summaryrefslogtreecommitdiff
path: root/testing
diff options
context:
space:
mode:
Diffstat (limited to 'testing')
-rw-r--r--testing/Makefile.in5
-rw-r--r--testing/config/kernel/config-3.182165
-rw-r--r--testing/config/kernel/config-3.192181
-rw-r--r--testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissCert.derbin0 -> 2094 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissKey.derbin0 -> 1310 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/certs/rfc3779/0b5362afd8838bafb66c854732b490d5d8318261bin1190 -> 0 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/certs/rfc3779/35ef6b73537e090d3b09359bfee642eafa6192ebbin0 -> 1212 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/certs/rfc3779/533394399c61128c957881790d70511537798da1bin1212 -> 0 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/certs/rfc3779/6645da3911d7f86e5410b698e2a441f1e2e4491abin0 -> 1188 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/certs/rfc3779/6b5aec8fe9dcb8d0f707490abc84ab0890a7d2dabin1188 -> 0 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/certs/rfc3779/b8a73c3433f4e341cc7c4ae42989f0a23a956488bin1210 -> 0 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/certs/rfc3779/e2d52f0f42f61f786f1c570a4acc8fa8d72a329fbin0 -> 1210 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/certs/rfc3779/f22389d26d00a7ddb5ff61f3b2e66022b18b2e3dbin0 -> 1190 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/duck/duckCert.pem36
-rw-r--r--testing/hosts/winnetou/etc/openssl/duck/duckKey.pem50
-rw-r--r--testing/hosts/winnetou/etc/openssl/duck/index.txt2
-rw-r--r--testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem36
-rwxr-xr-xtesting/hosts/winnetou/etc/openssl/generate-crl4
-rw-r--r--testing/hosts/winnetou/etc/openssl/index.txt3
-rw-r--r--testing/hosts/winnetou/etc/openssl/index.txt.old3
-rw-r--r--testing/hosts/winnetou/etc/openssl/newcerts/32.pem25
-rw-r--r--testing/hosts/winnetou/etc/openssl/ocspCert.pem30
-rw-r--r--testing/hosts/winnetou/etc/openssl/ocspKey.pem50
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/index.txt3
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/index.txt.old3
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/newcerts/0A.pem23
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/serial2
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/serial.old2
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/.randbin1024 -> 1024 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/index.txt12
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old10
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/05.pem28
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/06.pem28
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/07.pem27
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/08.pem27
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf15
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/serial2
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/serial.old2
-rw-r--r--testing/hosts/winnetou/etc/openssl/serial2
-rw-r--r--testing/hosts/winnetou/etc/openssl/serial.old2
-rwxr-xr-xtesting/scripts/build-baseimage2
-rw-r--r--testing/scripts/recipes/013_strongswan.mk5
-rw-r--r--testing/tests/ha/both-active/description.txt4
-rw-r--r--testing/tests/ikev1/double-nat-net/evaltest.dat4
-rw-r--r--testing/tests/ikev1/double-nat/evaltest.dat4
-rw-r--r--testing/tests/ikev1/nat-rw/evaltest.dat8
-rwxr-xr-xtesting/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown93
-rw-r--r--testing/tests/ikev1/net2net-fragmentation/evaltest.dat4
-rw-r--r--testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem27
-rw-r--r--testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem27
-rw-r--r--testing/tests/ikev2/double-nat-net/evaltest.dat4
-rw-r--r--testing/tests/ikev2/double-nat/evaltest.dat4
-rw-r--r--testing/tests/ikev2/forecast/description.txt8
-rw-r--r--testing/tests/ikev2/forecast/evaltest.dat20
-rw-r--r--testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf16
-rw-r--r--testing/tests/ikev2/forecast/posttest.dat6
-rw-r--r--testing/tests/ikev2/forecast/pretest.dat7
-rw-r--r--testing/tests/ikev2/forecast/test.conf21
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/description.txt8
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/evaltest.dat7
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf17
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf18
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf17
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/posttest.dat5
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/pretest.dat11
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/test.conf21
-rw-r--r--testing/tests/ikev2/host2host-transport-nat/description.txt3
-rw-r--r--testing/tests/ikev2/host2host-transport-nat/evaltest.dat13
-rw-r--r--testing/tests/ikev2/host2host-transport-nat/pretest.dat1
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat8
-rw-r--r--testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem36
-rw-r--r--testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem50
-rw-r--r--testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem36
-rw-r--r--testing/tests/ikev2/nat-rw-mark/evaltest.dat4
-rwxr-xr-xtesting/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown300
-rw-r--r--testing/tests/ikev2/nat-rw-psk/evaltest.dat6
-rw-r--r--testing/tests/ikev2/nat-rw/evaltest.dat8
-rwxr-xr-xtesting/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown94
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/description.txt7
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/evaltest.dat9
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/posttest.dat5
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/pretest.dat6
-rw-r--r--[-rwxr-xr-x]testing/tests/ikev2/net2net-cert-sha2/test.conf (renamed from testing/tests/swanctl/net2net-cert-ipv6/test.conf)2
-rw-r--r--testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/net2net-fragmentation/evaltest.dat4
-rw-r--r--testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem36
-rw-r--r--testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem50
-rw-r--r--testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem36
-rw-r--r--testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem50
-rwxr-xr-xtesting/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown48
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt8
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat7
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf7
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat4
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat6
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf21
-rw-r--r--testing/tests/ikev2/reauth-mbb/description.txt7
-rw-r--r--testing/tests/ikev2/reauth-mbb/evaltest.dat7
-rw-r--r--testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf7
-rw-r--r--testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf19
-rw-r--r--testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/reauth-mbb/posttest.dat4
-rw-r--r--testing/tests/ikev2/reauth-mbb/pretest.dat6
-rw-r--r--testing/tests/ikev2/reauth-mbb/test.conf21
-rw-r--r--testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-dynamic/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat4
-rwxr-xr-xtesting/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown296
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/description.txt15
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/evaltest.dat26
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.derbin0 -> 2094 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.derbin0 -> 2172 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.derbin0 -> 1182 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf7
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.derbin0 -> 2094 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.derbin0 -> 2173 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.derbin0 -> 1310 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf7
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.derbin0 -> 2094 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.derbin0 -> 2190 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.derbin0 -> 1310 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf7
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/posttest.dat9
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/pretest.dat13
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/test.conf21
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-sig-auth/description.txt10
-rw-r--r--testing/tests/ikev2/rw-sig-auth/evaltest.dat20
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf29
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf29
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf30
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-sig-auth/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-sig-auth/pretest.dat12
-rw-r--r--testing/tests/ikev2/rw-sig-auth/test.conf26
-rw-r--r--testing/tests/ikev2/rw-whitelist/evaltest.dat4
-rw-r--r--testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem36
-rw-r--r--testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem50
-rw-r--r--testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem36
-rw-r--r--testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem50
-rw-r--r--testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem34
-rw-r--r--testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem50
-rw-r--r--testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem34
-rw-r--r--testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem50
-rw-r--r--testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem36
-rw-r--r--testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem50
-rwxr-xr-xtesting/tests/libipsec/host2host-cert/hosts/moon/etc/updown303
-rwxr-xr-xtesting/tests/libipsec/host2host-cert/hosts/sun/etc/updown303
-rwxr-xr-xtesting/tests/libipsec/net2net-3des/hosts/moon/etc/updown303
-rwxr-xr-xtesting/tests/libipsec/net2net-3des/hosts/sun/etc/updown303
-rwxr-xr-xtesting/tests/libipsec/net2net-cert/hosts/moon/etc/updown303
-rwxr-xr-xtesting/tests/libipsec/net2net-cert/hosts/sun/etc/updown303
-rw-r--r--testing/tests/libipsec/rw-suite-b/evaltest.dat6
-rwxr-xr-xtesting/tests/libipsec/rw-suite-b/hosts/carol/etc/updown311
-rwxr-xr-xtesting/tests/libipsec/rw-suite-b/hosts/dave/etc/updown311
-rwxr-xr-xtesting/tests/libipsec/rw-suite-b/hosts/moon/etc/updown311
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem27
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem27
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat4
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf1
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat8
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat2
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat2
-rw-r--r--testing/tests/sql/rw-eap-aka-rsa/evaltest.dat2
-rw-r--r--testing/tests/sql/rw-psk-rsa-split/evaltest.dat2
-rwxr-xr-xtesting/tests/swanctl/net2net-cert-ipv6/description.txt6
-rwxr-xr-xtesting/tests/swanctl/net2net-cert-ipv6/evaltest.dat5
-rwxr-xr-xtesting/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf15
-rwxr-xr-xtesting/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf35
-rwxr-xr-xtesting/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf15
-rwxr-xr-xtesting/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf35
-rwxr-xr-xtesting/tests/swanctl/net2net-cert-ipv6/posttest.dat11
-rwxr-xr-xtesting/tests/swanctl/net2net-cert-ipv6/pretest.dat16
-rw-r--r--testing/tests/tkm/host2host-initiator/evaltest.dat4
-rw-r--r--testing/tests/tkm/host2host-xfrmproxy/evaltest.dat1
-rw-r--r--testing/tests/tkm/multiple-clients/evaltest.dat3
-rw-r--r--testing/tests/tkm/net2net-xfrmproxy/evaltest.dat1
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/description.txt6
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/evaltest.dat22
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf8
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/moonKey.derbin0 -> 1191 bytes
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/strongswanCert.derbin0 -> 956 bytes
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf21
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf21
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/posttest.dat5
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/pretest.dat12
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/test.conf21
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/evaltest.dat4
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat4
-rw-r--r--testing/tests/tnc/tnccs-11-radius/evaltest.dat4
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/description.txt10
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/evaltest.dat10
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf26
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf34
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets6
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/posttest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/pretest.dat12
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/test.conf26
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/description.txt9
