9c
-3OFxbaRawXnagMlpYq/To268rDFtcKGBN7JxwBaFGJw4NFrU/sOu2NkhLuA/Jbaz
-w75aQ/MjTeOtwy2PS62J/+T1zqCdfpfCJYeYCc2CPd3E21FbsW0Mmfw1b8vZ2YeS
-lsd9jvY/bob4tH68J1ZqErOLaCU0EXPgqlZiLhcDIwfZJDqrZ5xFHk3mcjB6Pc4O
-TWwJN+elQoxd29HSASw9plO2p1DRDpSZPTU67UDXDOWfJA==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index d117a3001..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
-
- initiator_only = yes
- integrity_test = yes
-
- crypto_test {
- required = yes
- on_add = yes
- }
-
- plugins {
- openssl {
- fips_mode = 2
- }
- }
-}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index b81e9b277..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256gcm128-prfsha384-ecp384!
- esp=aes256gcm128-ecp384!
-
-conn peer
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_CAROL
- rightid=carol@strongswan.org
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem
deleted file mode 100644
index 35b3df49a..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDDDCCAm2gAwIBAgIBDzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMTAzMVoXDTIzMDYxMTEyMTAzMVowXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDM4NCBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
-PQIBBgUrgQQAIgNiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0ocoAfYUe/8KzxU5
-7Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3BQu8lofvwQQxQ
-rWnu3qzwqEfwb0iB2WyjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd
-BgNVHQ4EFgQUDCdvv80iOq2pGsjrnNiQFP2RjnsweAYDVR0jBHEwb4AUul35cbYT
-tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
-eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2
-onV+Iu+miTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1
-MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l
-Yy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIBMxGGwujqlwf+JFNXW/sbxZmynwzq
-duPikzCw0wIq+YhFYJVi2YWDz0Ikfn4WUvoiUIC/uSBAJAw/3E3SHO5I4Y8CQgF2
-d6Ct2ocQwMcz5O00i3BsuOjiHvL3VB3GGG8rfIXAqwUAy4jXQo0bMh2yD+5WwKmP
-GnRyvRuhwRkbBIGt6l1mbA==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem
deleted file mode 100644
index 40a76935e..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDBz89+bQmsMHvfaCsI0N1bInZ+oxA9JZHZrAAkHGHaWFUQZFXBMB88n
-2+6S2JvUbcygBwYFK4EEACKhZANiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0oco
-AfYUe/8KzxU57Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3B
-Qu8lofvwQQxQrWnu3qzwqEfwb0iB2Ww=
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ebd3a2839..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index d117a3001..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
-
- initiator_only = yes
- integrity_test = yes
-
- crypto_test {
- required = yes
- on_add = yes
- }
-
- plugins {
- openssl {
- fips_mode = 2
- }
- }
-}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index f37dae945..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekey=no
- reauth=no
- keyexchange=ikev2
- ike=aes256gcm128-prfsha384-ecp384!
- esp=aes256gcm128-ecp384!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem
deleted file mode 100644
index a71ffdca1..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCzCCAm2gAwIBAgIBFDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzE0MzE1MVoXDTIzMDYxMTE0MzE1MVowXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDM4NCBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
-PQIBBgUrgQQAIgNiAAQBXgnLJrtT2zS6BEj4WBRskabmIw8TVo3Q4+MyOBab2jzM
-AVE44VFjo/ihd1YCeTs8KyZY+w8XPnCqm+z+Z9NeU2tN5wLlVYSBwyYzL9+Nhnam
-F6qMSaPBnIE2CK2hgqGjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd
-BgNVHQ4EFgQUT4FEmRbCvjxKsXqruiQgzC50pj0weAYDVR0jBHEwb4AUul35cbYT
-tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
-eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2
-onV+Iu+miTAeBgNVHREEFzAVghNtb29uLnN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1
-MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l
-Yy5jcmwwCgYIKoZIzj0EAwIDgYsAMIGHAkIAhHCvrcHfCJbPcNDdyT4x3F3V2wq7
-96TzcVzlLJ+zSxr3Xo3eqOZaxAlnnoI4aQIukZ0RXzSCebDrOL9+k+5uRakCQU9k
-W5MphqYKOys+lQmpKBEnzZlM1QvFfUUiXwoxN8Ilc9c0nSVXKl9m/uPgP7GZjvaE
-J4juvRKmi2nMoxWIJtMt
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem
deleted file mode 100644
index ba7520f6c..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDDuG7KDU5nek/TFvZQIxg89wevYYa1/EDyQHLFanmbK1DTx07Wv9D/b
-BL5sHWEPNMGgBwYFK4EEACKhZANiAAQBXgnLJrtT2zS6BEj4WBRskabmIw8TVo3Q
-4+MyOBab2jzMAVE44VFjo/ihd1YCeTs8KyZY+w8XPnCqm+z+Z9NeU2tN5wLlVYSB
-wyYzL9+NhnamF6qMSaPBnIE2CK2hgqE=
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules
deleted file mode 100644
index cc12d1659..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
-
-# allow traffic tunnelled via IPsec
--A FORWARD -i eth0 -o eth1 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
--A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index feb5d79a6..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
-
- integrity_test = yes
-
- crypto_test {
- required = yes
- on_add = yes
- }
-
- plugins {
- openssl {
- fips_mode = 2
- }
- }
-}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat
deleted file mode 100644
index 1865a1c60..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat
deleted file mode 100644
index 290f57e69..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
-dave::expect-connection peer
-dave::ipsec up peer
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat
index 6e427b265..a067f6ded 100644
--- a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat
+++ b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat
@@ -2,8 +2,8 @@ carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED
dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_DAVE local-port=4500 local-id=dave@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16]::YES
moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*remote-vips=\[fec3:\:1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:1/128]::YES
moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_DAVE remote-port=4500 remote-id=dave@strongswan.org.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128]::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-psk-ipv6/evaltest.dat b/testing/tests/sql/rw-psk-ipv6/evaltest.dat
index 63c8b6414..c483dec2b 100644
--- a/testing/tests/sql/rw-psk-ipv6/evaltest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=4500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
diff --git a/testing/tests/swanctl/config-payload/evaltest.dat b/testing/tests/swanctl/config-payload/evaltest.dat
index de62af271..1cc8d8240 100755
--- a/testing/tests/swanctl/config-payload/evaltest.dat
+++ b/testing/tests/swanctl/config-payload/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf
deleted file mode 100644
index 0340d5669..000000000
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-subnet 10.1.0.0 netmask 255.255.0.0 {
- option routers 10.1.0.1;
- option broadcast-address 10.1.255.255;
- option domain-name servers PH_IP_WINNETOU PH_IP_VENUS
- option netbios-name-servers PH_IP_VENUS;
-
- # dynamic address pool for visitors
- range 10.1.0.30 10.1.0.50;
-}
diff --git a/testing/tests/swanctl/frags-ipv6/evaltest.dat b/testing/tests/swanctl/frags-ipv6/evaltest.dat
index f7af441a4..61c94618b 100755
--- a/testing/tests/swanctl/frags-ipv6/evaltest.dat
+++ b/testing/tests/swanctl/frags-ipv6/evaltest.dat
@@ -11,8 +11,8 @@ carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:20 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES
-alice::ping6 -c 1 ip6-carol.strongswan.org::64 bytes from ip6-carol.strongswan.org: icmp_seq=1::YES
-alice::ping6 -c 1 ip6-dave.strongswan.org::64 bytes from ip6-dave.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 ip6-carol.strongswan.org::64 bytes from ip6-carol.strongswan.org.*: icmp_seq=1::YES
+alice::ping6 -c 1 ip6-dave.strongswan.org::64 bytes from ip6-dave.strongswan.org.*: icmp_seq=1::YES
moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/host2host-cert/description.txt b/testing/tests/swanctl/host2host-cert/description.txt
new file mode 100755
index 000000000..8f7e6e9f4
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/description.txt
@@ -0,0 +1,6 @@
+A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
+The authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/swanctl/host2host-cert/evaltest.dat b/testing/tests/swanctl/host2host-cert/evaltest.dat
new file mode 100755
index 000000000..29cd8bfbd
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/evaltest.dat
@@ -0,0 +1,6 @@
+
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..42176e76d
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+ host-host {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..eeaaeab1d
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+ host-host {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/host2host-cert/posttest.dat b/testing/tests/swanctl/host2host-cert/posttest.dat
new file mode 100755
index 000000000..3d7248cc8
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike host-host 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/host2host-cert/pretest.dat b/testing/tests/swanctl/host2host-cert/pretest.dat
new file mode 100755
index 000000000..b42dce654
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection host-host
+sun::expect-connection host-hhost
+moon::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/swanctl/host2host-cert/test.conf b/testing/tests/swanctl/host2host-cert/test.conf
new file mode 100755
index 000000000..52d886dcc
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/host2host-transport/description.txt b/testing/tests/swanctl/host2host-transport/description.txt
new file mode 100755
index 000000000..bc5a1299b
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/description.txt
@@ -0,0 +1,6 @@
+An IPsec <b>transport-mode</b> connection between the hosts <b>moon</b> and <b>sun</b>
+is successfully set up. The authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec connection, the updown script automatically
+inserts iptables-based firewall rules that let pass the protected traffic.
+In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/swanctl/host2host-transport/evaltest.dat b/testing/tests/swanctl/host2host-transport/evaltest.dat
new file mode 100755
index 000000000..8b103d087
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/evaltest.dat
@@ -0,0 +1,6 @@
+
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..c1e33eca3
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,31 @@
+connections {
+
+ host-host {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ mode = transport
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0e94678e4
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,31 @@
+connections {
+
+ host-host {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ mode = transport
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/host2host-transport/posttest.dat b/testing/tests/swanctl/host2host-transport/posttest.dat
new file mode 100755
index 000000000..3d7248cc8
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike host-host 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/host2host-transport/pretest.dat b/testing/tests/swanctl/host2host-transport/pretest.dat
new file mode 100755
index 000000000..b42dce654
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection host-host
+sun::expect-connection host-hhost
+moon::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/swanctl/host2host-transport/test.conf b/testing/tests/swanctl/host2host-transport/test.conf
new file mode 100755
index 000000000..52d886dcc
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/ip-pool-db/evaltest.dat b/testing/tests/swanctl/ip-pool-db/evaltest.dat
index 130a0b918..5133e426f 100755
--- a/testing/tests/swanctl/ip-pool-db/evaltest.dat
+++ b/testing/tests/swanctl/ip-pool-db/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES
diff --git a/testing/tests/swanctl/ip-pool/evaltest.dat b/testing/tests/swanctl/ip-pool/evaltest.dat
index 51ac523b8..36ab6c119 100755
--- a/testing/tests/swanctl/ip-pool/evaltest.dat
+++ b/testing/tests/swanctl/ip-pool/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES
moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
diff --git a/testing/tests/swanctl/ip-two-pools-db/description.txt b/testing/tests/swanctl/ip-two-pools-db/description.txt
new file mode 100755
index 000000000..4bad7b1b7
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/description.txt
@@ -0,0 +1,14 @@
+The hosts <b>alice</b>, <b>venus</b>, <b>carol</b>, and <b>dave</b> set up tunnel connections
+to gateway <b>moon</b> in a <b>hub-and-spoke</b> fashion. Each host requests a <b>virtual IP</b>
+from gateway <b>moon</b> which assigns virtual IP addresses from a pool named <b>extpool</b>
+[10.3.0.1..10.3.1.244] to hosts connecting to the <b>eth0</b> (PH_IP_MOON) interface and virtual
+IP addresses from a pool named <b>intpool</b> [10.4.0.1..10.4.1.244] to hosts connecting to
+the <b>eth1</b> (PH_IP_MOON1) interface.
+Thus <b>carol</b> and <b>dave</b> are assigned <b>PH_IP_CAROL1</b> and <b>PH_IP_DAVE1</b>,
+respectively, whereas <b>alice</b> and <b>venus</b> get <b>10.4.0.1</b> and <b>10.4.0.2</b>,
+respectively.
+<p>
+By defining the composite traffic selector <b>10.3.0.0/16,10.4.0.0/16</b>, each of the four
+spokes can securely reach any other spoke via the central hub <b>moon</b>. This is
+demonstrated by <b>alice</b> and <b>dave</b> pinging the assigned virtual IP addresses
+of <b>carol</b> and <b>venus</b>.
diff --git a/testing/tests/swanctl/ip-two-pools-db/evaltest.dat b/testing/tests/swanctl/ip-two-pools-db/evaltest.dat
new file mode 100755
index 000000000..16dc23669
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/evaltest.dat
@@ -0,0 +1,35 @@
+moon:: ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES
+moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES
+moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org 2> /dev/null::online::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
+venus::cat /var/log/daemon.log::installing new virtual IP 10.4.0.2::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+alice::cat /var/log/daemon.log::installing DNS server PH_IP_ALICE to /etc/resolv.conf::YES
+venus::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS to /etc/resolv.conf::YES
+alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
+alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
+dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+venus:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*ext.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*ext.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: swanctl --list-sas --ike-id 3 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*int.*reqid=3 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.20 remote-port=4500 remote-id=venus.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.2] child-sas.*int.*reqid=4 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.2/32]::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
+dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+dave::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+venus::tcpdump::IP moon1.strongswan.org > venus.strongswan.org: ESP::YES
+venus::tcpdump::IP venus.strongswan.org > moon1.strongswan.org: ESP::YES
+
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf
new file mode 100755
index 000000000..f021e9c96
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7dfef4e38
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 10.1.0.10
+ remote_addrs = 10.1.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.3.0.0/16,10.4.0.0/16
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..f021e9c96
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..fca6efb2e
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.3.0.0/16,10.4.0.0/16
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..f021e9c96
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..1f0b361ec
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.3.0.0/16,10.4.0.0/16
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..fba531a52
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl sqlite attr-sql kernel-netlink socket-default updown vici
+
+ plugins {
+ attr-sql {
+ database = sqlite:///etc/db.d/ipsec.db
+ }
+ }
+}
+
+pool {
+ load = sqlite
+ database = sqlite:///etc/db.d/ipsec.db
+} \ No newline at end of file
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..d719d7aad
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,48 @@
+connections {
+
+ ext {
+ local_addrs = 192.168.0.1
+ pools = extpool
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ ext {
+ local_ts = 10.3.0.0/16,10.4.0.0/16
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+
+ int {
+ local_addrs = 10.1.0.1
+ pools = intpool
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ int {
+ local_ts = 10.3.0.0/16,10.4.0.0/16
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf
new file mode 100755
index 000000000..f021e9c96
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..906b7bdea
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 10.1.0.20
+ remote_addrs = 10.1.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = venusCert.pem
+ id = venus.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.3.0.0/16,10.4.0.0/16
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/posttest.dat b/testing/tests/swanctl/ip-two-pools-db/posttest.dat
new file mode 100755
index 000000000..cbb2c2498
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/posttest.dat
@@ -0,0 +1,18 @@
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+venus::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+moon::ip route del 10.3.0.0/16 via PH_IP_MOON
+moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
+moon::ipsec pool --del extpool 2> /dev/null
+moon::ipsec pool --del intpool 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
+
diff --git a/testing/tests/swanctl/ip-two-pools-db/pretest.dat b/testing/tests/swanctl/ip-two-pools-db/pretest.dat
new file mode 100755
index 000000000..7229eee7c
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/pretest.dat
@@ -0,0 +1,30 @@
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+moon::ipsec pool --add extpool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null
+moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout 0 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
+moon::ipsec pool --statusattr 2> /dev/null
+moon::ip route add 10.3.0.0/16 via PH_IP_MOON
+moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+venus::systemctl start strongswan-swanctl
+moon::expect-connection int
+moon::expect-connection ext
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
+alice::expect-connection home
+alice::swanctl --initiate --child home 2> /dev/null
+venus::expect-connection home
+venus::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/test.conf b/testing/tests/swanctl/ip-two-pools-db/test.conf
index 05d40f98d..9394e0289 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius-pts/test.conf
+++ b/testing/tests/swanctl/ip-two-pools-db/test.conf
@@ -5,7 +5,7 @@
# All guest instances that are required for this test
#
-VIRTHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
@@ -13,20 +13,16 @@ DIAGRAM="a-v-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="moon"
+TCPDUMPHOSTS="alice venus carol dave"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="moon carol dave"
-
-# Guest instances on which FreeRadius is started
-#
-RADIUSHOSTS="alice"
+IPSECHOSTS="alice venus moon carol dave"
# Guest instances on which databases are used
#
-DBHOSTS="alice"
+DBHOSTS="moon"
# charon controlled by swanctl
#
diff --git a/testing/tests/swanctl/ip-two-pools/description.txt b/testing/tests/swanctl/ip-two-pools/description.txt
new file mode 100755
index 000000000..df9f54a66
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/description.txt
@@ -0,0 +1,9 @@
+The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
+Both hosts request a <b>virtual IP</b> via the IKEv2 configuration payload.
+Gateway <b>moon</b> assigns virtual IP addresses from <b>pool1</b> with an address range of
+<b>10.3.0.0/28</b> to hosts connecting to the <b>eth0</b> (192.168.0.1) interface and
+virtual IP addresses from <b>pool2</b> with an address range of <b>10.4.0.0/28</b> to hosts
+connecting to the <b>eth1</b> (10.1.0.1) interface.