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat5
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf15
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf34
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets6
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf28
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/posttest.dat4
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/pretest.dat8
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/test.conf26
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/description.txt3
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat11
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf26
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf28
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat4
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/test.conf21
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt3
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf3
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options8
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf16
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf9
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf28
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat1
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat4
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf21
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat4
290 files changed, 7916 insertions, 3307 deletions
diff --git a/testing/Makefile.in b/testing/Makefile.in
index c151a87d3..b66c2be76 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -142,6 +142,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -202,10 +203,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -279,6 +282,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/testing/config/kernel/config-3.18 b/testing/config/kernel/config-3.18
new file mode 100644
index 000000000..345d4f52f
--- /dev/null
+++ b/testing/config/kernel/config-3.18
@@ -0,0 +1,2165 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 3.18.0 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_PERF_EVENTS_INTEL_UNCORE=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_FIX_EARLYCON_MEM=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+# CONFIG_COMPILE_TEST is not set
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_HAVE_KERNEL_LZ4=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_CROSS_MEMORY_ATTACH=y
+# CONFIG_FHANDLE is not set
+CONFIG_USELIB=y
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_GENERIC_IRQ_LEGACY_ALLOC_HWIRQ=y
+CONFIG_IRQ_DOMAIN=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+# CONFIG_TASKS_RCU is not set
+# CONFIG_RCU_STALL_COMMON is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_BUILD_BIN2C=y
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_SUPPORTS_INT128=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BPF=y
+# CONFIG_EXPERT is not set
+CONFIG_SGETMASK_SYSCALL=y
+CONFIG_SYSFS_SYSCALL=y
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+# CONFIG_BPF_SYSCALL is not set
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_ADVISE_SYSCALLS=y
+CONFIG_PCI_QUIRKS=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+# CONFIG_UPROBES is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_HAVE_DMA_CONTIGUOUS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_CC_STACKPROTECTOR=y
+CONFIG_CC_STACKPROTECTOR=y
+# CONFIG_CC_STACKPROTECTOR_NONE is not set
+CONFIG_CC_STACKPROTECTOR_REGULAR=y
+# CONFIG_CC_STACKPROTECTOR_STRONG is not set
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+# CONFIG_BLK_CMDLINE_PARSER is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
+CONFIG_ARCH_USE_QUEUE_RWLOCK=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_FEATURE_NAMES=y
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_GOLDFISH is not set
+# CONFIG_X86_INTEL_LPSS is not set
+CONFIG_IOSF_MBI=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+# CONFIG_HYPERVISOR_GUEST is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+CONFIG_X86_16BIT=y
+CONFIG_X86_ESPFIX64=y
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_MICROCODE_INTEL_EARLY is not set
+# CONFIG_MICROCODE_AMD_EARLY is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
+CONFIG_MEMORY_BALLOON=y
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_CMA is not set
+# CONFIG_ZPOOL is not set
+# CONFIG_ZBUD is not set
+# CONFIG_ZSMALLOC is not set
+CONFIG_GENERIC_EARLY_IOREMAP=y
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y
+CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set
+CONFIG_HAVE_ACPI_APEI=y
+CONFIG_HAVE_ACPI_APEI_NMI=y
+# CONFIG_ACPI_APEI is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+
+#
+# CPU Idle
+#
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+# CONFIG_PCI_IOAPIC is not set
+CONFIG_PCI_LABEL=y
+
+#
+# PCI host controller drivers
+#
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+# CONFIG_X86_SYSFB is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_PMC_ATOM=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+CONFIG_NET_IP_TUNNEL=y
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_NET_UDP_TUNNEL=y
+# CONFIG_NET_FOU is not set
+# CONFIG_GENEVE is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_VTI is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NET_PTP_CLASSIFY is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_LOG_COMMON=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+# CONFIG_NF_TABLES is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_L2TP=y
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+# CONFIG_IP_SET_HASH_IPMARK is not set
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+# CONFIG_IP_SET_HASH_MAC is not set
+# CONFIG_IP_SET_HASH_NETPORTNET is not set
+CONFIG_IP_SET_HASH_NET=y
+# CONFIG_IP_SET_HASH_NETNET is not set
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+# CONFIG_NF_LOG_ARP is not set
+CONFIG_NF_LOG_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_NF_NAT_MASQUERADE_IPV4=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+# CONFIG_IP_NF_TARGET_SYNPROXY is not set
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_NF_REJECT_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_NF_NAT_MASQUERADE_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+# CONFIG_IP6_NF_TARGET_SYNPROXY is not set
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+# CONFIG_IP6_NF_NAT is not set
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_6LOWPAN is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_MMAP is not set
+# CONFIG_NETLINK_DIAG is not set
+# CONFIG_NET_MPLS_GSO is not set
+# CONFIG_HSR is not set
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER=y
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set
+CONFIG_ALLOW_DEV_COREDUMP=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+CONFIG_GENERIC_CPU_AUTOPROBE=y
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_NULL_BLK is not set
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SKD is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_SRAM is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+# CONFIG_VMWARE_VMCI is not set
+
+#
+# Intel MIC Bus Driver
+#
+# CONFIG_INTEL_MIC_BUS is not set
+
+#
+# Intel MIC Host Driver
+#
+
+#
+# Intel MIC Card Driver
+#
+# CONFIG_GENWQE is not set
+# CONFIG_ECHO is not set
+# CONFIG_CXL_BASE is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_NLMON is not set
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+# CONFIG_VHOST_NET is not set
+
+#
+# Distributed Switch Architecture drivers
+#
+# CONFIG_NET_DSA_MV88E6XXX is not set
+# CONFIG_NET_DSA_MV88E6060 is not set
+# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set
+# CONFIG_NET_DSA_MV88E6131 is not set
+# CONFIG_NET_DSA_MV88E6123_61_65 is not set
+# CONFIG_NET_DSA_MV88E6171 is not set
+# CONFIG_NET_DSA_BCM_SF2 is not set
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_AGERE=y
+# CONFIG_ET131X is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+# CONFIG_ALTERA_TSE is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+# CONFIG_NET_XGENE is not set
+# CONFIG_NET_VENDOR_ARC is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_CX_ECAT is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+# CONFIG_I40E is not set
+# CONFIG_I40EVF is not set
+# CONFIG_FM10K is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+# CONFIG_MLX5_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_QUALCOMM=y
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SAMSUNG=y
+# CONFIG_SXGBE_ETH is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC911X is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+
+#
+# Host-side USB support is needed for USB Network Adapter support
+#
+CONFIG_WLAN=y
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_XILLYBUS is not set
+
+#
+# I2C support
+#
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_SPMI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_APPLESMC is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_NCT6683 is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_BANG_BANG is not set
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+# CONFIG_INTEL_SOC_DTS_THERMAL is not set
+# CONFIG_INT340X_THERMAL is not set
+
+#
+# Texas Instruments thermal drivers
+#
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_KEMPLD is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+
+#
+# Direct Rendering Manager
+#
+# CONFIG_DRM is not set
+
+#
+# Frame buffer Devices
+#
+# CONFIG_FB is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+# CONFIG_VGASTATE is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=y
+# CONFIG_HID_ACRUX is not set
+CONFIG_HID_APPLE=y
+# CONFIG_HID_AUREAL is not set
+CONFIG_HID_BELKIN=y
+CONFIG_HID_CHERRY=y
+CONFIG_HID_CHICONY=y
+CONFIG_HID_CYPRESS=y
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+CONFIG_HID_EZKEY=y
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_UCLOGIC is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+# CONFIG_HID_TWINHAN is not set
+CONFIG_HID_KENSINGTON=y
+# CONFIG_HID_LCPOWER is not set
+# CONFIG_HID_LENOVO is not set
+CONFIG_HID_LOGITECH=y
+# CONFIG_LOGITECH_FF is not set
+# CONFIG_LOGIRUMBLEPAD2_FF is not set
+# CONFIG_LOGIG940_FF is not set
+# CONFIG_LOGIWHEELS_FF is not set
+# CONFIG_HID_MAGICMOUSE is not set
+CONFIG_HID_MICROSOFT=y
+CONFIG_HID_MONTEREY=y
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_RMI is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_WACOM is not set
+# CONFIG_HID_XINMO is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+CONFIG_USB_OHCI_LITTLE_ENDIAN=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# USB port drivers
+#
+
+#
+# USB Physical Layer drivers
+#
+# CONFIG_USB_PHY is not set
+# CONFIG_NOP_USB_XCEIV is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+CONFIG_RTC_LIB=y
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+# CONFIG_VIRT_DRIVERS is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_DELL_SMO8800 is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_HP_WIRELESS is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_TOSHIBA_HAPS is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_INTEL_RST is not set
+# CONFIG_INTEL_SMARTCONNECT is not set
+# CONFIG_PVPANIC is not set
+# CONFIG_CHROME_PLATFORMS is not set
+
+#
+# SOC (System On Chip) specific Drivers
+#
+# CONFIG_SOC_TI is not set
+
+#
+# Hardware Spinlock drivers
+#
+
+#
+# Clock Source drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_ATMEL_PIT is not set
+# CONFIG_SH_TIMER_CMT is not set
+# CONFIG_SH_TIMER_MTU2 is not set
+# CONFIG_SH_TIMER_TMU is not set
+# CONFIG_EM_TIMER_STI is not set
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers
+#
+
+#
+# SOC (System On Chip) specific Drivers
+#
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+# CONFIG_FMC is not set
+
+#
+# PHY Subsystem
+#
+# CONFIG_GENERIC_PHY is not set
+# CONFIG_BCM_KONA_USB2_PHY is not set
+# CONFIG_POWERCAP is not set
+# CONFIG_MCB is not set
+# CONFIG_THUNDERBOLT is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+# CONFIG_OVERLAY_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_KERNFS=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+# CONFIG_F2FS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+# CONFIG_9P_FS_SECURITY is not set
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+
+#
+# printk and dmesg options
+#
+# CONFIG_PRINTK_TIME is not set
+CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# Compile-time checks and compiler options
+#
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_INFO_SPLIT is not set
+# CONFIG_DEBUG_INFO_DWARF4 is not set
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_MAGIC_SYSRQ is not set
+CONFIG_DEBUG_KERNEL=y
+
+#
+# Memory Debugging
+#
+# CONFIG_DEBUG_PAGEALLOC is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_DEBUG_SHIRQ is not set
+
+#
+# Debug Lockups and Hangs
+#
+# CONFIG_LOCKUP_DETECTOR is not set
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_PANIC_TIMEOUT=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_SCHED_STACK_END_CHECK is not set
+# CONFIG_TIMER_STATS is not set
+
+#
+# Lock Debugging (spinlocks, mutexes, etc...)