+<p>
+Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and
+both ping the gateway <b>moon</b>.
diff --git a/testing/tests/swanctl/ip-two-pools/evaltest.dat b/testing/tests/swanctl/ip-two-pools/evaltest.dat
new file mode 100755
index 000000000..cb3b60f4d
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/evaltest.dat
@@ -0,0 +1,18 @@
+moon:: swanctl --list-pools --raw --name pool1 2> /dev/null::pool1.*base=10.3.0.0 size=14 online=1 offline=0::YES
+moon:: swanctl --list-pools --raw --name pool2 2> /dev/null::pool2.*base=10.4.0.0 size=14 online=1 offline=0::YES
+moon:: swanctl --list-pools --raw --name pool1 --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
+moon:: swanctl --list-pools --raw --name pool2 --leases 2> /dev/null::address=10.4.0.1 identity=alice@strongswan.org status=online::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.4.0.1 to peer.*alice@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[192.168.0.1/32]::YES
+alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.1.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*rw1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw2.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*rw2.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.1/32] remote-ts=\[10.4.0.1/32]::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..509fe678f
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 10.1.0.10
+ remote_addrs = 10.1.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..60b216e62
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..cf4e54024
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,55 @@
+connections {
+
+ rw1 {
+ local_addrs = 192.168.0.1
+ pools = pool1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ rw1 {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+
+ rw2 {
+ local_addrs = 10.1.0.1
+ pools = pool2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ rw2 {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+pools {
+ pool1 {
+ addrs = 10.3.0.0/28
+ }
+ pool2 {
+ addrs = 10.4.0.0/28
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools/posttest.dat b/testing/tests/swanctl/ip-two-pools/posttest.dat
new file mode 100755
index 000000000..0cfeeb120
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+alice::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/ip-two-pools/pretest.dat b/testing/tests/swanctl/ip-two-pools/pretest.dat
new file mode 100755
index 000000000..95a32febc
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+alice::expect-connection home
+alice::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf b/testing/tests/swanctl/ip-two-pools/test.conf
index f29298850..5f67b7ed5 100644..100755
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
+++ b/testing/tests/swanctl/ip-two-pools/test.conf
@@ -9,13 +9,17 @@ VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
-DIAGRAM="a-m-c-w-d.png"
+DIAGRAM="a-m-c-w.png"
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="moon"
+TCPDUMPHOSTS="carol alice"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="moon carol dave"
+IPSECHOSTS="moon carol alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2057b5193
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..aa6f98076
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+228060123456002 EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
deleted file mode 100644
index 10c26aa15..000000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
+++ /dev/null
@@ -1,3 +0,0 @@
-sim_files {
- simtriplets = "/etc/freeradius/triplets.dat"
-}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
index 91425f812..51b64a74b 100644
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
@@ -2,8 +2,19 @@ authorize {
preprocess
chap
mschap
- sim_files
+ files
suffix
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
eap {
ok = return
}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
deleted file mode 100644
index aaabab89e..000000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
-228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
-228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
-228060123456002,33000000000000000000000000000000,33112233,335566778899AABB
-228060123456002,34000000000000000000000000000000,34112233,345566778899AABB
-228060123456002,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
index e69de29bb..aa6f98076 100644
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+228060123456002 EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat
index 010a4f9c4..93b379348 100644
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat
@@ -1,4 +1,4 @@
carol::systemctl stop strongswan-swanctl
dave::systemctl stop strongswan-swanctl
moon::systemctl stop strongswan-swanctl
-alice::killall radiusd
+alice::killall freeradius
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat
index 57d39a5e6..10150f03c 100644
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat
@@ -1,10 +1,6 @@
-alice::cat /etc/freeradius/clients.conf
-alice::cat /etc/freeradius/eap.conf
-alice::cat /etc/freeradius/proxy.conf
-alice::cat /etc/freeradius/triplets.dat
carol::cat /etc/ipsec.d/triplets.dat
dave::cat /etc/ipsec.d/triplets.dat
-alice::radiusd
+alice::freeradius
moon::systemctl start strongswan-swanctl
carol::systemctl start strongswan-swanctl
dave::systemctl start strongswan-swanctl
diff --git a/testing/tests/swanctl/nat-rw-psk/description.txt b/testing/tests/swanctl/nat-rw-psk/description.txt
new file mode 100644
index 000000000..7754c7f39
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Each roadwarrior shares its own Pre-Shared Key (PSK) with the gateway <b>sun</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/swanctl/nat-rw-psk/evaltest.dat b/testing/tests/swanctl/nat-rw-psk/evaltest.dat
new file mode 100644
index 000000000..cd171e8c9
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/evaltest.dat
@@ -0,0 +1,14 @@
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon:: sleep 6::no output expected::NO
+bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=10.1.0.10 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=10.1.0.20 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.10.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
+sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.20.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
+alice::cat /var/log/daemon.log::sending keep alive::YES
+venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..fd9bf8c7c
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+ keep_alive = 5
+}
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..2d601c122
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ nat-t {
+ local_addrs = 10.1.0.10
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = psk
+ id = 10.1.0.10
+ }
+ remote {
+ auth = psk
+ id = 192.168.0.2
+ }
+ children {
+ nat-t {
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+ ike-sun {
+ id = 192.168.0.2
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+}
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..7625e5066
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..f7a542d4d
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ nat-t {
+ local_addrs = 192.168.0.2
+
+ local {
+ auth = psk
+ id = 192.168.0.2
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ nat-t {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+ ike-alice {
+ id = 10.1.0.10
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+ ike-venus {
+ id = 10.1.0.20
+ secret = 0s8PjpI8z+Ym5A9zPvh7+opyyV9NcZp8Br
+ }
+}
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..fd9bf8c7c
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+ keep_alive = 5
+}
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..654489dfc
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ nat-t {
+ local_addrs = 10.1.0.20
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = psk
+ id = 10.1.0.20
+ }
+ remote {
+ auth = psk
+ id = 192.168.0.2
+ }
+ children {
+ nat-t {
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+ ike-sun {
+ id = 192.168.0.2
+ secret = 0s8PjpI8z+Ym5A9zPvh7+opyyV9NcZp8Br
+ }
+}
+
diff --git a/testing/tests/swanctl/nat-rw-psk/posttest.dat b/testing/tests/swanctl/nat-rw-psk/posttest.dat
new file mode 100644
index 000000000..a41653640
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/posttest.dat
@@ -0,0 +1,7 @@
+sun::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+venus::systemctl stop strongswan-swanctl
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
diff --git a/testing/tests/swanctl/nat-rw-psk/pretest.dat b/testing/tests/swanctl/nat-rw-psk/pretest.dat
new file mode 100644
index 000000000..906c5b006
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/pretest.dat
@@ -0,0 +1,16 @@
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+alice::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
+venus::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
+sun::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+sun::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+venus::systemctl start strongswan-swanctl
+sun::expect-connection nat-t
+alice::expect-connection nat-t
+alice::swanctl --initiate --child nat-t
+venus::expect-connection nat-t
+venus::swanctl --initiate --child nat-t
diff --git a/testing/tests/swanctl/nat-rw-psk/test.conf b/testing/tests/swanctl/nat-rw-psk/test.conf
new file mode 100644
index 000000000..ecc95b837
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/nat-rw/description.txt b/testing/tests/swanctl/nat-rw/description.txt
new file mode 100644
index 000000000..1ee91b74d
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/swanctl/nat-rw/evaltest.dat b/testing/tests/swanctl/nat-rw/evaltest.dat
new file mode 100644
index 000000000..ae6aaed33
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/evaltest.dat
@@ -0,0 +1,14 @@
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon:: sleep 6::no output expected::NO
+bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
+sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
+alice::cat /var/log/daemon.log::sending keep alive::YES
+venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..fd9bf8c7c
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+ keep_alive = 5
+}
diff --git a/testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..61f769637
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ nat-t {
+ local_addrs = 10.1.0.10
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ nat-t {
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..7625e5066
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..637260de8
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ nat-t {
+ local_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ nat-t {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..fd9bf8c7c
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+ keep_alive = 5
+}
diff --git a/testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0ea7c4055
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ nat-t {
+ local_addrs = 10.1.0.20
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = venusCert.pem
+ id = venus.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ nat-t {
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/nat-rw/posttest.dat b/testing/tests/swanctl/nat-rw/posttest.dat
new file mode 100644
index 000000000..a41653640
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/posttest.dat
@@ -0,0 +1,7 @@
+sun::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+venus::systemctl stop strongswan-swanctl
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
diff --git a/testing/tests/swanctl/nat-rw/pretest.dat b/testing/tests/swanctl/nat-rw/pretest.dat
new file mode 100644
index 000000000..63c9d359e
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/pretest.dat
@@ -0,0 +1,13 @@
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+sun::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+venus::systemctl start strongswan-swanctl
+sun::expect-connection nat-t
+alice::expect-connection nat-t
+alice::swanctl --initiate --child nat-t
+venus::expect-connection nat-t
+venus::swanctl --initiate --child nat-t
diff --git a/testing/tests/swanctl/nat-rw/test.conf b/testing/tests/swanctl/nat-rw/test.conf
new file mode 100644
index 000000000..ecc95b837
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt b/testing/tests/swanctl/net2net-psk/description.txt
index bd680b57a..e064a99de 100644..100755
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt
+++ b/testing/tests/swanctl/net2net-psk/description.txt
@@ -1,6 +1,7 @@
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>OpenPGP V3 keys</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+The authentication is based on <b>Preshared Keys</b> (PSK).
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/swanctl/net2net-psk/evaltest.dat b/testing/tests/swanctl/net2net-psk/evaltest.dat
new file mode 100755
index 000000000..4c56d5299
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/evaltest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..5e2480ee2
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,55 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = psk
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+ ike-1 {
+ id-1 = moon.strongswan.org
+ secret = 0x45a30759df97dc26a15b88ff
+ }
+ ike-2 {
+ id-2 = sun.strongswan.org
+ secret = "This is a strong password"
+ }
+ ike-3 {
+ id-3a = moon.strongswan.org
+ id-3b =sun.strongswan.org
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+ ike-4 {
+ secret = 'My "home" is my "castle"!'
+ }
+ ike-5 {
+ id-5 = 192.168.0.1
+ secret = "Andi's home"
+ }
+} \ No newline at end of file
diff --git a/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b6fc72b7a
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+ ike-1 {
+ id-moon = moon.strongswan.org
+ id-sun =sun.strongswan.org
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+}
diff --git a/testing/tests/swanctl/net2net-psk/posttest.dat b/testing/tests/swanctl/net2net-psk/posttest.dat
new file mode 100755
index 000000000..755f0e5f8
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/net2net-psk/pretest.dat b/testing/tests/swanctl/net2net-psk/pretest.dat
new file mode 100755
index 000000000..e82d539fb
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+sun::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/swanctl/net2net-psk/test.conf b/testing/tests/swanctl/net2net-psk/test.conf
new file mode 100755
index 000000000..07a3b247a
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-cert-pss/evaltest.dat b/testing/tests/swanctl/rw-cert-pss/evaltest.dat
index a62fda968..c4106c678 100755
--- a/testing/tests/swanctl/rw-cert-pss/evaltest.dat
+++ b/testing/tests/swanctl/rw-cert-pss/evaltest.dat
@@ -1,7 +1,7 @@
-carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256 successful::YES
-moon ::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256 successful::YES
-moon ::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA_EMSA_PSS_SHA2_512 successful::YES
-moon ::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA_EMSA_PSS_SHA2_384 successful::YES
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256_SALT_32 successful::YES
+dave ::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256_SALT_32 successful::YES
+moon ::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA_EMSA_PSS_SHA2_512_SALT_64 successful::YES
+moon ::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA_EMSA_PSS_SHA2_384_SALT_48 successful::YES
alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
diff --git a/testing/tests/swanctl/rw-cert/description.txt b/testing/tests/swanctl/rw-cert/description.txt
index 6af7a39ae..f190c0752 100755
--- a/testing/tests/swanctl/rw-cert/description.txt
+++ b/testing/tests/swanctl/rw-cert/description.txt
@@ -1,5 +1,6 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+<p/>
Upon the successful establishment of the IPsec tunnels, the updown script
automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt b/testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt
new file mode 100644
index 000000000..c39829dd5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt
@@ -0,0 +1,11 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method used in UMTS, but here a secret defined in <b>swanctl.conf</b>
+is used instead of a USIM/(R)UIM device.
+<p/>
+In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior <b>carol</b>
+uses the EAP identity <b>carol</b>.
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat
new file mode 100644
index 000000000..a655543f9
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..1582b2b01
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..4aabbaba1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ eap_id = carol
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol
+ secret = "Ar3etTnp01qlpOgb"
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1582b2b01
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..d68d1f474
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-aka
+ eap_id = %any
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol
+ secret = "Ar3etTnp01qlpOgb"
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat
new file mode 100644
index 000000000..8cc1c4dc5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf
index 4a5fc470f..97b89cb61 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf
@@ -5,11 +5,11 @@
# All guest instances that are required for this test
#
-VIRTHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice carol moon"
# Corresponding block diagram
#
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="a-m-c.png"
# Guest instances on which tcpdump is to be started
#
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/description.txt b/testing/tests/swanctl/rw-eap-aka-rsa/description.txt
new file mode 100644
index 000000000..0138e35f5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/description.txt
@@ -0,0 +1,8 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method used in UMTS, but here a secret defined in <b>swanctl.conf</b>
+is used instead of a USIM/(R)UIM device.
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat
new file mode 100644
index 000000000..0d4f74197
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..4d4fc3583
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf
index ff58c7c9a..e3d6e50c0 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -2,34 +2,33 @@ connections {
home {
local_addrs = 192.168.0.100
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
local {
auth = eap
- aaa_id = aaa.strongswan.org
id = carol@strongswan.org
}
remote {
- auth = pubkey
- id = moon.strongswan.org
+ auth = pubkey
+ id = moon.strongswan.org
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
- proposals = aes128-sha256-modp3072
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
+ eap-carol {
id = carol@strongswan.org
- secret = "Ar3etTnp"
+ secret = "Ar3etTnp01qlpOgb"
}
}
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4d4fc3583
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..609309f05
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-aka
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp01qlpOgb"
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat
new file mode 100644
index 000000000..8cc1c4dc5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf b/testing/tests/swanctl/rw-eap-aka-rsa/test.conf
index c3f38054b..97b89cb61 100644
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/test.conf
@@ -5,11 +5,11 @@
# All guest instances that are required for this test
#
-VIRTHOSTS="alice moon carol dave winnetou"
+VIRTHOSTS="alice carol moon"
# Corresponding block diagram
#
-DIAGRAM="a-m-c-w-d.png"
+DIAGRAM="a-m-c.png"
# Guest instances on which tcpdump is to be started
#
@@ -18,4 +18,8 @@ TCPDUMPHOSTS="moon"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="moon carol dave"
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt b/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt
new file mode 100644
index 000000000..42db2e199
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt
@@ -0,0 +1,10 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>MD5</i> (<b>EAP-MD5</b>) method of the
+<i>Extensible Authentication Protocol</i> to authenticate herself.
+<p/>
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>.
+In addition to her IKEv2 identity<b>carol@strongswan.org</b>, roadwarrior
+<b>carol</b> uses the EAP identity <b>carol</b>.
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat
new file mode 100644
index 000000000..3080ec15a
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
index dd0825858..dd0825858 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..d2cc789b3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..590a2b7cf
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ eap_id = carol
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol
+ secret = Ar3etTnp
+ }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules
index 1eb755354..1eb755354 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fa363c345
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..9a59fc15e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ eap_id = %any
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat
new file mode 100644
index 000000000..f32a56960
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat
new file mode 100644
index 000000000..84ba602c4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11-supplicant/test.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/test.conf
index 2069e4aa5..0d9e9f3d4 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/test.conf
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/test.conf
@@ -5,20 +5,20 @@
# All guest instances that are required for this test
#
-VIRTHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice carol moon"
# Corresponding block diagram
#
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="a-m-c.png"
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS=
+TCPDUMPHOSTS="moon"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="carol dave"
+IPSECHOSTS="moon carol"
# Guest instances on which FreeRadius is started
#
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/description.txt b/testing/tests/swanctl/rw-eap-md5-radius/description.txt
new file mode 100644
index 000000000..f0f241dc1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>MD5</i> (<b>EAP-MD5</b>) method of the
+<i>Extensible Authentication Protocol</i> to authenticate herself.
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>. \ No newline at end of file
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat
new file mode 100644
index 000000000..09a78be83
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
index dd0825858..dd0825858 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e57629f2e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf
index ff58c7c9a..158c26b72 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -2,34 +2,33 @@ connections {
home {
local_addrs = 192.168.0.100
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
local {
auth = eap
- aaa_id = aaa.strongswan.org
id = carol@strongswan.org
}
remote {
- auth = pubkey
- id = moon.strongswan.org
+ auth = pubkey
+ id = moon.strongswan.org
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
- proposals = aes128-sha256-modp3072
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
+ eap-carol {
id = carol@strongswan.org
- secret = "Ar3etTnp"
+ secret = Ar3etTnp
}
}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules
index 1eb755354..1eb755354 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf
index 28b32b74c..ad6d62896 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -1,27 +1,27 @@
connections {
- rw {
+ rw-eap {
local_addrs = 192.168.0.1
local {
- auth = pubkey
- id = moon.strongswan.org
+ auth = pubkey
certs = moonCert.pem
+ id = moon.strongswan.org
}
remote {
auth = eap-radius
id = *@strongswan.org
}
children {
- rw {
- local_ts = 10.1.0.0/16
+ net {
+ local_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
send_certreq = no
- proposals = aes128-sha256-modp3072
+ proposals = aes128-sha256-x25519
}
}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat b/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat
new file mode 100644
index 000000000..f32a56960
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat b/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat
new file mode 100644
index 000000000..84ba602c4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/test.conf b/testing/tests/swanctl/rw-eap-md5-radius/test.conf
new file mode 100644
index 000000000..0d9e9f3d4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/test.conf
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/description.txt b/testing/tests/swanctl/rw-eap-md5-rsa/description.txt
new file mode 100644
index 000000000..08fd89b65
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>MD5</i> (<b>EAP-MD5</b>) method of the
+<i>Extensible Authentication Protocol</i> to authenticate herself.
+
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat
new file mode 100644
index 000000000..c0026af4f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e57629f2e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..158c26b72
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e57629f2e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..13816d778
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,39 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-md5
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = W7R0g3do
+ }
+}
+
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat
new file mode 100644
index 000000000..8cc1c4dc5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/test.conf b/testing/tests/swanctl/rw-eap-md5-rsa/test.conf
new file mode 100644
index 000000000..97b89cb61
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt
new file mode 100644
index 000000000..95afc08b5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt
@@ -0,0 +1,10 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Microsoft CHAP version 2</i> (<b>EAP-MSCHAPV2</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method is used e.g. by the Windows 7/8/10 Agile VPN client.
+<p/>
+In addition to her IKEv2 identity which defaults to her IP address,
+roadwarrior <b>carol</b> uses the EAP identity <b>carol</b>.