+#
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_LOCK_TORTURE_TEST is not set
+# CONFIG_STACKTRACE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_DEBUG_PI_LIST is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_TORTURE_TEST is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_TRACEPOINT_BENCHMARK is not set
+
+#
+# Runtime Testing
+#
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_RBTREE_TEST is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_TEST_RHASHTABLE is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_TEST_FIRMWARE is not set
+# CONFIG_TEST_UDELAY is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+CONFIG_DOUBLEFAULT=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+# CONFIG_CRYPTO_MCRYPTD is not set
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+# CONFIG_CRYPTO_CRCT10DIF is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+# CONFIG_CRYPTO_SHA1_MB is not set
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_LZ4=y
+CONFIG_CRYPTO_LZ4HC=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+# CONFIG_CRYPTO_DRBG_MENU is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_NET_UTILS=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
+CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
+# CONFIG_RANDOM32_SELFTEST is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_LZ4_COMPRESS=y
+CONFIG_LZ4HC_COMPRESS=y
+CONFIG_LZ4_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT_MAP=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+CONFIG_AVERAGE=y
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
+CONFIG_ARCH_HAS_SG_CHAIN=y
diff --git a/testing/config/kernel/config-3.19 b/testing/config/kernel/config-3.19
new file mode 100644
index 000000000..8520b3155
--- /dev/null
+++ b/testing/config/kernel/config-3.19
@@ -0,0 +1,2181 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 3.19.0 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_PERF_EVENTS_INTEL_UNCORE=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_FIX_EARLYCON_MEM=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+# CONFIG_COMPILE_TEST is not set
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_HAVE_KERNEL_LZ4=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_CROSS_MEMORY_ATTACH=y
+# CONFIG_FHANDLE is not set
+CONFIG_USELIB=y
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_GENERIC_IRQ_LEGACY_ALLOC_HWIRQ=y
+CONFIG_IRQ_DOMAIN=y
+CONFIG_GENERIC_MSI_IRQ=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_TASKS_RCU is not set
+# CONFIG_RCU_STALL_COMMON is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_BUILD_BIN2C=y
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_SUPPORTS_INT128=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_INIT_FALLBACK=y
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BPF=y
+# CONFIG_EXPERT is not set
+CONFIG_SGETMASK_SYSCALL=y
+CONFIG_SYSFS_SYSCALL=y
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+# CONFIG_BPF_SYSCALL is not set
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_ADVISE_SYSCALLS=y
+CONFIG_PCI_QUIRKS=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+# CONFIG_UPROBES is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_HAVE_DMA_CONTIGUOUS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_CC_STACKPROTECTOR=y
+CONFIG_CC_STACKPROTECTOR=y
+# CONFIG_CC_STACKPROTECTOR_NONE is not set
+CONFIG_CC_STACKPROTECTOR_REGULAR=y
+# CONFIG_CC_STACKPROTECTOR_STRONG is not set
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
+
+#
+# GCOV-based kernel profiling
+#
+CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+# CONFIG_BLK_CMDLINE_PARSER is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
+CONFIG_ARCH_USE_QUEUE_RWLOCK=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_FEATURE_NAMES=y
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_GOLDFISH is not set
+# CONFIG_X86_INTEL_LPSS is not set
+CONFIG_IOSF_MBI=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+# CONFIG_HYPERVISOR_GUEST is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_UP_APIC_MSI=y
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+CONFIG_X86_16BIT=y
+CONFIG_X86_ESPFIX64=y
+CONFIG_X86_VSYSCALL_EMULATION=y
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_MICROCODE_INTEL_EARLY is not set
+# CONFIG_MICROCODE_AMD_EARLY is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
+CONFIG_MEMORY_BALLOON=y
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_CMA is not set
+# CONFIG_ZPOOL is not set
+# CONFIG_ZBUD is not set
+# CONFIG_ZSMALLOC is not set
+CONFIG_GENERIC_EARLY_IOREMAP=y
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_X86_INTEL_MPX is not set
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y
+CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set
+CONFIG_HAVE_ACPI_APEI=y
+CONFIG_HAVE_ACPI_APEI_NMI=y
+# CONFIG_ACPI_APEI is not set
+# CONFIG_PMIC_OPREGION is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+
+#
+# CPU Idle
+#
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+CONFIG_PCI_LABEL=y
+
+#
+# PCI host controller drivers
+#
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+# CONFIG_X86_SYSFB is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_PMC_ATOM=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+CONFIG_NET_IP_TUNNEL=y
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_NET_UDP_TUNNEL=y
+# CONFIG_NET_FOU is not set
+# CONFIG_GENEVE is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_VTI is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NET_PTP_CLASSIFY is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_LOG_COMMON=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+CONFIG_NF_NAT_REDIRECT=y
+# CONFIG_NF_TABLES is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_L2TP=y
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+# CONFIG_IP_SET_HASH_IPMARK is not set
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+# CONFIG_IP_SET_HASH_MAC is not set
+# CONFIG_IP_SET_HASH_NETPORTNET is not set
+CONFIG_IP_SET_HASH_NET=y
+# CONFIG_IP_SET_HASH_NETNET is not set
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+# CONFIG_NF_LOG_ARP is not set
+CONFIG_NF_LOG_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_NF_NAT_MASQUERADE_IPV4=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+# CONFIG_IP_NF_TARGET_SYNPROXY is not set
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_NF_REJECT_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_NF_NAT_MASQUERADE_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+# CONFIG_IP6_NF_TARGET_SYNPROXY is not set
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+# CONFIG_IP6_NF_NAT is not set
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_6LOWPAN is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_MMAP is not set
+# CONFIG_NETLINK_DIAG is not set
+# CONFIG_NET_MPLS_GSO is not set
+# CONFIG_HSR is not set
+# CONFIG_NET_SWITCHDEV is not set
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER=y
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set
+CONFIG_ALLOW_DEV_COREDUMP=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+CONFIG_GENERIC_CPU_AUTOPROBE=y
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_NULL_BLK is not set
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SKD is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_SRAM is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+# CONFIG_VMWARE_VMCI is not set
+
+#
+# Intel MIC Bus Driver
+#
+# CONFIG_INTEL_MIC_BUS is not set
+
+#
+# Intel MIC Host Driver
+#
+
+#
+# Intel MIC Card Driver
+#
+# CONFIG_GENWQE is not set
+# CONFIG_ECHO is not set
+# CONFIG_CXL_BASE is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_IPVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_NLMON is not set
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+# CONFIG_VHOST_NET is not set