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat
new file mode 100644
index 000000000..a1c2d4e88
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat
@@ -0,0 +1,11 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*carol
+moon:: cat /var/log/daemon.log::EAP method EAP_MSCHAPV2 succeeded, no MSK established
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100 remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..d9210aeb5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf
index 1516ad726..1b5c5d99f 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -6,8 +6,7 @@ connections {
local {
auth = eap
- aaa_id = aaa.strongswan.org
- id = carol@strongswan.org
+ eap_id = carol
}
remote {
auth = pubkey
@@ -18,18 +17,18 @@ connections {
remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-ecp256
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
- proposals = aes128-sha256-ecp256
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
- id = carol@strongswan.org
- secret = "Ar3etTnp"
+ eap-carol {
+ id = carol
+ secret = Ar3etTnp
}
}
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..d9210aeb5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..d7c1f68ce
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-mschapv2
+ eap_id = %any
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol
+ secret = Ar3etTnp
+ }
+ eap-dave {
+ id = dave
+ secret = W7R0g3do
+ }
+}
+
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat
new file mode 100644
index 000000000..8cc1c4dc5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf
new file mode 100644
index 000000000..97b89cb61
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt b/testing/tests/swanctl/rw-eap-peap-md5/description.txt
index d5f0b267a..7f9ade88a 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt
+++ b/testing/tests/swanctl/rw-eap-peap-md5/description.txt
@@ -1,10 +1,10 @@
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-The strong mutual authentication is based on <b>EAP-TTLS</b> only (without a separate IKEv2
+The strong mutual authentication is based on <b>EAP-PEAP</b> only (without a separate IKEv2
authentication) with the gateway being authenticated by a server certificate during the
-EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client
-authentication based on <b>EAP-MD5</b> (phase2 of EAP-TTLS).
+EAP-TLS tunnel setup (phase1 of EAP-PEAP). This tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b> (phase2 of EAP-PEAP).
<p/>
-With the setting <b>charon.plugins.eap-ttls.phase2_piggyback = yes</b> the server <b>moon</b>
-initiates phase2 of the EAP-TTLS protocol by piggybacking a tunneled EAP Identity request
+With the setting <b>charon.plugins.eap-peap.phase2_piggyback = yes</b> the server <b>moon</b>
+initiates phase2 of the EAP-PEAP protocol by piggybacking a tunneled EAP Identity request
right onto the TLS Finished message. Client <b>carol</b> presents the correct MD5 password
and succeeds whereas client <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat b/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat
new file mode 100644
index 000000000..20ec1561e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat
@@ -0,0 +1,17 @@
+carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..733ab2afb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf
index 0f266dd93..db82791b8 100644..100755
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
home {
local_addrs = 192.168.0.100
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
local {
- auth = eap-ttls
+ auth = eap
id = carol@strongswan.org
}
remote {
- auth = eap-ttls
- id = moon.strongswan.org
+ auth = eap-peap
+ id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
send_certreq = no
- proposals = aes128-sha256-modp3072
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
+ eap-carol {
id = carol@strongswan.org
- secret = "Ar3etTnp"
+ secret = Ar3etTnp
}
}
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..733ab2afb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf
index 989ab88c7..7f3b8104b 100644..100755
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
home {
local_addrs = 192.168.0.200
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
local {
- auth = eap-ttls
+ auth = eap
id = dave@strongswan.org
}
remote {
- auth = eap-ttls
- id = moon.strongswan.org
+ auth = eap-peap
+ id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
send_certreq = no
- proposals = aes128-sha256-modp3072
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
+ eap-dave {
id = dave@strongswan.org
- secret = "W7R0g3do"
+ secret = UgaM65Va
}
}
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4b5445999
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,22 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+ plugins {
+ eap-peap {
+ phase2_method = md5
+ phase2_piggyback = yes
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0bb3bfd28
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,37 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-peap
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-peap
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = W7R0g3do
+ }
+}
diff --git a/testing/tests/tnc/tnccs-11-fhh/posttest.dat b/testing/tests/swanctl/rw-eap-peap-md5/posttest.dat
index 199873ba1..199873ba1 100644
--- a/testing/tests/tnc/tnccs-11-fhh/posttest.dat
+++ b/testing/tests/swanctl/rw-eap-peap-md5/posttest.dat
diff --git a/testing/tests/tnc/tnccs-20-fhh/pretest.dat b/testing/tests/swanctl/rw-eap-peap-md5/pretest.dat
index 79340af29..9ae476e64 100644
--- a/testing/tests/tnc/tnccs-20-fhh/pretest.dat
+++ b/testing/tests/swanctl/rw-eap-peap-md5/pretest.dat
@@ -1,19 +1,12 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
moon::systemctl start strongswan-swanctl
carol::systemctl start strongswan-swanctl
dave::systemctl start strongswan-swanctl
-moon::expect-connection rw-allow
+moon::expect-connection rw-eap
carol::expect-connection home
carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf b/testing/tests/swanctl/rw-eap-peap-md5/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf
+++ b/testing/tests/swanctl/rw-eap-peap-md5/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt b/testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt
new file mode 100644
index 000000000..ef2d24f2f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The strong mutual authentication is based on <b>EAP-PEAP</b> only (without a separate IKEv2
+authentication) with the gateway being authenticated by a server certificate during the
+EAP-TLS tunnel setup (phase1 of EAP-PEAP). This tunnel protects the ensuing weak client
+authentication based on <b>EAP-MSCHAPv2</b> (phase2 of EAP-PEAP).
+<p/>
+Client <b>carol</b> presents the correct MSCHAPv2 password and succeeds whereas client
+<b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat
new file mode 100644
index 000000000..dc56ba850
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat
@@ -0,0 +1,17 @@
+carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..6f227cc3a
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..db82791b8
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-peap
+ id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..6f227cc3a
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf
index 5af2098b6..7f3b8104b 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
home {
local_addrs = 192.168.0.200
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
local {
auth = eap
- aaa_id = aaa.strongswan.org
id = dave@strongswan.org
}
remote {
- auth = pubkey
- id = moon.strongswan.org
+ auth = eap-peap
+ id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
- proposals = aes128-sha256-modp3072
+ send_certreq = no
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
+ eap-dave {
id = dave@strongswan.org
- secret = "W7R0g3do"
+ secret = UgaM65Va
}
}
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..3b498d93b
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,21 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+ plugins {
+ eap-peap {
+ phase2_method = mschapv2
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0bb3bfd28
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,37 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-peap
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-peap
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = W7R0g3do
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-fhh/posttest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat
index 199873ba1..199873ba1 100644
--- a/testing/tests/tnc/tnccs-20-fhh/posttest.dat
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat
diff --git a/testing/tests/tnc/tnccs-11-fhh/pretest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat
index 79340af29..9ae476e64 100644
--- a/testing/tests/tnc/tnccs-11-fhh/pretest.dat
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat
@@ -1,19 +1,12 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
moon::systemctl start strongswan-swanctl
carol::systemctl start strongswan-swanctl
dave::systemctl start strongswan-swanctl
-moon::expect-connection rw-allow
+moon::expect-connection rw-eap
carol::expect-connection home
carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/description.txt b/testing/tests/swanctl/rw-eap-peap-radius/description.txt
new file mode 100644
index 000000000..004068226
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> and <b>dave</b> et up an <b>EAP-PEAP</b> tunnel each via
+gateway <b>moon</b> to the RADIUS server <b>alice</b> authenticated by an X.509
+AAA certificate. The strong EAP-PEAP tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b>. <b>carol</b> presents the correct MD5 password
+and succeeds whereas <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat
new file mode 100644
index 000000000..291e249da
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat
@@ -0,0 +1,17 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..0ae8befe4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,21 @@
+eap {
+ md5 {
+ }
+ default_eap_type = peap
+
+ tls-config tls-common {
+ private_key_file = ${certdir}/aaaKey.pem
+ certificate_file = ${certdir}/aaaCert.pem
+ ca_file = ${cadir}/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = ${certdir}/dh
+ random_file = ${certdir}/random
+ }
+
+ peap {
+ tls = tls-common
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..6ce9d6391
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
@@ -0,0 +1,38 @@
+server inner-tunnel {
+
+authorize {
+ filter_username
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ update outer.session-state {
+ &Module-Failure-Message := &request:Module-Failure-Message
+ }
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
index 31556361e..11d3e2acd 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
@@ -1,7 +1,7 @@
eap {
md5 {
}
- default_eap_type = ttls
+ default_eap_type = peap
tls {
private_key_file = /etc/raddb/certs/aaaKey.pem
certificate_file = /etc/raddb/certs/aaaCert.pem
@@ -10,16 +10,9 @@ eap {
dh_file = /etc/raddb/certs/dh
random_file = /etc/raddb/certs/random
}
- ttls {
+ peap {
default_eap_type = md5
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
- tnc_virtual_server = "inner-tunnel-second"
}
}
-
-eap eap_tnc {
- default_eap_type = tnc
- tnc {
- }
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
index dd0825858..dd0825858 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..cb7743f82
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7ffdd1f4c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..cb7743f82
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf
index 07b35dcb9..97c0b7057 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
home {
local_addrs = 192.168.0.200
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
local {
auth = eap
- aaa_id = aaa.strongswan.org
id = dave@strongswan.org
+ aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
}
remote {
- auth = pubkey
- id = moon.strongswan.org
+ auth = pubkey
+ id = moon.strongswan.org
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-ecp256
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
- proposals = aes128-sha256-ecp256
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
+ eap-dave {
id = dave@strongswan.org
- secret = "W7R0g3do"
+ secret = UgaM65Va
}
}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
index 1eb755354..1eb755354 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ad6d62896
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat b/testing/tests/swanctl/rw-eap-peap-radius/posttest.dat
index 0d96563c1..96b011090 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
+++ b/testing/tests/swanctl/rw-eap-peap-radius/posttest.dat
@@ -1,8 +1,7 @@
carol::systemctl stop strongswan-swanctl
dave::systemctl stop strongswan-swanctl
moon::systemctl stop strongswan-swanctl
-alice::killall radiusd
-alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat b/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat
new file mode 100644
index 000000000..ff5f6e164
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11-radius-block/test.conf b/testing/tests/swanctl/rw-eap-peap-radius/test.conf
index 8d7f51449..0e5512b65 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/test.conf
+++ b/testing/tests/swanctl/rw-eap-peap-radius/test.conf
@@ -5,11 +5,11 @@
# All guest instances that are required for this test
#
-VIRTHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice carol winnetou dave moon"
# Corresponding block diagram
#
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="a-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/description.txt b/testing/tests/swanctl/rw-eap-sim-id-radius/description.txt
new file mode 100644
index 000000000..41abb363c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/description.txt
@@ -0,0 +1,13 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+which also uses static triplets. In addition to her IKEv2 identity
+<b>carol@strongswan.org</b>, roadwarrior <b>carol</b> uses the EAP
+identity <b>228060123456001</b>.
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat
new file mode 100644
index 000000000..038a2c1e1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=228060123456001.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2057b5193
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..1c281a974
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..783587b55
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm LOCAL {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..1dc666992
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,53 @@
+authorize {
+ files
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
+ eap {
+ ok = return
+ }
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..1c281a974
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
index c167ba940..c167ba940 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..11ae80c1e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..2576209ef
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ eap_id=228060123456001
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
index 3d99c0197..1eb755354 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
@@ -22,11 +22,11 @@
-A OUTPUT -p tcp --sport 22 -j ACCEPT
# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-# allow traffic tunnelled via IPsec
--A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
--A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
COMMIT
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fa363c345
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..682136230
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ eap_id = %any
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat
new file mode 100644
index 000000000..f32a56960
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat
new file mode 100644
index 000000000..5d875ee77
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat
@@ -0,0 +1,10 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+carol::cat /etc/ipsec.d/triplets.dat
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/test.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/test.conf
new file mode 100644
index 000000000..0d9e9f3d4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/test.conf
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/description.txt b/testing/tests/swanctl/rw-eap-sim-only-radius/description.txt
new file mode 100644
index 000000000..26de3c982
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/description.txt
@@ -0,0 +1,15 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+At the outset the gateway does not send an AUTH payload thus signalling
+a mutual <b>EAP-only</b> authentication.
+<p/>
+Next the clients use the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate themselves.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+which also uses static triplets.
+<p/>
+The roadwarrior <b>dave</b> sends wrong EAP-SIM triplets. As a consequence
+the RADIUS server <b>alice</b> returns an <b>Access-Reject</b> message
+and the gateway <b>moon</b> sends back <b>EAP_FAILURE</b>.
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat
new file mode 100644
index 000000000..3d3359775
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat
@@ -0,0 +1,13 @@
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..71fa4f18c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..51b64a74b
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,72 @@
+authorize {
+ preprocess
+ chap
+ mschap
+ files
+ suffix
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
+ eap {
+ ok = return
+ }
+ unix
+ files
+ expiration
+ logintime
+ pap
+}
+
+authenticate {
+ Auth-Type PAP {
+ pap
+ }
+ Auth-Type CHAP {
+ chap
+ }
+ Auth-Type MS-CHAP {
+ mschap
+ }
+ unix
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat
index 3e9a644eb..83906807f 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat
@@ -1,6 +1,3 @@
carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
-dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
-dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
-dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bcd8ef0e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..a73f3003c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..a02a42c0d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+dave@strongswan.org,33000000000000000000000000000000,33112244,335566778899AABB
+dave@strongswan.org,34000000000000000000000000000000,34112244,345566778899AABB
+dave@strongswan.org,35000000000000000000000000000000,35112244,355566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..bcd8ef0e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0b1ffc462
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules
index 3d99c0197..1eb755354 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules
@@ -22,11 +22,11 @@
-A OUTPUT -p tcp --sport 22 -j ACCEPT
# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-# allow traffic tunnelled via IPsec
--A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
--A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
COMMIT
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..09a2a5358
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/posttest.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat
index 0d96563c1..96b011090 100644
--- a/testing/tests/tnc/tnccs-11-radius/posttest.dat
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat
@@ -1,8 +1,7 @@
carol::systemctl stop strongswan-swanctl
dave::systemctl stop strongswan-swanctl
moon::systemctl stop strongswan-swanctl
-alice::killall radiusd
-alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat
new file mode 100644
index 000000000..66c829747
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat
@@ -0,0 +1,16 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+carol::cat /etc/ipsec.d/triplets.dat
+dave::cat /etc/ipsec.d/triplets.dat
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11-radius/test.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/test.conf
index 8d7f51449..93f23f1d6 100644
--- a/testing/tests/tnc/tnccs-11-radius/test.conf
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/test.conf
@@ -5,11 +5,11 @@
# All guest instances that are required for this test
#
-VIRTHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="a-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/description.txt b/testing/tests/swanctl/rw-eap-sim-radius/description.txt
new file mode 100644
index 000000000..5cb1bacdc
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/description.txt
@@ -0,0 +1,15 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next the clients use the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate themselves.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+which also uses static triplets.
+<p/>
+The roadwarrior <b>dave</b> sends wrong EAP-SIM triplets. As a consequence
+the RADIUS server <b>alice</b> returns an <b>Access-Reject</b> message
+and the gateway <b>moon</b> sends back <b>EAP_FAILURE</b>.
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat
new file mode 100644
index 000000000..476e4e1fc
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat
@@ -0,0 +1,13 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..71fa4f18c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..51b64a74b
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,72 @@
+authorize {
+ preprocess
+ chap
+ mschap
+ files
+ suffix
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
+ eap {
+ ok = return
+ }
+ unix
+ files
+ expiration
+ logintime
+ pap
+}
+
+authenticate {
+ Auth-Type PAP {
+ pap
+ }
+ Auth-Type CHAP {
+ chap
+ }
+ Auth-Type MS-CHAP {
+ mschap
+ }
+ unix
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat
index 3e9a644eb..83906807f 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat
@@ -1,6 +1,3 @@
carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
-dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
-dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
-dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bcd8ef0e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..1433bb561
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..a02a42c0d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+dave@strongswan.org,33000000000000000000000000000000,33112244,335566778899AABB
+dave@strongswan.org,34000000000000000000000000000000,34112244,345566778899AABB
+dave@strongswan.org,35000000000000000000000000000000,35112244,355566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..bcd8ef0e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e573c9933
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules
index 3d99c0197..1eb755354 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules
@@ -22,11 +22,11 @@
-A OUTPUT -p tcp --sport 22 -j ACCEPT
# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-# allow traffic tunnelled via IPsec
--A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
--A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
COMMIT
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e11667564
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat b/testing/tests/swanctl/rw-eap-sim-radius/posttest.dat
index ab96df0ed..96b011090 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
+++ b/testing/tests/swanctl/rw-eap-sim-radius/posttest.dat
@@ -1,9 +1,7 @@
carol::systemctl stop strongswan-swanctl
dave::systemctl stop strongswan-swanctl
moon::systemctl stop strongswan-swanctl
-alice::killall radiusd
-alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
-carol::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/pretest.dat b/testing/tests/swanctl/rw-eap-sim-radius/pretest.dat
new file mode 100644
index 000000000..66c829747
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/pretest.dat
@@ -0,0 +1,16 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+carol::cat /etc/ipsec.d/triplets.dat
+dave::cat /etc/ipsec.d/triplets.dat
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20-fhh/test.conf b/testing/tests/swanctl/rw-eap-sim-radius/test.conf
index f6db73912..93f23f1d6 100644
--- a/testing/tests/tnc/tnccs-20-fhh/test.conf
+++ b/testing/tests/swanctl/rw-eap-sim-radius/test.conf
@@ -5,11 +5,11 @@
# All guest instances that are required for this test
#
-VIRTHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="a-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
@@ -22,7 +22,7 @@ IPSECHOSTS="moon carol dave"
# Guest instances on which FreeRadius is started
#
-RADIUSHOSTS=
+RADIUSHOSTS="alice"
# charon controlled by swanctl
#
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/description.txt b/testing/tests/swanctl/rw-eap-sim-rsa/description.txt
new file mode 100644
index 000000000..4401e679f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/description.txt
@@ -0,0 +1,8 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat
new file mode 100644
index 000000000..1e967896e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..83906807f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
+carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
+carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bcd8ef0e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..1433bb561
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..83906807f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
+carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
+carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bcd8ef0e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..6028df452
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-sim
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat
new file mode 100644
index 000000000..8cc1c4dc5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/test.conf b/testing/tests/swanctl/rw-eap-sim-rsa/test.conf
new file mode 100644
index 000000000..97b89cb61
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt b/testing/tests/swanctl/rw-eap-tls-only/description.txt
index e25da6935..b3e0450a4 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt
+++ b/testing/tests/swanctl/rw-eap-tls-only/description.txt
@@ -1,5 +1,4 @@
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
The strong mutual authentication of both peers is based on <b>EAP-TLS</b> only
(without a separate IKEv2 authentication), using TLS client and server certificates,
-respectively. Elliptic curve cryptography is used by both the IKE and TLS
-protocols.
+respectively.
diff --git a/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat
new file mode 100644
index 000000000..52dc51a62
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c25dc8398
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..cc3e77095
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-tls
+ certs = carolCert.pem
+ }
+ remote {
+ auth = eap-tls
+ id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..c69b0d77b
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+} \ No newline at end of file
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..51150c77c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-tls
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-tls
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-only/posttest.dat b/testing/tests/swanctl/rw-eap-tls-only/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/swanctl/rw-eap-tls-only/pretest.dat
index 1578796a1..90445d430 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
+++ b/testing/tests/swanctl/rw-eap-tls-only/pretest.dat
@@ -1,7 +1,7 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
moon::expect-connection rw-eap
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-tls-only/test.conf b/testing/tests/swanctl/rw-eap-tls-only/test.conf
new file mode 100644
index 000000000..97b89cb61
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/description.txt b/testing/tests/swanctl/rw-eap-tls-radius/description.txt
new file mode 100644
index 000000000..d635ae33e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses a mutual <b>EAP-TLS</b> authentication based
+on X.509 certificates. The gateway forwards all EAP messages to the
+AAA RADIUS server <b>alice</b>.
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat
new file mode 100644
index 000000000..e3b7cf39a
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..e8670dbb7
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,16 @@
+eap {
+ default_eap_type = tls
+
+ tls-config tls-common {
+ private_key_file = ${certdir}/aaaKey.pem
+ certificate_file = ${certdir}/aaaCert.pem
+ ca_file = ${cadir}/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = ${certdir}/dh
+ random_file = ${certdir}/random
+ }
+
+ tls {
+ tls = tls-common
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..060702784
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,55 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf
index 31556361e..92f96ad66 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf
@@ -1,8 +1,8 @@
eap {
- md5 {
- }
- default_eap_type = ttls
+ default_eap_type = tls
tls {
+ certdir = /etc/raddb/certs
+ cadir = /etc/raddb/certs
private_key_file = /etc/raddb/certs/aaaKey.pem
certificate_file = /etc/raddb/certs/aaaCert.pem
CA_file = /etc/raddb/certs/strongswanCert.pem
@@ -10,16 +10,4 @@ eap {
dh_file = /etc/raddb/certs/dh
random_file = /etc/raddb/certs/random
}
- ttls {
- default_eap_type = md5
- use_tunneled_reply = yes
- virtual_server = "inner-tunnel"
- tnc_virtual_server = "inner-tunnel-second"
- }
-}
-
-eap eap_tnc {
- default_eap_type = tnc
- tnc {
- }
}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..18ebf9e9d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,41 @@
+authorize {
+ eap {
+ ok = return
+ }
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..585019e47
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-tls updown
+
+ multiple_authentication = no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..58786ba87
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ certs = carolCert.pem
+ aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ }
+ remote {
+ auth = pubkey
+ id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules
index 3d99c0197..1eb755354 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules
@@ -22,11 +22,11 @@
-A OUTPUT -p tcp --sport 22 -j ACCEPT
# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-# allow traffic tunnelled via IPsec
--A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
--A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
COMMIT
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ebe5ffab7
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-radius
+ id = "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat b/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat
new file mode 100644
index 000000000..f32a56960
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat b/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat
new file mode 100644
index 000000000..299fccfeb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/test.conf b/testing/tests/swanctl/rw-eap-tls-radius/test.conf
new file mode 100644
index 000000000..0d9e9f3d4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/test.conf
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/description.txt b/testing/tests/swanctl/rw-eap-ttls-only/description.txt
new file mode 100644
index 000000000..19c00531e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The strong mutual authentication is based on <b>EAP-TTLS</b> only (without a separate IKEv2
+authentication) with the gateway being authenticated by a server certificate during the
+EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b> (phase2 of EAP-TTLS).
+<p/>
+With the default setting <b>charon.plugins.eap-ttls.phase2_piggyback = no</b> the server
+<b>moon</b> passively waits for the clients to initiate phase2 of the EAP-TTLS protocol by
+sending a tunneled orphan EAP Identity response upon the reception of the server's TLS
+Finished message. Client <b>carol</b> presents the correct MD5 password and succeeds
+whereas client <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat b/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat
index 2285608b8..00282ab2b 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
+++ b/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat
@@ -10,10 +10,8 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f39a874a4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf
index 0f266dd93..184aaa5d3 100644..100755
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
home {
local_addrs = 192.168.0.100
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
local {
- auth = eap-ttls
+ auth = eap
id = carol@strongswan.org
}
remote {
auth = eap-ttls
- id = moon.strongswan.org
+ id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
send_certreq = no
- proposals = aes128-sha256-modp3072
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
+ eap-carol {
id = carol@strongswan.org
- secret = "Ar3etTnp"
+ secret = Ar3etTnp
}
}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..f39a874a4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf
index 989ab88c7..a77bd0079 100644..100755
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
home {
local_addrs = 192.168.0.200
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
local {
- auth = eap-ttls
+ auth = eap
id = dave@strongswan.org
}
remote {
auth = eap-ttls
- id = moon.strongswan.org
+ id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
send_certreq = no
- proposals = aes128-sha256-modp3072
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
+ eap-dave {
id = dave@strongswan.org
- secret = "W7R0g3do"
+ secret = UgaM65Va
}
}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..860fbf3ac
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,21 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..5ee0c57a3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,37 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-ttls
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = W7R0g3do
+ }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat b/testing/tests/swanctl/rw-eap-ttls-only/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat
+++ b/testing/tests/swanctl/rw-eap-ttls-only/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat b/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat
new file mode 100644
index 000000000..9ae476e64
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/test.conf b/testing/tests/swanctl/rw-eap-ttls-only/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/test.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-only/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/description.txt b/testing/tests/swanctl/rw-eap-ttls-radius/description.txt
new file mode 100644
index 000000000..479350c2f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> and <b>dave</b> et up an <b>EAP-TTLS</b> tunnel each via
+gateway <b>moon</b> to the RADIUS server <b>alice</b> authenticated by an X.509
+AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b>. <b>carol</b> presents the correct MD5 password
+and succeeds whereas <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat
new file mode 100644
index 000000000..df4f0d550
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat
@@ -0,0 +1,17 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7450c71c4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,21 @@
+eap {
+ md5 {
+ }
+ default_eap_type = ttls
+
+ tls-config tls-common {
+ private_key_file = ${certdir}/aaaKey.pem
+ certificate_file = ${certdir}/aaaCert.pem
+ ca_file = ${cadir}/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = ${certdir}/dh
+ random_file = ${certdir}/random
+ }
+
+ ttls {
+ tls = tls-common
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..6ce9d6391
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
@@ -0,0 +1,38 @@
+server inner-tunnel {
+
+authorize {
+ filter_username
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ update outer.session-state {
+ &Module-Failure-Message := &request:Module-Failure-Message
+ }
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol Cleartext-Password := "Ar3etTnp"
+dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
index 31556361e..c91cd40fb 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
@@ -14,12 +14,5 @@ eap {
default_eap_type = md5
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
- tnc_virtual_server = "inner-tunnel-second"
}
}
-
-eap eap_tnc {
- default_eap_type = tnc
- tnc {
- }
-}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
index dd0825858..dd0825858 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol Cleartext-Password := "Ar3etTnp"
+dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85d90ccc1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7ffdd1f4c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..85d90ccc1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf
index 5af2098b6..97c0b7057 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
home {
local_addrs = 192.168.0.200
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
local {
auth = eap
- aaa_id = aaa.strongswan.org
id = dave@strongswan.org
+ aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
}
remote {
- auth = pubkey
- id = moon.strongswan.org
+ auth = pubkey
+ id = moon.strongswan.org
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
- proposals = aes128-sha256-modp3072
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
+ eap-dave {
id = dave@strongswan.org
- secret = "W7R0g3do"
+ secret = UgaM65Va
}
}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ad6d62896
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat
new file mode 100644
index 000000000..96b011090
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat
@@ -0,0 +1,7 @@
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat
new file mode 100644
index 000000000..ff5f6e164
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11-fhh/test.conf b/testing/tests/swanctl/rw-eap-ttls-radius/test.conf
index 61f2312af..0e5512b65 100644
--- a/testing/tests/tnc/tnccs-11-fhh/test.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/test.conf
@@ -5,11 +5,11 @@
# All guest instances that are required for this test
#
-VIRTHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice carol winnetou dave moon"
# Corresponding block diagram
#
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="a-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
@@ -22,7 +22,8 @@ IPSECHOSTS="moon carol dave"
# Guest instances on which FreeRadius is started
#
-RADIUSHOSTS=
+RADIUSHOSTS="alice"
+
# charon controlled by swanctl
#
SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-11-fhh/description.txt b/testing/tests/tnc/tnccs-11-fhh/description.txt
deleted file mode 100644
index 8ce1157e9..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/description.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
-using EAP-TTLS authentication only with the gateway presenting a server certificate and
-the clients doing EAP-MD5 password-based authentication.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-The Dummy IMC and IMV from the
-<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
-<b>TNC@FHH</b></a> project are used which communicate over a proprietary protocol.
-<p>
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
-clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
-respectively.
-
diff --git a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
deleted file mode 100644
index 0b7655bdd..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides: charon
-# Required-Start: $remote_fs $syslog
-# Required-Stop: $remote_fs $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: strongSwan charon IKE daemon
-# Description: with swanctl the strongSwan charon daemon must be
-# running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen <andreas.steffen@strongswa.org>
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
- # Return
- # 0 if daemon has been started
- # 1 if daemon was already running
- # 2 if daemon could not be started
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
- || return 1
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
- $DAEMON_ARGS \
- || return 2
- # Add code here, if necessary, that waits for the process to be ready
- # to handle requests from services started subsequently which depend
- # on this one. As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
- # Return
- # 0 if daemon has been stopped
- # 1 if daemon was already stopped
- # 2 if daemon could not be stopped
- # other if a failure occurred
- start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
- RETVAL="$?"
- [ "$RETVAL" = 2 ] && return 2
- # Wait for children to finish too if this is a daemon that forks
- # and if the daemon is only ever run from this initscript.
- # If the above conditions are not satisfied then add some other code
- # that waits for the process to drop all resources that could be
- # needed by services started subsequently. A last resort is to
- # sleep for some time.
- start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
- [ "$?" = 2 ] && return 2
- # Many daemons don't delete their pidfiles when they exit.
- rm -f $PIDFILE
- return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
- #
- # If the daemon can reload its configuration without
- # restarting (for example, when it is sent a SIGHUP),
- # then implement that here.
- #
- start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
- return 0
-}
-
-case "$1" in
- start)
- [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
- do_start
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- stop)
- [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- status)
- status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
- ;;
- #reload|force-reload)
- #
- # If do_reload() is not implemented then leave this commented out
- # and leave 'force-reload' as an alias for 'restart'.
- #
- #log_daemon_msg "Reloading $DESC" "$NAME"
- #do_reload
- #log_end_msg $?
- #;;
- restart|force-reload)
- #
- # If the "reload" option is implemented then remove the
- # 'force-reload' alias
- #
- log_daemon_msg "Restarting $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1)
- do_start
- case "$?" in
- 0) log_end_msg 0 ;;
- 1) log_end_msg 1 ;; # Old process is still running
- *) log_end_msg 1 ;; # Failed to start
- esac
- ;;
- *)
- # Failed to stop
- log_end_msg 1
- ;;
- esac
- ;;
- *)
- #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
- echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
- exit 3
- ;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index b094a3aaa..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
- multiple_authentication=no
-
- syslog {
- daemon {
- tnc = 3
- }
- }
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties
deleted file mode 100644
index b1c694107..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config
deleted file mode 100644
index d2fabe109..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
-#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides: charon
-# Required-Start: $remote_fs $syslog
-# Required-Stop: $remote_fs $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: strongSwan charon IKE daemon
-# Description: with swanctl the strongSwan charon daemon must be
-# running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen <andreas.steffen@strongswa.org>
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
- # Return
- # 0 if daemon has been started
- # 1 if daemon was already running
- # 2 if daemon could not be started
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
- || return 1
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
- $DAEMON_ARGS \
- || return 2
- # Add code here, if necessary, that waits for the process to be ready
- # to handle requests from services started subsequently which depend
- # on this one. As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
- # Return
- # 0 if daemon has been stopped
- # 1 if daemon was already stopped
- # 2 if daemon could not be stopped
- # other if a failure occurred
- start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
- RETVAL="$?"
- [ "$RETVAL" = 2 ] && return 2
- # Wait for children to finish too if this is a daemon that forks
- # and if the daemon is only ever run from this initscript.
- # If the above conditions are not satisfied then add some other code
- # that waits for the process to drop all resources that could be
- # needed by services started subsequently. A last resort is to
- # sleep for some time.
- start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
- [ "$?" = 2 ] && return 2
- # Many daemons don't delete their pidfiles when they exit.
- rm -f $PIDFILE
- return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
- #
- # If the daemon can reload its configuration without
- # restarting (for example, when it is sent a SIGHUP),
- # then implement that here.
- #
- start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
- return 0
-}
-
-case "$1" in
- start)
- [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
- do_start
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- stop)
- [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- status)
- status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
- ;;
- #reload|force-reload)
- #
- # If do_reload() is not implemented then leave this commented out
- # and leave 'force-reload' as an alias for 'restart'.
- #
- #log_daemon_msg "Reloading $DESC" "$NAME"
- #do_reload
- #log_end_msg $?
- #;;
- restart|force-reload)
- #
- # If the "reload" option is implemented then remove the
- # 'force-reload' alias
- #
- log_daemon_msg "Restarting $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1)
- do_start
- case "$?" in
- 0) log_end_msg 0 ;;
- 1) log_end_msg 1 ;; # Old process is still running
- *) log_end_msg 1 ;; # Failed to start
- esac
- ;;
- *)
- # Failed to stop
- log_end_msg 1
- ;;
- esac
- ;;
- *)
- #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
- echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
- exit 3
- ;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index b094a3aaa..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
- multiple_authentication=no
-
- syslog {
- daemon {
- tnc = 3
- }
- }
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index c20b5e57f..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-isolate \ No newline at end of file
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties
deleted file mode 100644
index b1c694107..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config
deleted file mode 100644
index d2fabe109..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
-#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides: charon
-# Required-Start: $remote_fs $syslog
-# Required-Stop: $remote_fs $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: strongSwan charon IKE daemon
-# Description: with swanctl the strongSwan charon daemon must be
-# running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen <andreas.steffen@strongswa.org>
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
- # Return
- # 0 if daemon has been started
- # 1 if daemon was already running
- # 2 if daemon could not be started
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
- || return 1
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
- $DAEMON_ARGS \
- || return 2
- # Add code here, if necessary, that waits for the process to be ready
- # to handle requests from services started subsequently which depend
- # on this one. As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
- # Return
- # 0 if daemon has been stopped
- # 1 if daemon was already stopped
- # 2 if daemon could not be stopped
- # other if a failure occurred
- start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
- RETVAL="$?"
- [ "$RETVAL" = 2 ] && return 2
- # Wait for children to finish too if this is a daemon that forks
- # and if the daemon is only ever run from this initscript.
- # If the above conditions are not satisfied then add some other code
- # that waits for the process to drop all resources that could be
- # needed by services started subsequently. A last resort is to
- # sleep for some time.
- start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
- [ "$?" = 2 ] && return 2
- # Many daemons don't delete their pidfiles when they exit.
- rm -f $PIDFILE
- return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
- #
- # If the daemon can reload its configuration without
- # restarting (for example, when it is sent a SIGHUP),
- # then implement that here.
- #
- start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
- return 0
-}
-
-case "$1" in
- start)
- [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
- do_start
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- stop)
- [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- status)
- status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
- ;;
- #reload|force-reload)
- #
- # If do_reload() is not implemented then leave this commented out
- # and leave 'force-reload' as an alias for 'restart'.
- #
- #log_daemon_msg "Reloading $DESC" "$NAME"
- #do_reload
- #log_end_msg $?
- #;;
- restart|force-reload)
- #
- # If the "reload" option is implemented then remove the
- # 'force-reload' alias
- #
- log_daemon_msg "Restarting $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1)
- do_start
- case "$?" in
- 0) log_end_msg 0 ;;
- 1) log_end_msg 1 ;; # Old process is still running
- *) log_end_msg 1 ;; # Failed to start
- esac
- ;;
- *)
- # Failed to stop
- log_end_msg 1
- ;;
- esac
- ;;
- *)
- #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
- echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
- exit 3
- ;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index aacee2221..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
-
- multiple_authentication = no
-
- syslog {
- daemon {
- tnc = 3
- }
- }
- plugins {
- eap-ttls {
- phase2_method = md5
- phase2_piggyback = yes
- phase2_tnc = yes
- phase2_tnc_method = tnc
- }
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf
deleted file mode 100644
index 1238c1a91..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,64 +0,0 @@
-connections {
-
- rw-allow {
- local_addrs = 192.168.0.1
-
- local {
- auth = eap-ttls
- id = moon.strongswan.org
- }
- remote {
- auth = eap-ttls
- id = *@strongswan.org
- groups = allow
- }
- children {
- rw-allow {
- local_ts = 10.1.0.0/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-
- rw-isolate {
- local_addrs = 192.168.0.1
-
- local {
- auth = eap-ttls
- id = moon.strongswan.org
- }
- remote {
- auth = eap-ttls
- id = *@strongswan.org
- groups = isolate
- }
- children {
- rw-isolate {
- local_ts = 10.1.0.16/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-}
-
-secrets {
-
- eap-carol {
- id = carol@strongswan.org
- secret = "Ar3etTnp"
- }
- eap-dave {
- id = dave@strongswan.org
- secret = "W7R0g3do"
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy
deleted file mode 100644
index d00491fd7..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy
deleted file mode 100644
index d8215dd3c..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy
+++ /dev/null
@@ -1,40 +0,0 @@
-#FTP - File Transfer Protocol
-TCP 20 = whatever
-TCP 21 = close
-
-#SSH - Secure Shell
-TCP 22 = whatever
-
-#Telnet
-TCP 23 = close
-
-#E-Mail
-#
-#SMTP - Simple Mail Transfer Protocol
-TCP 25 = close
-TCP 587 = close
-#POP3 - Post Office Protocol version 3
-TCP 110 = close
-TCP 995 = close
-
-#DNS - Domain Name System
-UDP 53 = close
-TCP 53 = close
-
-#BOOTP/DHCP - Bootstrap Protocol /
-#Dynamic Host Configuration Protocol
-UDP 67 = close
-#UDP 68 = open
-UDP 68 = whatever
-
-#www - World Wide Web
-#HTTP - Hypertext Transfer Protocol
-TCP 80 = close
-#HTTPS - Hypertext Transfer Protocol Secure
-TCP 443 = close
-
-#examples
-TCP 8080 = close
-TCP 5223 = whatever
-UDP 4444 = close
-UDP 631 = whatever
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties
deleted file mode 100644
index 122d798b3..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMV] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMV] %m%n
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config
deleted file mode 100644
index 140caa98f..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan server
-
-IMV "Dummy" /usr/local/lib/libdummyimv.so
-#IMV "HostScanner" /usr/local/lib/libhostscannerimv.so
diff --git a/testing/tests/tnc/tnccs-11-radius-block/description.txt b/testing/tests/tnc/tnccs-11-radius-block/description.txt
deleted file mode 100644
index 67b1a2a34..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/description.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the clients by sending an IKEv2
-<b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to the
-<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
-<b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-The IMC and IMV communicate are using the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
-<p>
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements <b>carol</b>
-is authenticated successfully and is granted access to the subnet behind <b>moon</b> whereas
-<b>dave</b> fails the layered EAP authentication and is rejected.