+
+#
+# Distributed Switch Architecture drivers
+#
+# CONFIG_NET_DSA_MV88E6XXX is not set
+# CONFIG_NET_DSA_MV88E6060 is not set
+# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set
+# CONFIG_NET_DSA_MV88E6131 is not set
+# CONFIG_NET_DSA_MV88E6123_61_65 is not set
+# CONFIG_NET_DSA_MV88E6171 is not set
+# CONFIG_NET_DSA_MV88E6352 is not set
+# CONFIG_NET_DSA_BCM_SF2 is not set
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_AGERE=y
+# CONFIG_ET131X is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+# CONFIG_ALTERA_TSE is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+# CONFIG_NET_XGENE is not set
+# CONFIG_NET_VENDOR_ARC is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BCMGENET is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_CX_ECAT is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+# CONFIG_I40E is not set
+# CONFIG_I40EVF is not set
+# CONFIG_FM10K is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+# CONFIG_MLX5_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_QUALCOMM=y
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_ROCKER=y
+CONFIG_NET_VENDOR_SAMSUNG=y
+# CONFIG_SXGBE_ETH is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC911X is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+
+#
+# Host-side USB support is needed for USB Network Adapter support
+#
+CONFIG_WLAN=y
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_XILLYBUS is not set
+
+#
+# I2C support
+#
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_SPMI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_APPLESMC is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_I5500 is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_NCT6683 is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_BANG_BANG is not set
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+# CONFIG_INTEL_SOC_DTS_THERMAL is not set
+# CONFIG_INT340X_THERMAL is not set
+
+#
+# Texas Instruments thermal drivers
+#
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_KEMPLD is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+
+#
+# Direct Rendering Manager
+#
+# CONFIG_DRM is not set
+
+#
+# Frame buffer Devices
+#
+# CONFIG_FB is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+# CONFIG_VGASTATE is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=y
+# CONFIG_HID_ACRUX is not set
+CONFIG_HID_APPLE=y
+# CONFIG_HID_AUREAL is not set
+CONFIG_HID_BELKIN=y
+CONFIG_HID_CHERRY=y
+CONFIG_HID_CHICONY=y
+CONFIG_HID_CYPRESS=y
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+CONFIG_HID_EZKEY=y
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_UCLOGIC is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+# CONFIG_HID_TWINHAN is not set
+CONFIG_HID_KENSINGTON=y
+# CONFIG_HID_LCPOWER is not set
+# CONFIG_HID_LENOVO is not set
+CONFIG_HID_LOGITECH=y
+# CONFIG_HID_LOGITECH_HIDPP is not set
+# CONFIG_LOGITECH_FF is not set
+# CONFIG_LOGIRUMBLEPAD2_FF is not set
+# CONFIG_LOGIG940_FF is not set
+# CONFIG_LOGIWHEELS_FF is not set
+# CONFIG_HID_MAGICMOUSE is not set
+CONFIG_HID_MICROSOFT=y
+CONFIG_HID_MONTEREY=y
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+CONFIG_HID_PLANTRONICS=y
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_RMI is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_WACOM is not set
+# CONFIG_HID_XINMO is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+CONFIG_USB_OHCI_LITTLE_ENDIAN=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# USB port drivers
+#
+
+#
+# USB Physical Layer drivers
+#
+# CONFIG_USB_PHY is not set
+# CONFIG_NOP_USB_XCEIV is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+CONFIG_RTC_LIB=y
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+# CONFIG_VIRT_DRIVERS is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_DELL_SMO8800 is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_HP_WIRELESS is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_TOSHIBA_HAPS is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_INTEL_RST is not set
+# CONFIG_INTEL_SMARTCONNECT is not set
+# CONFIG_PVPANIC is not set
+# CONFIG_CHROME_PLATFORMS is not set
+
+#
+# Hardware Spinlock drivers
+#
+
+#
+# Clock Source drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_ATMEL_PIT is not set
+# CONFIG_SH_TIMER_CMT is not set
+# CONFIG_SH_TIMER_MTU2 is not set
+# CONFIG_SH_TIMER_TMU is not set
+# CONFIG_EM_TIMER_STI is not set
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers
+#
+
+#
+# SOC (System On Chip) specific Drivers
+#
+# CONFIG_SOC_TI is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+# CONFIG_FMC is not set
+
+#
+# PHY Subsystem
+#
+# CONFIG_GENERIC_PHY is not set
+# CONFIG_BCM_KONA_USB2_PHY is not set
+# CONFIG_POWERCAP is not set
+# CONFIG_MCB is not set
+# CONFIG_THUNDERBOLT is not set
+
+#
+# Android
+#
+# CONFIG_ANDROID is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+# CONFIG_OVERLAY_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_KERNFS=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+# CONFIG_F2FS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+# CONFIG_9P_FS_SECURITY is not set
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+
+#
+# printk and dmesg options
+#
+# CONFIG_PRINTK_TIME is not set
+CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# Compile-time checks and compiler options
+#
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_INFO_SPLIT is not set
+# CONFIG_DEBUG_INFO_DWARF4 is not set
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_PAGE_OWNER is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_MAGIC_SYSRQ is not set
+CONFIG_DEBUG_KERNEL=y
+
+#
+# Memory Debugging
+#
+# CONFIG_PAGE_EXTENSION is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_DEBUG_SHIRQ is not set
+
+#
+# Debug Lockups and Hangs
+#
+# CONFIG_LOCKUP_DETECTOR is not set
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_PANIC_TIMEOUT=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_SCHED_STACK_END_CHECK is not set
+# CONFIG_TIMER_STATS is not set
+
+#
+# Lock Debugging (spinlocks, mutexes, etc...)
+#
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_LOCK_TORTURE_TEST is not set
+# CONFIG_STACKTRACE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_DEBUG_PI_LIST is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_TORTURE_TEST is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_TRACEPOINT_BENCHMARK is not set
+
+#
+# Runtime Testing
+#
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_RBTREE_TEST is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_TEST_RHASHTABLE is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_TEST_FIRMWARE is not set
+# CONFIG_TEST_UDELAY is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+CONFIG_DOUBLEFAULT=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+# CONFIG_CRYPTO_MCRYPTD is not set
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+# CONFIG_CRYPTO_CRCT10DIF is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+# CONFIG_CRYPTO_SHA1_MB is not set
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_LZ4=y
+CONFIG_CRYPTO_LZ4HC=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+# CONFIG_CRYPTO_DRBG_MENU is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_NET_UTILS=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
+CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
+# CONFIG_RANDOM32_SELFTEST is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_LZ4_COMPRESS=y
+CONFIG_LZ4HC_COMPRESS=y
+CONFIG_LZ4_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT_MAP=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+CONFIG_AVERAGE=y
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
+CONFIG_ARCH_HAS_SG_CHAIN=y
diff --git a/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissCert.der b/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissCert.der
new file mode 100644
index 000000000..cbc7e09c1
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissCert.der
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissKey.der b/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissKey.der
new file mode 100644
index 000000000..76cafc198
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissKey.der
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/0b5362afd8838bafb66c854732b490d5d8318261 b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/0b5362afd8838bafb66c854732b490d5d8318261
deleted file mode 100644
index c98775369..000000000
--- a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/0b5362afd8838bafb66c854732b490d5d8318261
+++ /dev/null
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/35ef6b73537e090d3b09359bfee642eafa6192eb b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/35ef6b73537e090d3b09359bfee642eafa6192eb
new file mode 100644
index 000000000..016c4125d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/35ef6b73537e090d3b09359bfee642eafa6192eb
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/533394399c61128c957881790d70511537798da1 b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/533394399c61128c957881790d70511537798da1
deleted file mode 100644
index 0f2a0ec8d..000000000
--- a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/533394399c61128c957881790d70511537798da1
+++ /dev/null
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6645da3911d7f86e5410b698e2a441f1e2e4491a b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6645da3911d7f86e5410b698e2a441f1e2e4491a
new file mode 100644
index 000000000..1a40299f2
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6645da3911d7f86e5410b698e2a441f1e2e4491a
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6b5aec8fe9dcb8d0f707490abc84ab0890a7d2da b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6b5aec8fe9dcb8d0f707490abc84ab0890a7d2da
deleted file mode 100644
index 489030d9f..000000000
--- a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6b5aec8fe9dcb8d0f707490abc84ab0890a7d2da
+++ /dev/null
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/b8a73c3433f4e341cc7c4ae42989f0a23a956488 b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/b8a73c3433f4e341cc7c4ae42989f0a23a956488
deleted file mode 100644
index 863f65237..000000000
--- a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/b8a73c3433f4e341cc7c4ae42989f0a23a956488
+++ /dev/null
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/e2d52f0f42f61f786f1c570a4acc8fa8d72a329f b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/e2d52f0f42f61f786f1c570a4acc8fa8d72a329f
new file mode 100644
index 000000000..49f4ad719
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/e2d52f0f42f61f786f1c570a4acc8fa8d72a329f
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/f22389d26d00a7ddb5ff61f3b2e66022b18b2e3d b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/f22389d26d00a7ddb5ff61f3b2e66022b18b2e3d
new file mode 100644
index 000000000..267516b0c
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/f22389d26d00a7ddb5ff61f3b2e66022b18b2e3d
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/duck/duckCert.pem b/testing/hosts/winnetou/etc/openssl/duck/duckCert.pem
index bb205a0fd..2076242cc 100644
--- a/testing/hosts/winnetou/etc/openssl/duck/duckCert.pem
+++ b/testing/hosts/winnetou/etc/openssl/duck/duckCert.pem
@@ -1,23 +1,23 @@
-----BEGIN CERTIFICATE-----
-MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MIID0jCCArqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw
-M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MTEyODIyMDcwOFoXDTE5MDQwMTIyMDcw
+OFowVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu
-MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa
-ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO
-UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD
-h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY
-i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB
-o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2
-KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu984h2mkpbWJZc9Ydka6jC84EkPz
+w6tqtEkIdftEawgc5gvlC80JXLTwnQySMTb49KByyt44S59ZWE6SHHV0u2P2ihiw
+1duoY7NE+RZwODEsWVgnDRZmyume2Bj+Hpkugm6o+rL7jiGxhvNLeoFZK3RyD6IR
+IcEfZeAv7URGz7xdrzmK/vWXukfEnU8DlrFDSQUb3NaJS5tVVVLFuTWQBSjuT3NX
+7mdNHnpjcwT9/ruyOaNQ0DV2Bgz1nCiOup+oW396/AInb03CQ+wIqQpB9reWma0w
+F0Bc9lZxnv9ppYgBPsOTjE3yyyeTptzk9Gw+DFV1cw8Crm+aew5VH18oEwIDAQAB
+o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBSK
+cODKpRxkbyuSuXNcAayQG/35NTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF
-AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv
-YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx
-rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C
-1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5
-wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v
-DSlBqDpnqK8tEI9V9YeroihTcygrEg==
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDANBgkqhkiG9w0BAQsF
+AAOCAQEAMtm7ldvd45818Ghl8+Z7PfCnRXDPbikyCJn5PXkuR3TSB62ekJSGT1Rd
+i2rnDoIZpfSzDQSpKH616MuWtwJoomJh8n9wCzbdUv1sn1cfgjDSkgLqIbm/Xpc4
+zUcHnZFdwvMr3sq/xSO/SgkfgTHi8bFLLp2RQwPNsNycT94nNE7DRjSeRenpuEPM
+4t4xIZCoUyX3sdusHvh+dDu4iuIVQoM0zaW9p7pVh210ALt0jac3HW0rQXtbfchE
+VeuDLZ0G7baFZ9LLLWpuQB4zPRUET7puvzabsf+sHpO54y+zXRaB0tbiFIurt4gF
+5n7mN4ssNQdcD86W5lnI9pT5s1uvdw==
-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/duck/duckKey.pem b/testing/hosts/winnetou/etc/openssl/duck/duckKey.pem
index 5fff90708..a5b46cc6c 100644
--- a/testing/hosts/winnetou/etc/openssl/duck/duckKey.pem
+++ b/testing/hosts/winnetou/etc/openssl/duck/duckKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNuMfyRDsc7m1KRDVt8N4h/
-EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKaub5AgsRa2fOOR9xfyf0Q
-7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsOUHOJAPZNoGPey5UL9Zjj
-sN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKDh/pliP7uZANd0ZpPcrIc
-68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeYi9wFLnS2tgV3ID4LzEEI
-CSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQABAoIBADfb0r6cpnRsnSKF
-5RBfReyu6vo4GB0lNGSeRqFRgivU+vMoiG2S58t7AQi2FyTNYbNDFdh31LS8WLbI
-OkWv2HehijN4FO4pqmI9JtSHnbLNJEHEizDBTASLz/9irisX3HCXMVORh4oEb2Ko
-QdmulOjePSJDZbLv6H/JI0bpYsgiAw26KEoB8cnHwiApF69a4uPJA6gW98nsabyq
-9NQVW5QAmUFDnzA6upFRBUeBBpufYMvP82zfntFx72yLBmXgBnyZW23WwZfQZSzw
-FChhl40mwykOE8jpeGgxmdWyPc29roF+kuvaOUaSF2nmyl4qhLCISdr0eHXHAGDH
-2RjVJ6ECgYEA0YW38d4309J1QegK5vhPWehnxpZHpK86DENevYaS7zRcCu1BRZc0
-aBAceTYCZHYofOWmeIns0qtMfzzuemPCiOZWy9VYgJrJ0YkmNin3DM1/13pWiKqn
-EkQCFa6K5AiB0umTOwJoAHlJYlJ2k4bw7Rm/LtiHC2fnRq2KJeKmg60CgYEAyP30
-5D8sUkih9rRfZRHAPo0x1qJpJQC+cFUBMIuOXFIz37TqbZcGDkRRb+ewywNxT73t
-TfVDvR7tD3cYTi78dVz539Dwl9mt10QLGsQJ4825uY/LQqUe8F2qz+E3lWqoo+yJ
-WlTAqbHI2a4g4CjFC4/+i6lKQ+NpmJLZIPz3HAUCgYEAiduy4Ti2gPAb6OZ1re05
-wM1y4q5kq04EIqd9QbS3Hx7TZPkgllpbyBC5u2M3BcTc9PjhpLQTl7XQGnQL8YmM
-KSlteKaCmfO+0NitxLut6sWX1T6Qi1HFpfYLbRqwFkQmr5CyKAR4S7+B8miRzpXe
-FhN3wKoFiRKvkMiEelL7/u0CgYEAnh4TWsBL+MuFBxTs+xDU4SCotYZ9GwwTxUFK
-N0uCiiRtBK9JwT8PF4gtXNCzZ3Jk4Ou0VSD+0jgTHJh/eXpDR30GYkn4DC3GMdQo
-vDy+3wSH+HAj4mEODuBRMUqnNJd85cB+aZ7FFnpzXLQ8zrukEC2OfYaHkxLDjrDv
-uaDoMZUCgYEAhD89Cj849LXbJEmjX0MGUCCBO9EBR2Ux2nbuB+TQnvwz7VT0Jkds
-Db1IfljoDefqzyFfH/0Z3bNg4EpidAG3BMC4MwY7WzR1rfnXwNluaWM5gmUzFNw0
-mBGXonIf6nRMIO9eeTFI8VfFb6BYvosNxz+9QA/5rpamGN1cKdMjgPc=
+MIIEpQIBAAKCAQEAu984h2mkpbWJZc9Ydka6jC84EkPzw6tqtEkIdftEawgc5gvl
+C80JXLTwnQySMTb49KByyt44S59ZWE6SHHV0u2P2ihiw1duoY7NE+RZwODEsWVgn
+DRZmyume2Bj+Hpkugm6o+rL7jiGxhvNLeoFZK3RyD6IRIcEfZeAv7URGz7xdrzmK
+/vWXukfEnU8DlrFDSQUb3NaJS5tVVVLFuTWQBSjuT3NX7mdNHnpjcwT9/ruyOaNQ
+0DV2Bgz1nCiOup+oW396/AInb03CQ+wIqQpB9reWma0wF0Bc9lZxnv9ppYgBPsOT
+jE3yyyeTptzk9Gw+DFV1cw8Crm+aew5VH18oEwIDAQABAoIBADxEv72xBkCinBEt