diff --git a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
deleted file mode 100644
index b2fc61949..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
-dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
-moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home::NO
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
deleted file mode 100644
index c5bde6a9e..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,36 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
- eap_tnc {
- ok = return
- }
-}
-
-authenticate {
- eap_tnc
-}
-
-session {
- radutmp
-}
-
-post-auth {
- if (control:TNC-Status == "Access") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "allow"
- }
- }
- elsif (control:TNC-Status == "Isolate") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "isolate"
- }
- }
-
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 7622801ab..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
- load = random nonce sha1 sha2 md5 gmp pubkey x509
- debug_level = 3
- assessment_result = no
- plugins {
- imv-test {
- rounds = 1
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties
deleted file mode 100644
index 2bdc6e4de..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config
deleted file mode 100644
index da732f68b..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan client
-
-IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
-IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 305a9d1e6..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
- multiple_authentication=no
-
- syslog {
- daemon {
- tnc = 3
- imc = 3
- }
- }
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
-
-libimcv {
- plugins {
- imc-test {
- command = allow
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config
deleted file mode 100644
index 6166552f5..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 5d17eb638..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
- multiple_authentication=no
-
- syslog {
- daemon {
- tnc = 3
- imc = 3
- }
- }
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
-
-libimcv {
- plugins {
- imc-test {
- command = none
- }
- imc-scanner {
- push_info = no
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config
deleted file mode 100644
index 6166552f5..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4c9dd6e1f..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
-
- multiple_authentication=no
-
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = 10.1.0.10
- filter_id = yes
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
deleted file mode 100644
index efddc609e..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
+++ /dev/null
@@ -1,21 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
-moon::systemctl start strongswan-swanctl
-carol::systemctl start strongswan-swanctl
-dave::systemctl start strongswan-swanctl
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home
-dave::expect-connection home
-dave::swanctl --initiate --child home
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/description.txt b/testing/tests/tnc/tnccs-11-radius-pts/description.txt
deleted file mode 100644
index d5729dd7b..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/description.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the clients by sending an IKEv2
-<b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to the
-<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
-<b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-The communication between the OS and Attestation IMC and the Attestation IMV is based on the
- <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
-<p>
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
-are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
deleted file mode 100644
index 588ddf469..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
deleted file mode 100644
index c5bde6a9e..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,36 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
- eap_tnc {
- ok = return
- }
-}
-
-authenticate {
- eap_tnc
-}
-
-session {
- radutmp
-}
-
-post-auth {
- if (control:TNC-Status == "Access") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "allow"
- }
- }
- elsif (control:TNC-Status == "Isolate") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "isolate"
- }
- }
-
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql
deleted file mode 100644
index d87b5e7f9..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql
+++ /dev/null
@@ -1,29 +0,0 @@
-/* Devices */
-
-INSERT INTO devices ( /* 1 */
- value, product, created
-)
-SELECT 'aabbccddeeff11223344556677889900', id, 1372330615
-FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64';
-
-/* Groups Members */
-
-INSERT INTO groups_members (
- group_id, device_id
-) VALUES (
- 10, 1
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age, rec_fail, rec_noresult
-) VALUES (
- 3, 10, 0, 2, 2
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 16, 2, 0
-);
-
-DELETE FROM enforcements WHERE id = 1;
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index a3f4ca12c..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
- load = random nonce openssl pubkey sqlite
- debug_level = 3
- database = sqlite:///etc/db.d/config.db
- policy_script = /usr/local/libexec/ipsec/imv_policy_manager
- assessment_result = no
-}
-
-attest {
- database = sqlite:///etc/db.d/config.db
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties
deleted file mode 100644
index 2bdc6e4de..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config
deleted file mode 100644
index b5ac8c178..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan client
-
-IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
-IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index a534ac66e..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
- multiple_authentication=no
-
- syslog {
- daemon {
- tnc = 3
- imc = 3
- }
- }
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config
deleted file mode 100644
index 15dc93a0a..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
-IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 469e81156..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
- multiple_authentication=no
- retransmit_tries = 5
-
- syslog {
- daemon {
- tnc = 3
- imc = 3
- }
- }
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config
deleted file mode 100644
index 15dc93a0a..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
-IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index cbaf67c89..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce openssl pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-radius updown
-
- multiple_authentication=no
-
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = 10.1.0.10
- filter_id = yes
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf
deleted file mode 100644
index 096eb7b5a..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,53 +0,0 @@
-connections {
-
- rw-allow {
- local_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- id = moon.strongswan.org
- certs = moonCert.pem
- }
- remote {
- auth = eap-radius
- id = *@strongswan.org
- groups = allow
- }
- children {
- rw-allow {
- local_ts = 10.1.0.0/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-ecp256
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-ecp256
- }
-
- rw-isolate {
- local_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- id = moon.strongswan.org
- }
- remote {
- auth = eap-radius
- id = *@strongswan.org
- groups = isolate
- }
- children {
- rw-isolate {
- local_ts = 10.1.0.16/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-ecp256
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-ecp256
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
deleted file mode 100644
index 7d0dfa385..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
+++ /dev/null
@@ -1,28 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-carol::echo 0 > /proc/sys/net/ipv4/ip_forward
-dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
-alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql
-alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db
-alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
-moon::systemctl start strongswan-swanctl
-carol::systemctl start strongswan-swanctl
-dave::systemctl start strongswan-swanctl
-moon::expect-connection rw-allow
-moon::expect-connection rw-isolate
-carol::expect-connection home
-carol::swanctl --initiate --child home
-dave::expect-connection home
-dave::swanctl --initiate --child home
-alice::ipsec attest --sessions
-alice::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-11-radius/description.txt b/testing/tests/tnc/tnccs-11-radius/description.txt
deleted file mode 100644
index 4017c6eda..000000000
--- a/testing/tests/tnc/tnccs-11-radius/description.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the clients by sending an IKEv2
-<b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to the
-<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
-<b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-The communication between IMCs and IMVs is based on the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
-<p>
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
-are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
deleted file mode 100644
index cbafc1303..000000000
--- a/testing/tests/tnc/tnccs-11-radius/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf
deleted file mode 100644
index 31556361e..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-eap {
- md5 {
- }
- default_eap_type = ttls
- tls {
- private_key_file = /etc/raddb/certs/aaaKey.pem
- certificate_file = /etc/raddb/certs/aaaCert.pem
- CA_file = /etc/raddb/certs/strongswanCert.pem
- cipher_list = "DEFAULT"
- dh_file = /etc/raddb/certs/dh
- random_file = /etc/raddb/certs/random
- }
- ttls {
- default_eap_type = md5
- use_tunneled_reply = yes
- virtual_server = "inner-tunnel"
- tnc_virtual_server = "inner-tunnel-second"
- }
-}
-
-eap eap_tnc {
- default_eap_type = tnc
- tnc {
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
deleted file mode 100644
index e088fae14..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
+++ /dev/null
@@ -1,32 +0,0 @@
-server inner-tunnel {
-
-authorize {
- suffix
- eap {
- ok = return
- }
- files
-}
-
-authenticate {
- eap
-}
-
-session {
- radutmp
-}
-
-post-auth {
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-pre-proxy {
-}
-
-post-proxy {
- eap
-}
-
-} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
deleted file mode 100644
index c5bde6a9e..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,36 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
- eap_tnc {
- ok = return
- }
-}
-
-authenticate {
- eap_tnc
-}
-
-session {
- radutmp
-}
-
-post-auth {
- if (control:TNC-Status == "Access") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "allow"
- }
- }
- elsif (control:TNC-Status == "Isolate") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "isolate"
- }
- }
-
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 7622801ab..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
- load = random nonce sha1 sha2 md5 gmp pubkey x509
- debug_level = 3
- assessment_result = no
- plugins {
- imv-test {
- rounds = 1
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties
deleted file mode 100644
index 2bdc6e4de..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config
deleted file mode 100644
index da732f68b..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan client
-
-IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
-IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 1ca6c3d10..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
- multiple_authentication=no
-
- syslog {
- daemon {
- tnc = 3
- imc = 3
- }
- }
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
-
-libimcv {
- plugins {
- imc-test {
- command = allow
- }
- }
-}
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config
deleted file mode 100644
index 6166552f5..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 9df983c80..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
- multiple_authentication=no
-
- syslog {
- daemon {
- tnc = 3
- imc = 3
- }
- }
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
-
-libimcv {
- plugins {
- imc-test {
- command = isolate
- }
- imc-scanner {
- push_info = no
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config
deleted file mode 100644
index 6166552f5..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4c9dd6e1f..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
-
- multiple_authentication=no
-
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = 10.1.0.10
- filter_id = yes
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf
deleted file mode 100644
index 3caad0c66..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,53 +0,0 @@
-connections {
-
- rw-allow {
- local_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- id = moon.strongswan.org
- certs = moonCert.pem
- }
- remote {
- auth = eap-radius
- id = *@strongswan.org
- groups = allow
- }
- children {
- rw-allow {
- local_ts = 10.1.0.0/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-
- rw-isolate {
- local_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- id = moon.strongswan.org
- }
- remote {
- auth = eap-radius
- id = *@strongswan.org
- groups = isolate
- }
- children {
- rw-isolate {
- local_ts = 10.1.0.16/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat
deleted file mode 100644
index bb2ce93b3..000000000
--- a/testing/tests/tnc/tnccs-11-radius/pretest.dat
+++ /dev/null
@@ -1,22 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
-moon::systemctl start strongswan-swanctl
-carol::systemctl start strongswan-swanctl
-dave::systemctl start strongswan-swanctl
-moon::expect-connection rw-allow
-moon::expect-connection rw-isolate
-carol::expect-connection home
-carol::swanctl --initiate --child home
-dave::expect-connection home
-dave::swanctl --initiate --child home
diff --git a/testing/tests/tnc/tnccs-11-supplicant/description.txt b/testing/tests/tnc/tnccs-11-supplicant/description.txt
deleted file mode 100644
index 5d0155382..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/description.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-The layer 2 supplicants <b>carol</b> and <b>dave</b> want to connect to a network
-via switch <b>moon</b> which delegates the IEEE 802.1X authentication to the RADIUS
-server <b>alice</b>. <b>carol</b> and <b>dave</b> set up an <b>EAP-TTLS</b> tunnel
-each via <b>moon</b> to the <a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup"> <b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated
-by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-The communication between IMCs and IMVs is based on the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
-<p>
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
-are connected by switch <b>moon</b> to the "allow" and "isolate" VLANs, respectively.
diff --git a/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat b/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat
deleted file mode 100644
index 2d43b3c7b..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-carol::cat /var/log/daemon.log::IMC.*changed state.*Allowed::YES
-dave:: cat /var/log/daemon.log::IMC.*changed state.*Isolate::YES
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel
deleted file mode 100644
index e088fae14..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel
+++ /dev/null
@@ -1,32 +0,0 @@
-server inner-tunnel {
-
-authorize {
- suffix
- eap {
- ok = return
- }
- files
-}
-
-authenticate {
- eap
-}
-
-session {
- radutmp
-}
-
-post-auth {
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-pre-proxy {
-}
-
-post-proxy {
- eap
-}
-
-} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
deleted file mode 100644
index c5bde6a9e..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,36 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
- eap_tnc {
- ok = return
- }
-}
-
-authenticate {
- eap_tnc
-}
-
-session {
- radutmp
-}
-
-post-auth {
- if (control:TNC-Status == "Access") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "allow"
- }
- }
- elsif (control:TNC-Status == "Isolate") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "isolate"
- }
- }
-
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 7622801ab..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
- load = random nonce sha1 sha2 md5 gmp pubkey x509
- debug_level = 3
- assessment_result = no
- plugins {
- imv-test {
- rounds = 1
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties
deleted file mode 100644
index 2bdc6e4de..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config
deleted file mode 100644
index da732f68b..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan client
-
-IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
-IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 965752b5e..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
- load = random nonce sha1 sha2 md5 gmp pubkey x509
- debug_level = 3
- plugins {
- imc-test {
- command = allow
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf
deleted file mode 100644
index 00ef0f516..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1 +0,0 @@
-# The strongSwan IMCs are loaded by the WPA supplicant
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config
deleted file mode 100644
index b4288fd53..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf
deleted file mode 100644
index 92d84f570..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf
+++ /dev/null
@@ -1,10 +0,0 @@
- network={
- ssid="eap_ttls"
- scan_ssid=0
- key_mgmt=IEEE8021X
- eap=TTLS
- identity="carol"
- password="Ar3etTnp"
- ca_cert="/etc/ipsec.d/cacerts/strongswanCert.pem"
- id_str=""
- }
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index ca1f7d9a5..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
- load = random nonce sha1 sha2 md5 gmp pubkey x509
- debug_level = 3
- plugins {
- imc-test {
- command = isolate
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf
deleted file mode 100644
index 00ef0f516..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1 +0,0 @@
-# The strongSwan IMCs are loaded by the WPA supplicant
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config
deleted file mode 100644
index b4288fd53..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf
deleted file mode 100644
index 37a343df6..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf
+++ /dev/null
@@ -1,10 +0,0 @@
- network={
- ssid="eap_ttls"
- scan_ssid=0
- key_mgmt=IEEE8021X
- eap=TTLS
- identity="dave"
- password="W7R0g3do"
- ca_cert="/etc/ipsec.d/cacerts/strongswanCert.pem"
- id_str=""
- }
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf
deleted file mode 100644
index c84fcbd91..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf
+++ /dev/null
@@ -1,1127 +0,0 @@
-##### hostapd configuration file ##############################################
-# Empty lines and lines starting with # are ignored
-
-# AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for
-# management frames); ath0 for madwifi
-interface=eth0
-
-# In case of madwifi, atheros, and nl80211 driver interfaces, an additional
-# configuration parameter, bridge, may be used to notify hostapd if the
-# interface is included in a bridge. This parameter is not used with Host AP
-# driver. If the bridge parameter is not set, the drivers will automatically
-# figure out the bridge interface (assuming sysfs is enabled and mounted to
-# /sys) and this parameter may not be needed.
-#
-# For nl80211, this parameter can be used to request the AP interface to be
-# added to the bridge automatically (brctl may refuse to do this before hostapd
-# has been started to change the interface mode). If needed, the bridge
-# interface is also created.
-#bridge=br0
-
-# Driver interface type (hostap/wired/madwifi/test/none/nl80211/bsd);
-# default: hostap). nl80211 is used with all Linux mac80211 drivers.
-# Use driver=none if building hostapd as a standalone RADIUS server that does
-# not control any wireless/wired driver.
-driver=wired
-
-# hostapd event logger configuration
-#
-# Two output method: syslog and stdout (only usable if not forking to
-# background).
-#
-# Module bitfield (ORed bitfield of modules that will be logged; -1 = all
-# modules):
-# bit 0 (1) = IEEE 802.11
-# bit 1 (2) = IEEE 802.1X
-# bit 2 (4) = RADIUS
-# bit 3 (8) = WPA
-# bit 4 (16) = driver interface
-# bit 5 (32) = IAPP
-# bit 6 (64) = MLME
-#
-# Levels (minimum value for logged events):
-# 0 = verbose debugging
-# 1 = debugging
-# 2 = informational messages
-# 3 = notification
-# 4 = warning
-#
-logger_syslog=-1
-logger_syslog_level=2
-logger_stdout=-1
-logger_stdout_level=0
-
-# Dump file for state information (on SIGUSR1)
-dump_file=/tmp/hostapd.dump
-
-# Interface for separate control program. If this is specified, hostapd
-# will create this directory and a UNIX domain socket for listening to requests
-# from external programs (CLI/GUI, etc.) for status information and
-# configuration. The socket file will be named based on the interface name, so
-# multiple hostapd processes/interfaces can be run at the same time if more
-# than one interface is used.
-# /var/run/hostapd is the recommended directory for sockets and by default,
-# hostapd_cli will use it when trying to connect with hostapd.
-ctrl_interface=/var/run/hostapd
-
-# Access control for the control interface can be configured by setting the
-# directory to allow only members of a group to use sockets. This way, it is
-# possible to run hostapd as root (since it needs to change network
-# configuration and open raw sockets) and still allow GUI/CLI components to be
-# run as non-root users. However, since the control interface can be used to
-# change the network configuration, this access needs to be protected in many
-# cases. By default, hostapd is configured to use gid 0 (root). If you
-# want to allow non-root users to use the contron interface, add a new group
-# and change this value to match with that group. Add users that should have
-# control interface access to this group.
-#
-# This variable can be a group name or gid.
-#ctrl_interface_group=wheel
-ctrl_interface_group=0
-
-
-##### IEEE 802.11 related configuration #######################################
-
-# SSID to be used in IEEE 802.11 management frames
-#ssid=test
-
-# Country code (ISO/IEC 3166-1). Used to set regulatory domain.
-# Set as needed to indicate country in which device is operating.
-# This can limit available channels and transmit power.
-#country_code=US
-
-# Enable IEEE 802.11d. This advertises the country_code and the set of allowed
-# channels and transmit power levels based on the regulatory limits. The
-# country_code setting must be configured with the correct country for
-# IEEE 802.11d functions.
-# (default: 0 = disabled)
-#ieee80211d=1
-
-# Operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g,
-# Default: IEEE 802.11b
-hw_mode=g
-
-# Channel number (IEEE 802.11)
-# (default: 0, i.e., not set)
-# Please note that some drivers do not use this value from hostapd and the
-# channel will need to be configured separately with iwconfig.
-channel=1
-
-# Beacon interval in kus (1.024 ms) (default: 100; range 15..65535)
-beacon_int=100
-
-# DTIM (delivery traffic information message) period (range 1..255):
-# number of beacons between DTIMs (1 = every beacon includes DTIM element)
-# (default: 2)
-dtim_period=2
-
-# Maximum number of stations allowed in station table. New stations will be
-# rejected after the station table is full. IEEE 802.11 has a limit of 2007
-# different association IDs, so this number should not be larger than that.