+ExPeXLnb7ADwC6MZuoFbbHtsv+YWFC84YaIHhJlY8ldvUPa4y+SuFCVAZI7d76uE
+iRrYEzqKNuzWPuRcMwjI2beOmzFrlO6UePKZ3R/7EhoA6oSmX2U4Wr0R7eEKrgi8
+w9no5NIr6Ota8mQBsDDeWoGjBZReLHcagK3P+LG7B9EfMbdedd4c+sAYypmbhjvf
+pj2AE08D/eI1j9Jd0w9J4oVNel1p7iYT5wYnZzdHcJdAWHlzFrKFQVVfJBBviskX
+dm8GUOP0ZdOc0xYAyVcFAyu1x0JBkrFM5zOs6UAsRSzP5PQ/J8VFK7BQAv9/TX1D
+eZi2DwECgYEA3mPpG0VRsZXDF63KlWnCn7cl6i+CAhMxYVCVn8RwBGc7Q8Xtw+9b
+y7VktDGTcgcZIxDh/T17FBAn2ZL28tbssRxnRD+lQG1pf86RKLU+HXQ4Ppt7CbA0
+G2oV7+qxA2At3yknHmeIyvzBp+OuCc2XboOhshN5ncgMXl9EzRsCilUCgYEA2EPT
+dXf57rG4k9mcjdohIdutBB+mOXS8K9fbg+V/l+bmGxINWKxF4w2N3pulw4380TRr
+caYI7dxjpmCopnxNEhBiyOuBOEEqdGxdm69CNSO/hFDE92pQECl+6+AIa9Kv/Z3+
+Wdxwo447xgz1wDclhEcVW9rD6sAshpLQREOvIMcCgYEAjxrDmeTVWO0CCW6v+c2A
+i74TC8teYW9wSyrL3W9OlcbIACiRg4+3BjLHhpyQQMQIjOQESC0T0ilDO2KyvjlH
+PgEFAoniEL9XMAMAra1TNyjeOItcdTOJlEqDq0redUmiuwOERLBi+hwDkcGU8IH3
+fAoANtMJY1qjeubbIxDKZbECgYEAleJkMtzFBq57m1TNkO6l2d5zShFZVibWp5hC
+Fma/iJrJzec0Asna4eMp+Sdsuly05JVtBeYp+Bivo8cH++LYU3Wx0UiPVVqsvuW/
+9r9/pm6xNFX6PPOcq6bmxTmO/JOXz7FpcAQ8uM5CFSA0TlSqFsRhRDkZYaBw+4/S
+8gzq2k8CgYEAz/0eK0YPxxh4NHwXVWEsMeTDmC37BmoXU5oOmcgFHmhWXFSvvJLn
+OB5QojTUuEsU9soHqk8F5oCt8DTz/LkJt+lygcSZ+qDOLJ0c9fGxDIp0s3HxiX4G
+BwiYDDqLzFNi6TOQsk15rWWVC9W+PaxsfkrdewvW4ZT695ZWxsKAHP8=
-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/duck/index.txt b/testing/hosts/winnetou/etc/openssl/duck/index.txt
index 759a85b80..70a88fcbb 100644
--- a/testing/hosts/winnetou/etc/openssl/duck/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/duck/index.txt
@@ -1 +1 @@
-V 141103162335Z 01 unknown /C=CH/O=Linux strongSwan/OU=Duck Research/CN=carol@strongswan.org
+V 190225221822Z 01 unknown /C=CH/O=Linux strongSwan/OU=Duck Research/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem b/testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem
index 4e13b52d0..70b953e49 100644
--- a/testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem
+++ b/testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem
@@ -1,24 +1,24 @@
-----BEGIN CERTIFICATE-----
MIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxGTAX
-BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMDkxMTA0MTYyMzM1WhcNMTQxMTAz
-MTYyMzM1WjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
+BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMTQxMTI4MjIxODIyWhcNMTkwMjI1
+MjIxODIyWjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
bjEWMBQGA1UECxMNRHVjayBSZXNlYXJjaDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25n
-c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6LueCi67Y
-IGRDKP5bkysGWZHrFrztq7elIFCPPSUxyIOYo4Upzr5WsvO0dIfcZY3agV2NcAI2
-30sATlfTUp+obedZMHbzE3VBvQuLjgK42ox2XIXDj23Vy496mVqlwUQulhBcAhMb
-jnBb4T0aR7WCnJvfzyckEyWrTN0ajRyQhJEmTn+spYNQX/2lg6hEn/K1T/3Py7sG
-veeF6BRenHR5L60NSK7qV7AU+hM4R0UIvgwYqzxSStgGS9G6Bwj9QTOWwSV1tuii
-ABiRdZSBoON0uMMpRjgEzuVe0f4VbOCIEXO8MtdpCu7Rwa9tc8OwneLcGCYVomr5
-7KKRJdvC5As3AgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
-VR0OBBYEFFSYDz2TYOMxfyrIx20NhPPHTCOIMHkGA1UdIwRyMHCAFHYqqKQxp8Zx
-jzAlvAJmm8sXVI0goVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
+c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNBbHnfLRk
+Lvxh9V7x/NoSs5qavpr8F51LnYpIfppgMvBDjpdeSnBPOOPakPlfUhKSvXIesESv
+QI1HJOlGftswL9A5B1lTnsH65sqpgqgj67grh386U3O9ZccFhUj8Dw6TUo/qe4pK
+sWDwUX/LG3mjOx/rOGvX8WxvZU7JVXXhU4g8TpIV3JRTQ+lF82z3qoS6dAfRt4xh
+6pyLuMYbu6UtX5Al0iJDvpsWr9ZbKI2f8Dhkr0sZFRHl7Gs5jTN1Ra1EF0jCjIzo
+6AkkY+ITBssvVvMFpeN/jb0ZhvLcRFU56lvLkmrj/InKUsk9qNm80+/wFBUzJ5N7
+GezXmBIPwXdlAgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
+VR0OBBYEFLPw4VsFnIRIKhjd/OF7delHM9kiMHkGA1UdIwRyMHCAFIpw4MqlHGRv
+K5K5c1wBrJAb/fk1oVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
c3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDASBgNVBAMTC1Jlc2VhcmNo
-IENBggEFMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
-DQEBCwUAA4IBAQBIpl8SH4Nytgr6KvmXzns80u615WnDmP6oJrnwIZUkunVns8HH
-TFUVjvDKoQ+8CvuaH9Ifo2dokGjtGObeO4Y38y0xBIkUO+JpwfTa3SeCEhdOZb3G
-4e9WxHhV9IGfRyPsXQG+3JpAMaHYH+PNKiv7RBTq6rGaHzvgUEXRMTbv/bJI+Fs6
-Yfd/XxIur/ftVh4dZocyC74MUyXy5tyZJkHe1aBszOa0iT1852fq93lNUQPQqw0O
-3q3Lg7CvbNSdWqeAMqUgeBqh6oQItY9Exrwh0tfuCsjZ0oWXUBghsuiV+GTmZ6ok
-BiGmSmtX5OD4UtKcicuMRqnK2MYJHp1z1goE
+IENBggEKMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
+DQEBCwUAA4IBAQCi2vUHTZtkUGMAQsztQBLDwtqS7D+1ydO2BU/wkNRn4M7Zlkjq
+O2JBgwGmeWpnZWPdNo+A5ECqcVYXp0XQw/24zxV92StTN7mGvPKVM6bYExcCT8x6
+tVkzlfyjJaVdBgl12jkQA4v6Efwc0P6nunYfxYIrfoFA4kjMnAbxLfPKFEj8b8NW
+E9gvOEPy9hOv2dJEKyNxau+O5oGRZ46zSotcS0n34huoMEkXpUnpGOgZw8cl8xpP
+ffHiAJqZYgqU6B++HQO6M6IQ0nQmX6OxGz+5VhEmuizgWB0B1L65BlzAysdavLZN
+Yn4RdcYfpdbUgj5oRapiwWaQxpGImyQ1JBIU
-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl
index 839816bf5..f064bdb0b 100755
--- a/testing/hosts/winnetou/etc/openssl/generate-crl
+++ b/testing/hosts/winnetou/etc/openssl/generate-crl
@@ -44,4 +44,6 @@ cd /etc/openssl/rfc3779
openssl ca -gencrl -crldays 15 -config /etc/openssl/rfc3779/openssl.cnf -out crl.pem
openssl crl -in crl.pem -outform der -out strongswan_rfc3779.crl
cp strongswan_rfc3779.crl ${ROOT}
-
+cd /etc/openssl/bliss
+pki --signcrl --cacert strongswan_blissCert.der --cakey strongswan_blissKey.der --lifetime 30 --digest sha512 > strongswan_bliss.crl
+cp strongswan_bliss.crl ${ROOT}
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
index 49264a5ee..ba3349cf9 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
@@ -27,7 +27,7 @@ R 140826100818Z 140827143358Z,superseded 1A unknown /C=CH/O=Linux strongSwan/OU=
R 140826103106Z 090827103405Z,keyCompromise 1B unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
R 140826103739Z 140827143427Z,superseded 1C unknown /C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
R 140826104451Z 140827143432Z,superseded 1D unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
-V 141123125153Z 1E unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
+R 141123125153Z 141128194312Z,superseded 1E unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
V 150226210530Z 1F unknown /C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
V 190404095350Z 20 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
V 190404095433Z 21 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
@@ -47,3 +47,4 @@ V 190826145626Z 2E unknown /C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongsw
R 190826150222Z 140827150343Z,keyCompromise 2F unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
V 190826150536Z 30 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
V 190826151202Z 31 unknown /C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
+V 191127201436Z 32 unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old
index cd5ddfd6b..b3ff1c581 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.old
@@ -27,7 +27,7 @@ R 140826100818Z 140827143358Z,superseded 1A unknown /C=CH/O=Linux strongSwan/OU=
R 140826103106Z 090827103405Z,keyCompromise 1B unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
R 140826103739Z 140827143427Z,superseded 1C unknown /C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
R 140826104451Z 140827143432Z,superseded 1D unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
-V 141123125153Z 1E unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
+R 141123125153Z 141128194312Z,superseded 1E unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
V 150226210530Z 1F unknown /C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
V 190404095350Z 20 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
V 190404095433Z 21 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
@@ -46,3 +46,4 @@ V 190826145436Z 2D unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=alice@strongswa
V 190826145626Z 2E unknown /C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongswan.org