-# (default: 2007)
-max_num_sta=255
-
-# RTS/CTS threshold; 2347 = disabled (default); range 0..2347
-# If this field is not included in hostapd.conf, hostapd will not control
-# RTS threshold and 'iwconfig wlan# rts <val>' can be used to set it.
-rts_threshold=2347
-
-# Fragmentation threshold; 2346 = disabled (default); range 256..2346
-# If this field is not included in hostapd.conf, hostapd will not control
-# fragmentation threshold and 'iwconfig wlan# frag <val>' can be used to set
-# it.
-fragm_threshold=2346
-
-# Rate configuration
-# Default is to enable all rates supported by the hardware. This configuration
-# item allows this list be filtered so that only the listed rates will be left
-# in the list. If the list is empty, all rates are used. This list can have
-# entries that are not in the list of rates the hardware supports (such entries
-# are ignored). The entries in this list are in 100 kbps, i.e., 11 Mbps = 110.
-# If this item is present, at least one rate have to be matching with the rates
-# hardware supports.
-# default: use the most common supported rate setting for the selected
-# hw_mode (i.e., this line can be removed from configuration file in most
-# cases)
-#supported_rates=10 20 55 110 60 90 120 180 240 360 480 540
-
-# Basic rate set configuration
-# List of rates (in 100 kbps) that are included in the basic rate set.
-# If this item is not included, usually reasonable default set is used.
-#basic_rates=10 20
-#basic_rates=10 20 55 110
-#basic_rates=60 120 240
-
-# Short Preamble
-# This parameter can be used to enable optional use of short preamble for
-# frames sent at 2 Mbps, 5.5 Mbps, and 11 Mbps to improve network performance.
-# This applies only to IEEE 802.11b-compatible networks and this should only be
-# enabled if the local hardware supports use of short preamble. If any of the
-# associated STAs do not support short preamble, use of short preamble will be
-# disabled (and enabled when such STAs disassociate) dynamically.
-# 0 = do not allow use of short preamble (default)
-# 1 = allow use of short preamble
-#preamble=1
-
-# Station MAC address -based authentication
-# Please note that this kind of access control requires a driver that uses
-# hostapd to take care of management frame processing and as such, this can be
-# used with driver=hostap or driver=nl80211, but not with driver=madwifi.
-# 0 = accept unless in deny list
-# 1 = deny unless in accept list
-# 2 = use external RADIUS server (accept/deny lists are searched first)
-macaddr_acl=0
-
-# Accept/deny lists are read from separate files (containing list of
-# MAC addresses, one per line). Use absolute path name to make sure that the
-# files can be read on SIGHUP configuration reloads.
-#accept_mac_file=/etc/hostapd.accept
-#deny_mac_file=/etc/hostapd.deny
-
-# IEEE 802.11 specifies two authentication algorithms. hostapd can be
-# configured to allow both of these or only one. Open system authentication
-# should be used with IEEE 802.1X.
-# Bit fields of allowed authentication algorithms:
-# bit 0 = Open System Authentication
-# bit 1 = Shared Key Authentication (requires WEP)
-auth_algs=3
-
-# Send empty SSID in beacons and ignore probe request frames that do not
-# specify full SSID, i.e., require stations to know SSID.
-# default: disabled (0)
-# 1 = send empty (length=0) SSID in beacon and ignore probe request for
-# broadcast SSID
-# 2 = clear SSID (ASCII 0), but keep the original length (this may be required
-# with some clients that do not support empty SSID) and ignore probe
-# requests for broadcast SSID
-ignore_broadcast_ssid=0
-
-# TX queue parameters (EDCF / bursting)
-# tx_queue_<queue name>_<param>
-# queues: data0, data1, data2, data3, after_beacon, beacon
-# (data0 is the highest priority queue)
-# parameters:
-# aifs: AIFS (default 2)
-# cwmin: cwMin (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023)
-# cwmax: cwMax (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023); cwMax >= cwMin
-# burst: maximum length (in milliseconds with precision of up to 0.1 ms) for
-# bursting
-#
-# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e):
-# These parameters are used by the access point when transmitting frames
-# to the clients.
-#
-# Low priority / AC_BK = background
-#tx_queue_data3_aifs=7
-#tx_queue_data3_cwmin=15
-#tx_queue_data3_cwmax=1023
-#tx_queue_data3_burst=0
-# Note: for IEEE 802.11b mode: cWmin=31 cWmax=1023 burst=0
-#
-# Normal priority / AC_BE = best effort
-#tx_queue_data2_aifs=3
-#tx_queue_data2_cwmin=15
-#tx_queue_data2_cwmax=63
-#tx_queue_data2_burst=0
-# Note: for IEEE 802.11b mode: cWmin=31 cWmax=127 burst=0
-#
-# High priority / AC_VI = video
-#tx_queue_data1_aifs=1
-#tx_queue_data1_cwmin=7
-#tx_queue_data1_cwmax=15
-#tx_queue_data1_burst=3.0
-# Note: for IEEE 802.11b mode: cWmin=15 cWmax=31 burst=6.0
-#
-# Highest priority / AC_VO = voice
-#tx_queue_data0_aifs=1
-#tx_queue_data0_cwmin=3
-#tx_queue_data0_cwmax=7
-#tx_queue_data0_burst=1.5
-# Note: for IEEE 802.11b mode: cWmin=7 cWmax=15 burst=3.3
-
-# 802.1D Tag (= UP) to AC mappings
-# WMM specifies following mapping of data frames to different ACs. This mapping
-# can be configured using Linux QoS/tc and sch_pktpri.o module.
-# 802.1D Tag 802.1D Designation Access Category WMM Designation
-# 1 BK AC_BK Background
-# 2 - AC_BK Background
-# 0 BE AC_BE Best Effort
-# 3 EE AC_BE Best Effort
-# 4 CL AC_VI Video
-# 5 VI AC_VI Video
-# 6 VO AC_VO Voice
-# 7 NC AC_VO Voice
-# Data frames with no priority information: AC_BE
-# Management frames: AC_VO
-# PS-Poll frames: AC_BE
-
-# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e):
-# for 802.11a or 802.11g networks
-# These parameters are sent to WMM clients when they associate.
-# The parameters will be used by WMM clients for frames transmitted to the
-# access point.
-#
-# note - txop_limit is in units of 32microseconds
-# note - acm is admission control mandatory flag. 0 = admission control not
-# required, 1 = mandatory
-# note - here cwMin and cmMax are in exponent form. the actual cw value used
-# will be (2^n)-1 where n is the value given here
-#
-wmm_enabled=1
-#
-# WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD]
-# Enable this flag if U-APSD supported outside hostapd (eg., Firmware/driver)
-#uapsd_advertisement_enabled=1
-#
-# Low priority / AC_BK = background
-wmm_ac_bk_cwmin=4
-wmm_ac_bk_cwmax=10
-wmm_ac_bk_aifs=7
-wmm_ac_bk_txop_limit=0
-wmm_ac_bk_acm=0
-# Note: for IEEE 802.11b mode: cWmin=5 cWmax=10
-#
-# Normal priority / AC_BE = best effort
-wmm_ac_be_aifs=3
-wmm_ac_be_cwmin=4
-wmm_ac_be_cwmax=10
-wmm_ac_be_txop_limit=0
-wmm_ac_be_acm=0
-# Note: for IEEE 802.11b mode: cWmin=5 cWmax=7
-#
-# High priority / AC_VI = video
-wmm_ac_vi_aifs=2
-wmm_ac_vi_cwmin=3
-wmm_ac_vi_cwmax=4
-wmm_ac_vi_txop_limit=94
-wmm_ac_vi_acm=0
-# Note: for IEEE 802.11b mode: cWmin=4 cWmax=5 txop_limit=188
-#
-# Highest priority / AC_VO = voice
-wmm_ac_vo_aifs=2
-wmm_ac_vo_cwmin=2
-wmm_ac_vo_cwmax=3
-wmm_ac_vo_txop_limit=47
-wmm_ac_vo_acm=0
-# Note: for IEEE 802.11b mode: cWmin=3 cWmax=4 burst=102
-
-# Static WEP key configuration
-#
-# The key number to use when transmitting.
-# It must be between 0 and 3, and the corresponding key must be set.
-# default: not set
-#wep_default_key=0
-# The WEP keys to use.
-# A key may be a quoted string or unquoted hexadecimal digits.
-# The key length should be 5, 13, or 16 characters, or 10, 26, or 32
-# digits, depending on whether 40-bit (64-bit), 104-bit (128-bit), or
-# 128-bit (152-bit) WEP is used.
-# Only the default key must be supplied; the others are optional.
-# default: not set
-#wep_key0=123456789a
-#wep_key1="vwxyz"
-#wep_key2=0102030405060708090a0b0c0d
-#wep_key3=".2.4.6.8.0.23"
-
-# Station inactivity limit
-#
-# If a station does not send anything in ap_max_inactivity seconds, an
-# empty data frame is sent to it in order to verify whether it is
-# still in range. If this frame is not ACKed, the station will be
-# disassociated and then deauthenticated. This feature is used to
-# clear station table of old entries when the STAs move out of the
-# range.
-#
-# The station can associate again with the AP if it is still in range;
-# this inactivity poll is just used as a nicer way of verifying
-# inactivity; i.e., client will not report broken connection because
-# disassociation frame is not sent immediately without first polling
-# the STA with a data frame.
-# default: 300 (i.e., 5 minutes)
-ap_max_inactivity=30
-
-# Disassociate stations based on excessive transmission failures or other
-# indications of connection loss. This depends on the driver capabilities and
-# may not be available with all drivers.
-#disassoc_low_ack=1
-
-# Maximum allowed Listen Interval (how many Beacon periods STAs are allowed to
-# remain asleep). Default: 65535 (no limit apart from field size)
-#max_listen_interval=100
-
-# WDS (4-address frame) mode with per-station virtual interfaces
-# (only supported with driver=nl80211)
-# This mode allows associated stations to use 4-address frames to allow layer 2
-# bridging to be used.
-#wds_sta=1
-
-# If bridge parameter is set, the WDS STA interface will be added to the same
-# bridge by default. This can be overridden with the wds_bridge parameter to
-# use a separate bridge.
-#wds_bridge=wds-br0
-
-# Client isolation can be used to prevent low-level bridging of frames between
-# associated stations in the BSS. By default, this bridging is allowed.
-#ap_isolate=1
-
-##### IEEE 802.11n related configuration ######################################
-
-# ieee80211n: Whether IEEE 802.11n (HT) is enabled
-# 0 = disabled (default)
-# 1 = enabled
-# Note: You will also need to enable WMM for full HT functionality.
-#ieee80211n=1
-
-# ht_capab: HT capabilities (list of flags)
-# LDPC coding capability: [LDPC] = supported
-# Supported channel width set: [HT40-] = both 20 MHz and 40 MHz with secondary
-# channel below the primary channel; [HT40+] = both 20 MHz and 40 MHz
-# with secondary channel below the primary channel
-# (20 MHz only if neither is set)
-# Note: There are limits on which channels can be used with HT40- and
-# HT40+. Following table shows the channels that may be available for
-# HT40- and HT40+ use per IEEE 802.11n Annex J:
-# freq HT40- HT40+
-# 2.4 GHz 5-13 1-7 (1-9 in Europe/Japan)
-# 5 GHz 40,48,56,64 36,44,52,60
-# (depending on the location, not all of these channels may be available
-# for use)
-# Please note that 40 MHz channels may switch their primary and secondary
-# channels if needed or creation of 40 MHz channel maybe rejected based
-# on overlapping BSSes. These changes are done automatically when hostapd
-# is setting up the 40 MHz channel.
-# Spatial Multiplexing (SM) Power Save: [SMPS-STATIC] or [SMPS-DYNAMIC]
-# (SMPS disabled if neither is set)
-# HT-greenfield: [GF] (disabled if not set)
-# Short GI for 20 MHz: [SHORT-GI-20] (disabled if not set)
-# Short GI for 40 MHz: [SHORT-GI-40] (disabled if not set)
-# Tx STBC: [TX-STBC] (disabled if not set)
-# Rx STBC: [RX-STBC1] (one spatial stream), [RX-STBC12] (one or two spatial
-# streams), or [RX-STBC123] (one, two, or three spatial streams); Rx STBC
-# disabled if none of these set
-# HT-delayed Block Ack: [DELAYED-BA] (disabled if not set)
-# Maximum A-MSDU length: [MAX-AMSDU-7935] for 7935 octets (3839 octets if not
-# set)
-# DSSS/CCK Mode in 40 MHz: [DSSS_CCK-40] = allowed (not allowed if not set)
-# PSMP support: [PSMP] (disabled if not set)
-# L-SIG TXOP protection support: [LSIG-TXOP-PROT] (disabled if not set)
-#ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40]
-
-# Require stations to support HT PHY (reject association if they do not)
-#require_ht=1
-
-##### IEEE 802.1X-2004 related configuration ##################################
-
-# Require IEEE 802.1X authorization
-ieee8021x=1
-
-# IEEE 802.1X/EAPOL version
-# hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL
-# version 2. However, there are many client implementations that do not handle
-# the new version number correctly (they seem to drop the frames completely).
-# In order to make hostapd interoperate with these clients, the version number
-# can be set to the older version (1) with this configuration value.
-#eapol_version=2
-
-# Optional displayable message sent with EAP Request-Identity. The first \0
-# in this string will be converted to ASCII-0 (nul). This can be used to
-# separate network info (comma separated list of attribute=value pairs); see,
-# e.g., RFC 4284.
-#eap_message=hello
-#eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com
-
-# WEP rekeying (disabled if key lengths are not set or are set to 0)
-# Key lengths for default/broadcast and individual/unicast keys:
-# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)
-# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)
-#wep_key_len_broadcast=5
-#wep_key_len_unicast=5
-# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once)
-#wep_rekey_period=300
-
-# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if
-# only broadcast keys are used)
-eapol_key_index_workaround=0
-
-# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable
-# reauthentication).
-#eap_reauth_period=3600
-
-# Use PAE group address (01:80:c2:00:00:03) instead of individual target
-# address when sending EAPOL frames with driver=wired. This is the most common
-# mechanism used in wired authentication, but it also requires that the port
-# is only used by one station.
-#use_pae_group_addr=1
-
-##### Integrated EAP server ###################################################
-
-# Optionally, hostapd can be configured to use an integrated EAP server
-# to process EAP authentication locally without need for an external RADIUS
-# server. This functionality can be used both as a local authentication server
-# for IEEE 802.1X/EAPOL and as a RADIUS server for other devices.
-
-# Use integrated EAP server instead of external RADIUS authentication
-# server. This is also needed if hostapd is configured to act as a RADIUS
-# authentication server.
-eap_server=0
-
-# Path for EAP server user database
-#eap_user_file=/etc/hostapd.eap_user
-
-# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
-#ca_cert=/etc/hostapd.ca.pem
-
-# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
-#server_cert=/etc/hostapd.server.pem
-
-# Private key matching with the server certificate for EAP-TLS/PEAP/TTLS
-# This may point to the same file as server_cert if both certificate and key
-# are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be
-# used by commenting out server_cert and specifying the PFX file as the
-# private_key.
-#private_key=/etc/hostapd.server.prv
-
-# Passphrase for private key
-#private_key_passwd=secret passphrase
-
-# Enable CRL verification.
-# Note: hostapd does not yet support CRL downloading based on CDP. Thus, a
-# valid CRL signed by the CA is required to be included in the ca_cert file.
-# This can be done by using PEM format for CA certificate and CRL and
-# concatenating these into one file. Whenever CRL changes, hostapd needs to be
-# restarted to take the new CRL into use.
-# 0 = do not verify CRLs (default)
-# 1 = check the CRL of the user certificate
-# 2 = check all CRLs in the certificate path
-#check_crl=1
-
-# dh_file: File path to DH/DSA parameters file (in PEM format)
-# This is an optional configuration file for setting parameters for an
-# ephemeral DH key exchange. In most cases, the default RSA authentication does
-# not use this configuration. However, it is possible setup RSA to use
-# ephemeral DH key exchange. In addition, ciphers with DSA keys always use
-# ephemeral DH keys. This can be used to achieve forward secrecy. If the file
-# is in DSA parameters format, it will be automatically converted into DH
-# params. This parameter is required if anonymous EAP-FAST is used.
-# You can generate DH parameters file with OpenSSL, e.g.,
-# "openssl dhparam -out /etc/hostapd.dh.pem 1024"
-#dh_file=/etc/hostapd.dh.pem
-
-# Fragment size for EAP methods
-#fragment_size=1400
-
-# Configuration data for EAP-SIM database/authentication gateway interface.
-# This is a text string in implementation specific format. The example
-# implementation in eap_sim_db.c uses this as the UNIX domain socket name for
-# the HLR/AuC gateway (e.g., hlr_auc_gw). In this case, the path uses "unix:"
-# prefix.
-#eap_sim_db=unix:/tmp/hlr_auc_gw.sock
-
-# Encryption key for EAP-FAST PAC-Opaque values. This key must be a secret,
-# random value. It is configured as a 16-octet value in hex format. It can be
-# generated, e.g., with the following command:
-# od -tx1 -v -N16 /dev/random | colrm 1 8 | tr -d ' '
-#pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
-
-# EAP-FAST authority identity (A-ID)
-# A-ID indicates the identity of the authority that issues PACs. The A-ID
-# should be unique across all issuing servers. In theory, this is a variable
-# length field, but due to some existing implementations requiring A-ID to be
-# 16 octets in length, it is strongly recommended to use that length for the
-# field to provid interoperability with deployed peer implementations. This
-# field is configured in hex format.
-#eap_fast_a_id=101112131415161718191a1b1c1d1e1f
-
-# EAP-FAST authority identifier information (A-ID-Info)
-# This is a user-friendly name for the A-ID. For example, the enterprise name
-# and server name in a human-readable format. This field is encoded as UTF-8.
-#eap_fast_a_id_info=test server
-
-# Enable/disable different EAP-FAST provisioning modes:
-#0 = provisioning disabled
-#1 = only anonymous provisioning allowed
-#2 = only authenticated provisioning allowed
-#3 = both provisioning modes allowed (default)
-#eap_fast_prov=3
-
-# EAP-FAST PAC-Key lifetime in seconds (hard limit)
-#pac_key_lifetime=604800
-
-# EAP-FAST PAC-Key refresh time in seconds (soft limit on remaining hard
-# limit). The server will generate a new PAC-Key when this number of seconds
-# (or fewer) of the lifetime remains.