R 190826150222Z 140827150343Z,keyCompromise 2F unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
V 190826150536Z 30 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V 190826151202Z 31 unknown /C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/32.pem b/testing/hosts/winnetou/etc/openssl/newcerts/32.pem
new file mode 100644
index 000000000..f7c90d302
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/32.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEQzCCAyugAwIBAgIBMjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE0MTEyODIwMTQzNloXDTE5MTEyNzIwMTQzNlowZzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHzAdBgNVBAsTFk9DU1Ag
+U2lnbmluZyBBdXRob3JpdHkxHDAaBgNVBAMTE29jc3Auc3Ryb25nc3dhbi5vcmcw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcEKXgcanpPoLMCxFLx1Br
+9WYJGHxMIi6eGfHHFObA56DpDxEUfRA88wvOgcq/PxSjAJZLePO9VQLU+sdK9+u9
+7INf7AMQ7CSRfHgkjEAt2SK4iWAk01I957qdwbvTTsBvmEAiKtqpQVcKbkokx1dC
+J7prB4TjJWQlxihMAfgRQEX8EWE1c2vmzQ8fVkEc37E/kWpwDYlKtVidn+Nrt5j7
+SuE+HKZOE9zc2hRXU9IE/5hgHmPd0sIkmusTYqr+feeS3x6FfiWn/xIMlf4eTQ6F
+55EgdUsem4su0y30i369aMviOL5Rc9OAyT/eH5AU/5BBy9M/y0Sep3wgdrOLsD3h
+AgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU
+DPBHE7nzb272+F6creQm6ORqEkIwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg
+YOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdT
+d2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYIT
+b2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA5BgNVHR8E
+MjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4u
+Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBvnya63noZrXlKv5daWjqGTmpftPIvK5KA
+tyQlZn4eSY0GDK4M9HPtPmg1o+gYJnQr9STADh737clPb3P05xzc1LLBiQ+laLZ4
+8KpZ4od5QSMTPCzYgx2LQxqKQz9PjbeLP1wcMLxRsluiwPJu9KnfZBDvHsow/UU8
+SPg62z3p17SZxoCk/87Q3eyZkI7BFJJtyrq4yiRf7lFjaLyw1SnM7sjwOMzoQBVO
+bj21Spn1XQ/1X+DiCB3pFvsGEU0ZdfWKrURNeYgh+KX6S1q0mDusOwIunpR0z2Nx
+Oc8QA3YT5fse48k3sUlRuKY+YSQZqj/vG12cHjBGGQRwmpbaTBHT
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/ocspCert.pem
index f84d1a877..f7c90d302 100644
--- a/testing/hosts/winnetou/etc/openssl/ocspCert.pem
+++ b/testing/hosts/winnetou/etc/openssl/ocspCert.pem
@@ -1,25 +1,25 @@
-----BEGIN CERTIFICATE-----
-MIIEQzCCAyugAwIBAgIBHjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEQzCCAyugAwIBAgIBMjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA5MTEyNDEyNTE1M1oXDTE0MTEyMzEyNTE1M1owZzELMAkGA1UE
+b290IENBMB4XDTE0MTEyODIwMTQzNloXDTE5MTEyNzIwMTQzNlowZzELMAkGA1UE
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHzAdBgNVBAsTFk9DU1Ag
U2lnbmluZyBBdXRob3JpdHkxHDAaBgNVBAMTE29jc3Auc3Ryb25nc3dhbi5vcmcw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8BT5LvsaxM0gOw9QM74ML
-vbxXXxTv9W0L//oBnPohbVyueSl0/r2rcIeYa0g1eePgwRRBHwr356Om2mv/zXTp
-lQA4qtY6YMZkoeYCOVhO/fJ4CGO213qWeWIYOe4njTuiPUiI20PWancgaic5UOAC
-UBnyes94I5kB1OWx0THma4Sv0HdBRoWwO+ZqAA87fpV/Wagi6ElJBcjLbO5Hpy3J
-dFvrjNWZwuJw2+qHQ4QOT4McpusfIjgXaZtyEpVIcbJ7knNSq+MapdP0RBS6wzXa
-kWx9tMIAB9gKUfENTNl60ZnmqI0KgKiR3Yqia/bbsD7JcangOcOjWA2H0LKnnLdp
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcEKXgcanpPoLMCxFLx1Br
+9WYJGHxMIi6eGfHHFObA56DpDxEUfRA88wvOgcq/PxSjAJZLePO9VQLU+sdK9+u9
+7INf7AMQ7CSRfHgkjEAt2SK4iWAk01I957qdwbvTTsBvmEAiKtqpQVcKbkokx1dC
+J7prB4TjJWQlxihMAfgRQEX8EWE1c2vmzQ8fVkEc37E/kWpwDYlKtVidn+Nrt5j7
+SuE+HKZOE9zc2hRXU9IE/5hgHmPd0sIkmusTYqr+feeS3x6FfiWn/xIMlf4eTQ6F
+55EgdUsem4su0y30i369aMviOL5Rc9OAyT/eH5AU/5BBy9M/y0Sep3wgdrOLsD3h
AgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU
-NJFukTK/NSVDzCh074LCV5J5E3MwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg
+DPBHE7nzb272+F6creQm6ORqEkIwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg
YOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdT
d2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYIT
b2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA5BgNVHR8E
MjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4u
-Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBteNdmkKbr3bUJSKTaJ/qssbyPjL7MjAmi
-QA1sSq5yIh7Ir23xEq/XQFF51N2yDNuXhLYk1fWou8BL+X9x97BlQkp9/nZ+BdJG
-uH2zOUxcsfq57jtwMzlXGrmVUTMAJRtMqrSnVa9jbW+IF2p/sJfeSRRqJ2qwQoDW
-ppvvBF4RfdWOVCCidtRmWKycEtP1ylSYyiHswVWhL2gLXQRQ0l5wJdgT2URRDopC
-CBiE5mHOWn17gTWQw9SdGbY37o9jXNrY8GRgOeubHFRmdXa1Cli5P5HhIZygUBWX
-tn5BvNDEIUz11/AT+HfpdMSKDiAXMq44wqWoYoUXsaLTIp+Vt6NM
+Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBvnya63noZrXlKv5daWjqGTmpftPIvK5KA
+tyQlZn4eSY0GDK4M9HPtPmg1o+gYJnQr9STADh737clPb3P05xzc1LLBiQ+laLZ4
+8KpZ4od5QSMTPCzYgx2LQxqKQz9PjbeLP1wcMLxRsluiwPJu9KnfZBDvHsow/UU8
+SPg62z3p17SZxoCk/87Q3eyZkI7BFJJtyrq4yiRf7lFjaLyw1SnM7sjwOMzoQBVO
+bj21Spn1XQ/1X+DiCB3pFvsGEU0ZdfWKrURNeYgh+KX6S1q0mDusOwIunpR0z2Nx
+Oc8QA3YT5fse48k3sUlRuKY+YSQZqj/vG12cHjBGGQRwmpbaTBHT
-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/ocspKey.pem
index d25396b09..13a81f29d 100644
--- a/testing/hosts/winnetou/etc/openssl/ocspKey.pem
+++ b/testing/hosts/winnetou/etc/openssl/ocspKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAvAU+S77GsTNIDsPUDO+DC728V18U7/VtC//6AZz6IW1crnkp
-dP69q3CHmGtINXnj4MEUQR8K9+ejptpr/8106ZUAOKrWOmDGZKHmAjlYTv3yeAhj
-ttd6lnliGDnuJ407oj1IiNtD1mp3IGonOVDgAlAZ8nrPeCOZAdTlsdEx5muEr9B3
-QUaFsDvmagAPO36Vf1moIuhJSQXIy2zuR6ctyXRb64zVmcLicNvqh0OEDk+DHKbr
-HyI4F2mbchKVSHGye5JzUqvjGqXT9EQUusM12pFsfbTCAAfYClHxDUzZetGZ5qiN
-CoCokd2Komv227A+yXGp4DnDo1gNh9Cyp5y3aQIDAQABAoIBACKheJrs9Z3XyzLl
-AN6tEt8LwG/7VFjqRH6MVFkNt8iGYybDrE4fSYIVRPRe9jrbS4yvI3LnK9cDdFIc
-Mv43sov/ZL4LQVAZWRFZ/Ip2U3yhK5LOQMeBotOqYdYCfYoNaml0jjKe6DzK+Uwg
-IT9eVRQ3+r99vU7sh5cdxnzdAirlXAGdy2QxdF1lyC/49H6jxS7qxuxHPqI0P8VR
-9xVKIXaAKaxcijg47slC386/yEbO96morZuJX+F+iaQ37T0nV3tTergbwDtit3xo
-cOdsHan9zGHE1ayKh8DkBinD+BpiLZdapRvcSm2wAKlamXfI3GIAB5r/3B1NW9yb
-rsThgc0CgYEA4CN+fNaFYQmLMK33wZfXvcadaktSWWXmnqPVLIWRddUH3SA5qEJB
-RwuuLgcfmlmZqBqSOj4pDTtAoNooqA9Ryi0Ugzpvmn5iPevfixQoLix4mn1/bvbF
-bo4CX7Vb7mUdfXpu7PwVNALNfaW6fgKM79LoqX4yZ4k/yFuYl+JTIGcCgYEA1r9k
-mTi/5royyVX0vV7uwyKrXQ8VRVhnVeT2nG1KkuQqUraUQG8WD9J9uxvbZxhsrax1
-Hg1iCAobzlEL2XoX2y+dN+81o2tm9qcy3L7+g6M/+7nQmU+fbGdBkcWq72dZC4ev
-K6grD+gl0uQmdVc7m+3lErojNAlvxTSK1BKrR68CgYA2CxjijO8YGK8BC9FjUnNo
-hM1L5eFzQMi8k5BA7evG15jPzodYdLE8qipTWtBZ7STJja6YcIiBcjoBDtkivJ7h
-+sCpa5uhSrvxZkA+Tpvpljt2NLBXVxT/tSoJXbdO4f6cVLsOVTHfmpVlqGIxI/hL
-kzUaOR16LXO9oahHZwDYHQKBgHPg60PS35p9NxJ1k47sPyKE/rtEfFHjFj+/QWO/
-hdIl1MC1TOJIDzuSdc4Vhhrnjx1YRgplZlS4P7DhAufjfiQEWW3pYqRAPFs0dbmw
-Rl56JPiMmAdic8BnJ3all0uAFQinutpv8Gyw9FgMTMRcwgmuIUIttvlJbkqXw6IU
-QOB5AoGBAJkTG5alPABxJG9ZuEE+iWCPAV1671FXT115D5wlKOY3CImuhsEW085X
-uGZz7WDZWFZJres8RiRlpK035MAg6lUG3trC9+wOluRNehT6h0Vwru8TxjLBxPcc
-yjdSVDH61FQLSKWIGLH9VVLX03NXqi3qxVGrrulUSW5h/HR2s3f7
+MIIEowIBAAKCAQEAnBCl4HGp6T6CzAsRS8dQa/VmCRh8TCIunhnxxxTmwOeg6Q8R
+FH0QPPMLzoHKvz8UowCWS3jzvVUC1PrHSvfrveyDX+wDEOwkkXx4JIxALdkiuIlg
+JNNSPee6ncG7007Ab5hAIiraqUFXCm5KJMdXQie6aweE4yVkJcYoTAH4EUBF/BFh
+NXNr5s0PH1ZBHN+xP5FqcA2JSrVYnZ/ja7eY+0rhPhymThPc3NoUV1PSBP+YYB5j
+3dLCJJrrE2Kq/n3nkt8ehX4lp/8SDJX+Hk0OheeRIHVLHpuLLtMt9It+vWjL4ji+
+UXPTgMk/3h+QFP+QQcvTP8tEnqd8IHazi7A94QIDAQABAoIBAEP6NGZY3AuOgOZj
+g7sgK/V6RGF92tZGpUuUPW3bus8XlU0ulN/5wZLqwp/GhQtcbJ67aLujCXfUiZE/
+UoNjDboCRQ8I/CTo1tzP/Hze4i2WQLtkiw4/RblVMEH62tclnEh/Zp/7TpcesM0I
+UR9H/MgCCf8InWdbKA4UDAVfbjAEws/72QSMnhhsdUfNMKKFiaaDz596MXpI3AWY
+SsenVmcqhMTP819DEem7GTSyOZbx482i7tr1Ix/HB/WlXoTZLB4IFsUOjbtQkoym
+fJHftuCsuN6xg6xUq28zaWqcZzDje7pavqmexXfxvG7a8jXFGY/sagWIHSIp32la
+0WoUO2ECgYEAy0pG09+zY5pHsHoNrSEsN3wIXOv4EIwwEuk4ZTqBPyh/lbHozHDp
+JlO+ObJVzRG/NS4RnlJUicmAUtI7CSpdvTD1OclROBF3DPwiu18zEJTqXkGDcVyt
+bmy8JQDZPYt4mE/TsuRN3uoc9+2jc1ZL6zvS3u6s0EV5j4SYxrn/oQ0CgYEAxIe5
+uBvR+wRXeWddRbIAKxQJa1PR4WDbIQWGm8TlXpcBWsyaqId3AIg9IoQH9AtFvl5F
++6QHjhl5jNK/PkzNM/xAMbS4X4S32zDVUtmJXheyze65lQvXVfUFQUCyb5DeBtvk
+XOf6k5WfM8rAzCb4PNwp+U21vQW7dfOSWp1yEyUCgYEAv3QHeljOYHqXE4wPP0Lj
+mqmUUrbk2+i7CcRdGXDc8jdY2QlBfvDDkxYBK+NZTRVup03ox9svxMhhsx5M/RfK
+SnhGKxL/C7ffD/qRVzeUJwSoKPa4LNYke7+p/YtsDLtCauebL3o2ID8J4zEJ44Cd