-#pac_key_refresh_time=86400
-
-# EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND
-# (default: 0 = disabled).
-#eap_sim_aka_result_ind=1
-
-# Trusted Network Connect (TNC)
-# If enabled, TNC validation will be required before the peer is allowed to
-# connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other
-# EAP method is enabled, the peer will be allowed to connect without TNC.
-#tnc=1
-
-
-##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################
-
-# Interface to be used for IAPP broadcast packets
-#iapp_interface=eth0
-
-
-##### RADIUS client configuration #############################################
-# for IEEE 802.1X with external Authentication Server, IEEE 802.11
-# authentication with external ACL for MAC addresses, and accounting
-
-# The own IP address of the access point (used as NAS-IP-Address)
-own_ip_addr=10.1.0.1
-
-# Optional NAS-Identifier string for RADIUS messages. When used, this should be
-# a unique to the NAS within the scope of the RADIUS server. For example, a
-# fully qualified domain name can be used here.
-# When using IEEE 802.11r, nas_identifier must be set and must be between 1 and
-# 48 octets long.
-#nas_identifier=ap.example.com
-
-# RADIUS authentication server
-auth_server_addr=10.1.0.10
-#auth_server_port=1812
-auth_server_shared_secret=gv6URkSs
-
-# RADIUS accounting server
-#acct_server_addr=127.0.0.1
-#acct_server_port=1813
-#acct_server_shared_secret=secret
-
-# Secondary RADIUS servers; to be used if primary one does not reply to
-# RADIUS packets. These are optional and there can be more than one secondary
-# server listed.
-#auth_server_addr=127.0.0.2
-#auth_server_port=1812
-#auth_server_shared_secret=secret2
-#
-#acct_server_addr=127.0.0.2
-#acct_server_port=1813
-#acct_server_shared_secret=secret2
-
-# Retry interval for trying to return to the primary RADIUS server (in
-# seconds). RADIUS client code will automatically try to use the next server
-# when the current server is not replying to requests. If this interval is set,
-# primary server will be retried after configured amount of time even if the
-# currently used secondary server is still working.
-#radius_retry_primary_interval=600
-
-
-# Interim accounting update interval
-# If this is set (larger than 0) and acct_server is configured, hostapd will
-# send interim accounting updates every N seconds. Note: if set, this overrides
-# possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this
-# value should not be configured in hostapd.conf, if RADIUS server is used to
-# control the interim interval.
-# This value should not be less 600 (10 minutes) and must not be less than
-# 60 (1 minute).
-#radius_acct_interim_interval=600
-
-# Dynamic VLAN mode; allow RADIUS authentication server to decide which VLAN
-# is used for the stations. This information is parsed from following RADIUS
-# attributes based on RFC 3580 and RFC 2868: Tunnel-Type (value 13 = VLAN),
-# Tunnel-Medium-Type (value 6 = IEEE 802), Tunnel-Private-Group-ID (value
-# VLANID as a string). vlan_file option below must be configured if dynamic
-# VLANs are used. Optionally, the local MAC ACL list (accept_mac_file) can be
-# used to set static client MAC address to VLAN ID mapping.
-# 0 = disabled (default)
-# 1 = option; use default interface if RADIUS server does not include VLAN ID
-# 2 = required; reject authentication if RADIUS server does not include VLAN ID
-#dynamic_vlan=0
-
-# VLAN interface list for dynamic VLAN mode is read from a separate text file.
-# This list is used to map VLAN ID from the RADIUS server to a network
-# interface. Each station is bound to one interface in the same way as with
-# multiple BSSIDs or SSIDs. Each line in this text file is defining a new
-# interface and the line must include VLAN ID and interface name separated by
-# white space (space or tab).
-#vlan_file=/etc/hostapd.vlan
-
-# Interface where 802.1q tagged packets should appear when a RADIUS server is
-# used to determine which VLAN a station is on. hostapd creates a bridge for
-# each VLAN. Then hostapd adds a VLAN interface (associated with the interface
-# indicated by 'vlan_tagged_interface') and the appropriate wireless interface
-# to the bridge.
-#vlan_tagged_interface=eth0
-
-
-##### RADIUS authentication server configuration ##############################
-
-# hostapd can be used as a RADIUS authentication server for other hosts. This
-# requires that the integrated EAP server is also enabled and both
-# authentication services are sharing the same configuration.
-
-# File name of the RADIUS clients configuration for the RADIUS server. If this
-# commented out, RADIUS server is disabled.
-#radius_server_clients=/etc/hostapd.radius_clients
-
-# The UDP port number for the RADIUS authentication server
-#radius_server_auth_port=1812
-
-# Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API)
-#radius_server_ipv6=1
-
-
-##### WPA/IEEE 802.11i configuration ##########################################
-
-# Enable WPA. Setting this variable configures the AP to require WPA (either
-# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
-# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
-# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
-# RADIUS authentication server must be configured, and WPA-EAP must be included
-# in wpa_key_mgmt.
-# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
-# and/or WPA2 (full IEEE 802.11i/RSN):
-# bit0 = WPA
-# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
-#wpa=1
-
-# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
-# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
-# (8..63 characters) that will be converted to PSK. This conversion uses SSID
-# so the PSK changes when ASCII passphrase is used and the SSID is changed.
-# wpa_psk (dot11RSNAConfigPSKValue)
-# wpa_passphrase (dot11RSNAConfigPSKPassPhrase)
-#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
-#wpa_passphrase=secret passphrase
-
-# Optionally, WPA PSKs can be read from a separate text file (containing list
-# of (PSK,MAC address) pairs. This allows more than one PSK to be configured.
-# Use absolute path name to make sure that the files can be read on SIGHUP
-# configuration reloads.
-#wpa_psk_file=/etc/hostapd.wpa_psk
-
-# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
-# entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be
-# added to enable SHA256-based stronger algorithms.
-# (dot11RSNAConfigAuthenticationSuitesTable)
-#wpa_key_mgmt=WPA-PSK WPA-EAP
-
-# Set of accepted cipher suites (encryption algorithms) for pairwise keys
-# (unicast packets). This is a space separated list of algorithms:
-# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
-# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
-# Group cipher suite (encryption algorithm for broadcast and multicast frames)
-# is automatically selected based on this configuration. If only CCMP is
-# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
-# TKIP will be used as the group cipher.
-# (dot11RSNAConfigPairwiseCiphersTable)
-# Pairwise cipher for WPA (v1) (default: TKIP)
-#wpa_pairwise=TKIP CCMP
-# Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value)
-#rsn_pairwise=CCMP
-
-# Time interval for rekeying GTK (broadcast/multicast encryption keys) in
-# seconds. (dot11RSNAConfigGroupRekeyTime)
-#wpa_group_rekey=600
-
-# Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
-# (dot11RSNAConfigGroupRekeyStrict)
-#wpa_strict_rekey=1
-
-# Time interval for rekeying GMK (master key used internally to generate GTKs
-# (in seconds).
-#wpa_gmk_rekey=86400
-
-# Maximum lifetime for PTK in seconds. This can be used to enforce rekeying of
-# PTK to mitigate some attacks against TKIP deficiencies.
-#wpa_ptk_rekey=600
-
-# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
-# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
-# authentication and key handshake before actually associating with a new AP.
-# (dot11RSNAPreauthenticationEnabled)
-#rsn_preauth=1
-#
-# Space separated list of interfaces from which pre-authentication frames are
-# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all
-# interface that are used for connections to other APs. This could include
-# wired interfaces and WDS links. The normal wireless data interface towards
-# associated stations (e.g., wlan0) should not be added, since
-# pre-authentication is only used with APs other than the currently associated
-# one.
-#rsn_preauth_interfaces=eth0
-
-# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e) is
-# allowed. This is only used with RSN/WPA2.
-# 0 = disabled (default)
-# 1 = enabled
-#peerkey=1
-
-# ieee80211w: Whether management frame protection (MFP) is enabled
-# 0 = disabled (default)
-# 1 = optional
-# 2 = required
-#ieee80211w=0
-
-# Association SA Query maximum timeout (in TU = 1.024 ms; for MFP)
-# (maximum time to wait for a SA Query response)
-# dot11AssociationSAQueryMaximumTimeout, 1...4294967295
-#assoc_sa_query_max_timeout=1000
-
-# Association SA Query retry timeout (in TU = 1.024 ms; for MFP)
-# (time between two subsequent SA Query requests)
-# dot11AssociationSAQueryRetryTimeout, 1...4294967295
-#assoc_sa_query_retry_timeout=201
-
-# disable_pmksa_caching: Disable PMKSA caching
-# This parameter can be used to disable caching of PMKSA created through EAP
-# authentication. RSN preauthentication may still end up using PMKSA caching if
-# it is enabled (rsn_preauth=1).
-# 0 = PMKSA caching enabled (default)
-# 1 = PMKSA caching disabled
-#disable_pmksa_caching=0
-
-# okc: Opportunistic Key Caching (aka Proactive Key Caching)
-# Allow PMK cache to be shared opportunistically among configured interfaces
-# and BSSes (i.e., all configurations within a single hostapd process).
-# 0 = disabled (default)
-# 1 = enabled
-#okc=1
-
-
-##### IEEE 802.11r configuration ##############################################
-
-# Mobility Domain identifier (dot11FTMobilityDomainID, MDID)
-# MDID is used to indicate a group of APs (within an ESS, i.e., sharing the
-# same SSID) between which a STA can use Fast BSS Transition.
-# 2-octet identifier as a hex string.
-#mobility_domain=a1b2
-
-# PMK-R0 Key Holder identifier (dot11FTR0KeyHolderID)
-# 1 to 48 octet identifier.
-# This is configured with nas_identifier (see RADIUS client section above).
-
-# Default lifetime of the PMK-RO in minutes; range 1..65535
-# (dot11FTR0KeyLifetime)
-#r0_key_lifetime=10000
-
-# PMK-R1 Key Holder identifier (dot11FTR1KeyHolderID)
-# 6-octet identifier as a hex string.
-#r1_key_holder=000102030405
-
-# Reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535)
-# (dot11FTReassociationDeadline)
-#reassociation_deadline=1000
-
-# List of R0KHs in the same Mobility Domain
-# format: <MAC address> <NAS Identifier> <128-bit key as hex string>
-# This list is used to map R0KH-ID (NAS Identifier) to a destination MAC
-# address when requesting PMK-R1 key from the R0KH that the STA used during the
-# Initial Mobility Domain Association.
-#r0kh=02:01:02:03:04:05 r0kh-1.example.com 000102030405060708090a0b0c0d0e0f
-#r0kh=02:01:02:03:04:06 r0kh-2.example.com 00112233445566778899aabbccddeeff
-# And so on.. One line per R0KH.
-
-# List of R1KHs in the same Mobility Domain
-# format: <MAC address> <R1KH-ID> <128-bit key as hex string>
-# This list is used to map R1KH-ID to a destination MAC address when sending
-# PMK-R1 key from the R0KH. This is also the list of authorized R1KHs in the MD
-# that can request PMK-R1 keys.
-#r1kh=02:01:02:03:04:05 02:11:22:33:44:55 000102030405060708090a0b0c0d0e0f
-#r1kh=02:01:02:03:04:06 02:11:22:33:44:66 00112233445566778899aabbccddeeff
-# And so on.. One line per R1KH.
-
-# Whether PMK-R1 push is enabled at R0KH
-# 0 = do not push PMK-R1 to all configured R1KHs (default)
-# 1 = push PMK-R1 to all configured R1KHs whenever a new PMK-R0 is derived
-#pmk_r1_push=1
-
-##### Neighbor table ##########################################################
-# Maximum number of entries kept in AP table (either for neigbor table or for
-# detecting Overlapping Legacy BSS Condition). The oldest entry will be
-# removed when adding a new entry that would make the list grow over this
-# limit. Note! WFA certification for IEEE 802.11g requires that OLBC is
-# enabled, so this field should not be set to 0 when using IEEE 802.11g.
-# default: 255
-#ap_table_max_size=255
-
-# Number of seconds of no frames received after which entries may be deleted
-# from the AP table. Since passive scanning is not usually performed frequently
-# this should not be set to very small value. In addition, there is no
-# guarantee that every scan cycle will receive beacon frames from the
-# neighboring APs.
-# default: 60
-#ap_table_expiration_time=3600
-
-
-##### Wi-Fi Protected Setup (WPS) #############################################
-
-# WPS state
-# 0 = WPS disabled (default)
-# 1 = WPS enabled, not configured
-# 2 = WPS enabled, configured
-#wps_state=2
-
-# AP can be configured into a locked state where new WPS Registrar are not
-# accepted, but previously authorized Registrars (including the internal one)
-# can continue to add new Enrollees.
-#ap_setup_locked=1
-
-# Universally Unique IDentifier (UUID; see RFC 4122) of the device
-# This value is used as the UUID for the internal WPS Registrar. If the AP
-# is also using UPnP, this value should be set to the device's UPnP UUID.
-# If not configured, UUID will be generated based on the local MAC address.
-#uuid=12345678-9abc-def0-1234-56789abcdef0
-
-# Note: If wpa_psk_file is set, WPS is used to generate random, per-device PSKs
-# that will be appended to the wpa_psk_file. If wpa_psk_file is not set, the
-# default PSK (wpa_psk/wpa_passphrase) will be delivered to Enrollees. Use of
-# per-device PSKs is recommended as the more secure option (i.e., make sure to
-# set wpa_psk_file when using WPS with WPA-PSK).
-
-# When an Enrollee requests access to the network with PIN method, the Enrollee
-# PIN will need to be entered for the Registrar. PIN request notifications are
-# sent to hostapd ctrl_iface monitor. In addition, they can be written to a
-# text file that could be used, e.g., to populate the AP administration UI with
-# pending PIN requests. If the following variable is set, the PIN requests will
-# be written to the configured file.
-#wps_pin_requests=/var/run/hostapd_wps_pin_requests
-
-# Device Name
-# User-friendly description of device; up to 32 octets encoded in UTF-8
-#device_name=Wireless AP
-
-# Manufacturer
-# The manufacturer of the device (up to 64 ASCII characters)
-#manufacturer=Company
-
-# Model Name
-# Model of the device (up to 32 ASCII characters)
-#model_name=WAP
-
-# Model Number
-# Additional device description (up to 32 ASCII characters)
-#model_number=123
-
-# Serial Number
-# Serial number of the device (up to 32 characters)
-#serial_number=12345
-
-# Primary Device Type
-# Used format: <categ>-<OUI>-<subcateg>
-# categ = Category as an integer value
-# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
-# default WPS OUI
-# subcateg = OUI-specific Sub Category as an integer value
-# Examples:
-# 1-0050F204-1 (Computer / PC)
-# 1-0050F204-2 (Computer / Server)
-# 5-0050F204-1 (Storage / NAS)
-# 6-0050F204-1 (Network Infrastructure / AP)
-#device_type=6-0050F204-1
-
-# OS Version
-# 4-octet operating system version number (hex string)
-#os_version=01020300
-
-# Config Methods
-# List of the supported configuration methods
-# Available methods: usba ethernet label display ext_nfc_token int_nfc_token
-# nfc_interface push_button keypad virtual_display physical_display
-# virtual_push_button physical_push_button
-#config_methods=label virtual_display virtual_push_button keypad
-
-# WPS capability discovery workaround for PBC with Windows 7
-# Windows 7 uses incorrect way of figuring out AP's WPS capabilities by acting
-# as a Registrar and using M1 from the AP. The config methods attribute in that
-# message is supposed to indicate only the configuration method supported by
-# the AP in Enrollee role, i.e., to add an external Registrar. For that case,
-# PBC shall not be used and as such, the PushButton config method is removed
-# from M1 by default. If pbc_in_m1=1 is included in the configuration file,
-# the PushButton config method is left in M1 (if included in config_methods
-# parameter) to allow Windows 7 to use PBC instead of PIN (e.g., from a label
-# in the AP).
-#pbc_in_m1=1
-
-# Static access point PIN for initial configuration and adding Registrars
-# If not set, hostapd will not allow external WPS Registrars to control the
-# access point. The AP PIN can also be set at runtime with hostapd_cli
-# wps_ap_pin command. Use of temporary (enabled by user action) and random
-# AP PIN is much more secure than configuring a static AP PIN here. As such,
-# use of the ap_pin parameter is not recommended if the AP device has means for
-# displaying a random PIN.
-#ap_pin=12345670
-
-# Skip building of automatic WPS credential
-# This can be used to allow the automatically generated Credential attribute to
-# be replaced with pre-configured Credential(s).
-#skip_cred_build=1
-
-# Additional Credential attribute(s)
-# This option can be used to add pre-configured Credential attributes into M8
-# message when acting as a Registrar. If skip_cred_build=1, this data will also
-# be able to override the Credential attribute that would have otherwise been
-# automatically generated based on network configuration. This configuration
-# option points to an external file that much contain the WPS Credential
-# attribute(s) as binary data.
-#extra_cred=hostapd.cred
-
-# Credential processing
-# 0 = process received credentials internally (default)
-# 1 = do not process received credentials; just pass them over ctrl_iface to
-# external program(s)
-# 2 = process received credentials internally and pass them over ctrl_iface
-# to external program(s)
-# Note: With wps_cred_processing=1, skip_cred_build should be set to 1 and
-# extra_cred be used to provide the Credential data for Enrollees.
-#
-# wps_cred_processing=1 will disabled automatic updates of hostapd.conf file
-# both for Credential processing and for marking AP Setup Locked based on
-# validation failures of AP PIN. An external program is responsible on updating
-# the configuration appropriately in this case.
-#wps_cred_processing=0
-
-# AP Settings Attributes for M7
-# By default, hostapd generates the AP Settings Attributes for M7 based on the
-# current configuration. It is possible to override this by providing a file
-# with pre-configured attributes. This is similar to extra_cred file format,
-# but the AP Settings attributes are not encapsulated in a Credential
-# attribute.
-#ap_settings=hostapd.ap_settings
-
-# WPS UPnP interface
-# If set, support for external Registrars is enabled.
-#upnp_iface=br0
-
-# Friendly Name (required for UPnP)
-# Short description for end use. Should be less than 64 characters.
-#friendly_name=WPS Access Point
-
-# Manufacturer URL (optional for UPnP)
-#manufacturer_url=http://www.example.com/
-
-# Model Description (recommended for UPnP)
-# Long description for end user. Should be less than 128 characters.
-#model_description=Wireless Access Point
-
-# Model URL (optional for UPnP)
-#model_url=http://www.example.com/model/
-
-# Universal Product Code (optional for UPnP)
-# 12-digit, all-numeric code that identifies the consumer package.
-#upc=123456789012
-
-##### Wi-Fi Direct (P2P) ######################################################
-
-# Enable P2P Device management
-#manage_p2p=1
-
-# Allow cross connection
-#allow_cross_connection=1
-
-#### TDLS (IEEE 802.11z-2010) #################################################
-
-# Prohibit use of TDLS in this BSS
-#tdls_prohibit=1
-
-# Prohibit use of TDLS Channel Switching in this BSS
-#tdls_prohibit_chan_switch=1
-
-##### IEEE 802.11v-2011 #######################################################
-
-# Time advertisement
-# 0 = disabled (default)
-# 2 = UTC time at which the TSF timer is 0
-#time_advertisement=2
-
-# Local time zone as specified in 8.3 of IEEE Std 1003.1-2004:
-# stdoffset[dst[offset][,start[/time],end[/time]]]
-#time_zone=EST5
-
-##### IEEE 802.11u-2011 #######################################################
-
-# Enable Interworking service
-#interworking=1
-
-# Access Network Type
-# 0 = Private network
-# 1 = Private network with guest access
-# 2 = Chargeable public network
-# 3 = Free public network
-# 4 = Personal device network
-# 5 = Emergency services only network
-# 14 = Test or experimental
-# 15 = Wildcard
-#access_network_type=0
-
-# Whether the network provides connectivity to the Internet
-# 0 = Unspecified
-# 1 = Network provides connectivity to the Internet
-#internet=1
-
-# Additional Step Required for Access
-# Note: This is only used with open network, i.e., ASRA shall ne set to 0 if
-# RSN is used.
-#asra=0
-
-# Emergency services reachable
-#esr=0
-
-# Unauthenticated emergency service accessible
-#uesa=0
-
-# Venue Info (optional)
-# The available values are defined in IEEE Std 802.11u-2011, 7.3.1.34.
-# Example values (group,type):
-# 0,0 = Unspecified
-# 1,7 = Convention Center
-# 1,13 = Coffee Shop
-# 2,0 = Unspecified Business
-# 7,1 Private Residence
-#venue_group=7
-#venue_type=1
-
-# Homogeneous ESS identifier (optional; dot11HESSID)
-# If set, this shall be identifical to one of the BSSIDs in the homogeneous
-# ESS and this shall be set to the same value across all BSSs in homogeneous
-# ESS.
-#hessid=02:03:04:05:06:07
-
-# Roaming Consortium List
-# Arbitrary number of Roaming Consortium OIs can be configured with each line
-# adding a new OI to the list. The first three entries are available through
-# Beacon and Probe Response frames. Any additional entry will be available only
-# through ANQP queries. Each OI is between 3 and 15 octets and is configured a
-# a hexstring.
-#roaming_consortium=021122
-#roaming_consortium=2233445566
-
-##### Multiple BSSID support ##################################################
-#
-# Above configuration is using the default interface (wlan#, or multi-SSID VLAN
-# interfaces). Other BSSIDs can be added by using separator 'bss' with
-# default interface name to be allocated for the data packets of the new BSS.
-#
-# hostapd will generate BSSID mask based on the BSSIDs that are
-# configured. hostapd will verify that dev_addr & MASK == dev_addr. If this is
-# not the case, the MAC address of the radio must be changed before starting
-# hostapd (ifconfig wlan0 hw ether <MAC addr>). If a BSSID is configured for
-# every secondary BSS, this limitation is not applied at hostapd and other
-# masks may be used if the driver supports them (e.g., swap the locally
-# administered bit)
-#
-# BSSIDs are assigned in order to each BSS, unless an explicit BSSID is
-# specified using the 'bssid' parameter.
-# If an explicit BSSID is specified, it must be chosen such that it:
-# - results in a valid MASK that covers it and the dev_addr
-# - is not the same as the MAC address of the radio
-# - is not the same as any other explicitly specified BSSID
-#
-# Please note that hostapd uses some of the values configured for the first BSS
-# as the defaults for the following BSSes. However, it is recommended that all
-# BSSes include explicit configuration of all relevant configuration items.
-#
-#bss=wlan0_0
-#ssid=test2
-# most of the above items can be used here (apart from radio interface specific
-# items, like channel)
-
-#bss=wlan0_1
-#bssid=00:13:10:95:fe:0b
-# ...
diff --git a/testing/tests/tnc/tnccs-11-supplicant/posttest.dat b/testing/tests/tnc/tnccs-11-supplicant/posttest.dat
deleted file mode 100644
index b55e0457c..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::killall wpa_supplicant
-dave::killall wpa_supplicant
-moon::killall hostapd
-alice::killall radiusd
-alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
diff --git a/testing/tests/tnc/tnccs-11-supplicant/pretest.dat b/testing/tests/tnc/tnccs-11-supplicant/pretest.dat
deleted file mode 100644
index 4dbff64a3..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-moon::hostapd -B /etc/hostapd/hostapd.conf
-carol::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0
-carol::sleep 4
-dave::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0
-dave::sleep 4
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/collector.sql b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/collector.sql
new file mode 100644
index 000000000..548c101e4
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/collector.sql
@@ -0,0 +1,39 @@
+/* SW Identifiers */
+
+INSERT INTO sw_identifiers (
+ name, package, version, source, installed
+) VALUES (
+ 'strongswan.org__Debian_DEBIAN_VERSION-x86_64-libutempter0-1.1.5', 'libutempter0', '1.1.5', 1, 0
+);
+
+INSERT INTO sw_identifiers (
+ name, package, version, source, installed
+) VALUES (
+ 'strongswan.org__Debian_DEBIAN_VERSION-x86_64-libevent-2.0-5-2.0.20', 'libevent-2.0-5', '2.0.20', 1, 0
+);
+
+INSERT INTO sw_identifiers (
+ name, package, version, source, installed
+) VALUES (
+ 'strongswan.org__Debian_DEBIAN_VERSION-x86_64-tmux-2.2', 'tmux', '2.2', 1, 0
+);
+
+/* SW Events */
+
+INSERT INTO sw_events (
+ eid, sw_id, action
+) VALUES (
+ 2, 1, 2
+);
+
+INSERT INTO sw_events (
+ eid, sw_id, action
+) VALUES (
+ 2, 2, 2
+);
+
+INSERT INTO sw_events (
+ eid, sw_id, action
+) VALUES (
+ 2, 3, 2
+);
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat
index c0049d7fd..5d0602c15 100644
--- a/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat
@@ -1,6 +1,7 @@
carol::ip route del 10.1.0.0/16 via 192.168.0.1
dave::ip route del 10.1.0.0/16 via 192.168.0.1
winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
+carol::rm /etc/pts/collector.sql
alice::systemctl stop strongswan-swanctl
alice::systemctl stop apache2
alice::rm /etc/swanctl/rsa/aaaKey.pem
diff --git a/testing/tests/tnc/tnccs-20-fhh/description.txt b/testing/tests/tnc/tnccs-20-fhh/description.txt
deleted file mode 100644
index 8bf1543d2..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/description.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
-using EAP-TTLS authentication only with the gateway presenting a server certificate and
-the clients doing EAP-MD5 password-based authentication.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
-compliant with <b>RFC 5793 PB-TNC</b>. The Dummy IMC and IMV from the
-<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
-<b>TNC@FHH</b></a> project are used which communicate over a proprietary protocol.
-<p>
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
-clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
-respectively.
-</p>
diff --git a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
deleted file mode 100644
index bf0732604..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Quarantined::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides: charon
-# Required-Start: $remote_fs $syslog
-# Required-Stop: $remote_fs $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: strongSwan charon IKE daemon
-# Description: with swanctl the strongSwan charon daemon must be
-# running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen <andreas.steffen@strongswa.org>
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
- # Return
- # 0 if daemon has been started
- # 1 if daemon was already running
- # 2 if daemon could not be started
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
- || return 1
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
- $DAEMON_ARGS \
- || return 2
- # Add code here, if necessary, that waits for the process to be ready
- # to handle requests from services started subsequently which depend
- # on this one. As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
- # Return
- # 0 if daemon has been stopped
- # 1 if daemon was already stopped
- # 2 if daemon could not be stopped
- # other if a failure occurred
- start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
- RETVAL="$?"
- [ "$RETVAL" = 2 ] && return 2
- # Wait for children to finish too if this is a daemon that forks
- # and if the daemon is only ever run from this initscript.
- # If the above conditions are not satisfied then add some other code
- # that waits for the process to drop all resources that could be
- # needed by services started subsequently. A last resort is to
- # sleep for some time.
- start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
- [ "$?" = 2 ] && return 2
- # Many daemons don't delete their pidfiles when they exit.
- rm -f $PIDFILE
- return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
- #
- # If the daemon can reload its configuration without
- # restarting (for example, when it is sent a SIGHUP),
- # then implement that here.
- #
- start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
- return 0
-}
-
-case "$1" in
- start)
- [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
- do_start
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- stop)
- [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- status)
- status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
- ;;
- #reload|force-reload)
- #
- # If do_reload() is not implemented then leave this commented out
- # and leave 'force-reload' as an alias for 'restart'.
- #
- #log_daemon_msg "Reloading $DESC" "$NAME"
- #do_reload
- #log_end_msg $?
- #;;
- restart|force-reload)
- #
- # If the "reload" option is implemented then remove the
- # 'force-reload' alias
- #
- log_daemon_msg "Restarting $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1)
- do_start
- case "$?" in
- 0) log_end_msg 0 ;;
- 1) log_end_msg 1 ;; # Old process is still running
- *) log_end_msg 1 ;; # Failed to start
- esac
- ;;
- *)
- # Failed to stop
- log_end_msg 1
- ;;
- esac
- ;;
- *)
- #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
- echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
- exit 3
- ;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index aa4934fb1..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-
- multiple_authentication = no
-
- syslog {
- daemon {
- tnc = 3
- imc = 2
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties
deleted file mode 100644
index b1c694107..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config
deleted file mode 100644
index 3ef780933..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides: charon
-# Required-Start: $remote_fs $syslog
-# Required-Stop: $remote_fs $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: strongSwan charon IKE daemon
-# Description: with swanctl the strongSwan charon daemon must be
-# running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen <andreas.steffen@strongswa.org>
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
- # Return
- # 0 if daemon has been started
- # 1 if daemon was already running
- # 2 if daemon could not be started
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
- || return 1
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
- $DAEMON_ARGS \
- || return 2
- # Add code here, if necessary, that waits for the process to be ready
- # to handle requests from services started subsequently which depend
- # on this one. As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
- # Return
- # 0 if daemon has been stopped
- # 1 if daemon was already stopped
- # 2 if daemon could not be stopped
- # other if a failure occurred
- start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
- RETVAL="$?"
- [ "$RETVAL" = 2 ] && return 2
- # Wait for children to finish too if this is a daemon that forks
- # and if the daemon is only ever run from this initscript.
- # If the above conditions are not satisfied then add some other code
- # that waits for the process to drop all resources that could be
- # needed by services started subsequently. A last resort is to
- # sleep for some time.
- start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
- [ "$?" = 2 ] && return 2
- # Many daemons don't delete their pidfiles when they exit.
- rm -f $PIDFILE
- return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
- #
- # If the daemon can reload its configuration without
- # restarting (for example, when it is sent a SIGHUP),
- # then implement that here.
- #
- start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
- return 0
-}
-
-case "$1" in
- start)
- [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
- do_start
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- stop)
- [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- status)
- status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
- ;;
- #reload|force-reload)
- #
- # If do_reload() is not implemented then leave this commented out
- # and leave 'force-reload' as an alias for 'restart'.
- #
- #log_daemon_msg "Reloading $DESC" "$NAME"
- #do_reload
- #log_end_msg $?
- #;;
- restart|force-reload)
- #
- # If the "reload" option is implemented then remove the
- # 'force-reload' alias
- #
- log_daemon_msg "Restarting $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1)
- do_start
- case "$?" in
- 0) log_end_msg 0 ;;
- 1) log_end_msg 1 ;; # Old process is still running
- *) log_end_msg 1 ;; # Failed to start
- esac
- ;;
- *)
- # Failed to stop
- log_end_msg 1
- ;;
- esac
- ;;
- *)
- #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
- echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
- exit 3
- ;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 8fc1c8729..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-
- multiple_authentication = no
- syslog {
- daemon {
- tnc = 3
- imc = 2
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index c20b5e57f..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-isolate \ No newline at end of file
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties
deleted file mode 100644
index b1c694107..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config
deleted file mode 100644
index 8eee8068a..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides: charon
-# Required-Start: $remote_fs $syslog
-# Required-Stop: $remote_fs $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: strongSwan charon IKE daemon
-# Description: with swanctl the strongSwan charon daemon must be
-# running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen <andreas.steffen@strongswa.org>
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
- # Return
- # 0 if daemon has been started
- # 1 if daemon was already running
- # 2 if daemon could not be started
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
- || return 1
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
- $DAEMON_ARGS \
- || return 2
- # Add code here, if necessary, that waits for the process to be ready
- # to handle requests from services started subsequently which depend
- # on this one. As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
- # Return
- # 0 if daemon has been stopped
- # 1 if daemon was already stopped
- # 2 if daemon could not be stopped
- # other if a failure occurred
- start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
- RETVAL="$?"
- [ "$RETVAL" = 2 ] && return 2
- # Wait for children to finish too if this is a daemon that forks
- # and if the daemon is only ever run from this initscript.
- # If the above conditions are not satisfied then add some other code
- # that waits for the process to drop all resources that could be
- # needed by services started subsequently. A last resort is to
- # sleep for some time.
- start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
- [ "$?" = 2 ] && return 2
- # Many daemons don't delete their pidfiles when they exit.
- rm -f $PIDFILE
- return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
- #
- # If the daemon can reload its configuration without
- # restarting (for example, when it is sent a SIGHUP),
- # then implement that here.
- #
- start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
- return 0
-}
-
-case "$1" in
- start)
- [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
- do_start
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- stop)
- [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- status)
- status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
- ;;
- #reload|force-reload)
- #
- # If do_reload() is not implemented then leave this commented out
- # and leave 'force-reload' as an alias for 'restart'.
- #
- #log_daemon_msg "Reloading $DESC" "$NAME"
- #do_reload
- #log_end_msg $?
- #;;
- restart|force-reload)
- #
- # If the "reload" option is implemented then remove the
- # 'force-reload' alias
- #
- log_daemon_msg "Restarting $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1)
- do_start
- case "$?" in
- 0) log_end_msg 0 ;;
- 1) log_end_msg 1 ;; # Old process is still running
- *) log_end_msg 1 ;; # Failed to start
- esac
- ;;
- *)
- # Failed to stop
- log_end_msg 1
- ;;
- esac
- ;;
- *)
- #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
- echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
- exit 3
- ;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4732fbd4b..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
-
- multiple_authentication = no
-
- syslog {
- daemon {
- tnc = 3
- imv = 2
- }
- }
- plugins {
- eap-ttls {
- phase2_method = md5
- phase2_piggyback = yes
- phase2_tnc = yes
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf
deleted file mode 100644
index 1238c1a91..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,64 +0,0 @@
-connections {
-
- rw-allow {
- local_addrs = 192.168.0.1
-
- local {
- auth = eap-ttls
- id = moon.strongswan.org
- }
- remote {
- auth = eap-ttls
- id = *@strongswan.org
- groups = allow
- }
- children {
- rw-allow {
- local_ts = 10.1.0.0/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-
- rw-isolate {
- local_addrs = 192.168.0.1
-
- local {
- auth = eap-ttls
- id = moon.strongswan.org
- }
- remote {
- auth = eap-ttls
- id = *@strongswan.org
- groups = isolate
- }
- children {
- rw-isolate {
- local_ts = 10.1.0.16/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-}
-
-secrets {
-
- eap-carol {
- id = carol@strongswan.org
- secret = "Ar3etTnp"
- }
- eap-dave {
- id = dave@strongswan.org
- secret = "W7R0g3do"
- }
-}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy
deleted file mode 100644
index d00491fd7..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy
deleted file mode 100644
index d8215dd3c..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy
+++ /dev/null
@@ -1,40 +0,0 @@
-#FTP - File Transfer Protocol
-TCP 20 = whatever
-TCP 21 = close
-
-#SSH - Secure Shell
-TCP 22 = whatever
-
-#Telnet
-TCP 23 = close
-
-#E-Mail
-#
-#SMTP - Simple Mail Transfer Protocol
-TCP 25 = close
-TCP 587 = close
-#POP3 - Post Office Protocol version 3
-TCP 110 = close
-TCP 995 = close
-
-#DNS - Domain Name System
-UDP 53 = close
-TCP 53 = close
-
-#BOOTP/DHCP - Bootstrap Protocol /
-#Dynamic Host Configuration Protocol
-UDP 67 = close
-#UDP 68 = open
-UDP 68 = whatever
-
-#www - World Wide Web
-#HTTP - Hypertext Transfer Protocol
-TCP 80 = close
-#HTTPS - Hypertext Transfer Protocol Secure
-TCP 443 = close
-
-#examples
-TCP 8080 = close
-TCP 5223 = whatever
-UDP 4444 = close
-UDP 631 = whatever
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties
deleted file mode 100644
index 122d798b3..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMV] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMV] %m%n
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config
deleted file mode 100644
index fa4324e38..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMV configuration file for strongSwan server
-
-IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf
index 4075f75bd..cd5056e83 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf
@@ -9,13 +9,7 @@ WSGIPythonPath /var/www/tnc
<Directory /var/www/tnc/config>
<Files wsgi.py>
- <IfModule mod_authz_core.c>
- Require all granted
- </IfModule>
- <IfModule !mod_authz_core.c>
- Order deny,allow
- Allow from all
- </IfModule>
+ Require all granted
</Files>
</Directory>
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default
deleted file mode 100644
index 1dc8b5688..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default
+++ /dev/null
@@ -1 +0,0 @@
-Include sites-available/000-default.conf \ No newline at end of file
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf
index 4075f75bd..cd5056e83 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf
@@ -9,13 +9,7 @@ WSGIPythonPath /var/www/tnc
<Directory /var/www/tnc/config>
<Files wsgi.py>
- <IfModule mod_authz_core.c>
- Require all granted
- </IfModule>
- <IfModule !mod_authz_core.c>
- Order deny,allow
- Allow from all
- </IfModule>
+ Require all granted
</Files>
</Directory>
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default
deleted file mode 100644
index 1dc8b5688..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default
+++ /dev/null
@@ -1 +0,0 @@
-Include sites-available/000-default.conf \ No newline at end of file