+ZT/lG5FabZdQoao2G8pmBi0CgYBrdG5mLMflwJz3Yz3LUqTm6OCxjzXtTeDiMDxG
+RSTIUDZMaByT0uWNI/CRQ7F5jQRILxGColADMQiVp9ErBiEYsG6E/vPkPhOsxAmP
+cCO8j6aTFFjiFoRZmkuSPwaRG5taErbM2YXXVfKjBdPei9wkophMmGGrBUxXFKNL
+6lQqBQKBgFeDuiesvRr+3KUxO6FiRXdGzkhFpfVaSxnFpvyd03vByTsuI5AugjHt
+UPHkOxnrXYg2bZwHSy5fvhUs18FdcucfJnsVl+/Clhl5jkeQzSOszoPx8lvhcck5
+uzlqo+L2XXWN3MaiBHvboA/duTiSQAvcPaEi8gpprxvLHojz/P9R
-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt
index 0565c768e..25f57370c 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt
@@ -2,8 +2,9 @@ R 100322070423Z 100407091025Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=
R 100615195710Z 100703145747Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
R 120323210330Z 140324140605Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
R 140323203747Z 140324142334Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
-V 151103161503Z 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
+R 151103161503Z 141128215838Z,superseded 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
V 150406092057Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
V 150702151839Z 07 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
V 190323140633Z 08 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
V 190323142352Z 09 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
+V 190401220708Z 0A unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
index 8a0231b05..3fc101e9e 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
@@ -2,7 +2,8 @@ R 100322070423Z 100407091025Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=
R 100615195710Z 100703145747Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
R 120323210330Z 140324140605Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
R 140323203747Z 140324142334Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
-V 151103161503Z 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
+R 151103161503Z 141128215838Z,superseded 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
V 150406092057Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
V 150702151839Z 07 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
V 190323140633Z 08 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
+V 190323142352Z 09 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/0A.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/0A.pem
new file mode 100644
index 000000000..2076242cc
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/0A.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID0jCCArqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MTEyODIyMDcwOFoXDTE5MDQwMTIyMDcw
+OFowVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu984h2mkpbWJZc9Ydka6jC84EkPz
+w6tqtEkIdftEawgc5gvlC80JXLTwnQySMTb49KByyt44S59ZWE6SHHV0u2P2ihiw
+1duoY7NE+RZwODEsWVgnDRZmyume2Bj+Hpkugm6o+rL7jiGxhvNLeoFZK3RyD6IR
+IcEfZeAv7URGz7xdrzmK/vWXukfEnU8DlrFDSQUb3NaJS5tVVVLFuTWQBSjuT3NX
+7mdNHnpjcwT9/ruyOaNQ0DV2Bgz1nCiOup+oW396/AInb03CQ+wIqQpB9reWma0w
+F0Bc9lZxnv9ppYgBPsOTjE3yyyeTptzk9Gw+DFV1cw8Crm+aew5VH18oEwIDAQAB
+o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBSK
+cODKpRxkbyuSuXNcAayQG/35NTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDANBgkqhkiG9w0BAQsF
+AAOCAQEAMtm7ldvd45818Ghl8+Z7PfCnRXDPbikyCJn5PXkuR3TSB62ekJSGT1Rd
+i2rnDoIZpfSzDQSpKH616MuWtwJoomJh8n9wCzbdUv1sn1cfgjDSkgLqIbm/Xpc4
+zUcHnZFdwvMr3sq/xSO/SgkfgTHi8bFLLp2RQwPNsNycT94nNE7DRjSeRenpuEPM
+4t4xIZCoUyX3sdusHvh+dDu4iuIVQoM0zaW9p7pVh210ALt0jac3HW0rQXtbfchE
+VeuDLZ0G7baFZ9LLLWpuQB4zPRUET7puvzabsf+sHpO54y+zXRaB0tbiFIurt4gF
+5n7mN4ssNQdcD86W5lnI9pT5s1uvdw==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial
index d9bb888f8..eb589e9da 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial
+++ b/testing/hosts/winnetou/etc/openssl/research/serial
@@ -1 +1 @@
-0A
+0B
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old
index 86397e5c1..d9bb888f8 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/research/serial.old
@@ -1 +1 @@
-09
+0A
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/.rand b/testing/hosts/winnetou/etc/openssl/rfc3779/.rand
index 20107f5f6..b41b2202b 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/.rand
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/.rand
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt
index 9adf263bf..bfafdee5d 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt
@@ -1,4 +1,8 @@
-V 141222133356Z 01 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
-V 141222133521Z 02 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
-V 141222133612Z 03 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
-V 141222133736Z 04 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=dave@strongswan.org
+R 141222133356Z 141227062317Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
+R 141222133521Z 141227062321Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
+R 141222133612Z 141227062326Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
+R 141222133736Z 141227062335Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=dave@strongswan.org
+V 191221064542Z 05 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
+V 191221064900Z 06 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
+V 191221085130Z 07 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
+V 191221085457Z 08 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=dave@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old
index be48eeee4..56242a38b 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old
@@ -1,3 +1,7 @@
-V 141222133356Z 01 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
-V 141222133521Z 02 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
-V 141222133612Z 03 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
+R 141222133356Z 141227062317Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
+R 141222133521Z 141227062321Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
+R 141222133612Z 141227062326Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
+R 141222133736Z 141227062335Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=dave@strongswan.org
+V 191221064542Z 05 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
+V 191221064900Z 06 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
+V 191221085130Z 07 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/05.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/05.pem
new file mode 100644
index 000000000..124e2ae46
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/05.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5
+MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6
+GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu
+uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA
+PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2
+jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd
+D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK
+KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
+eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
+d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u
+Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG
+MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy
+bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY
+AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL
+aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo
+830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5
+lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2
+NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR
+pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu
+Mc/lk4Nl8pHRO+Xm
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/06.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/06.pem
new file mode 100644
index 000000000..a93121da1
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/06.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEtjCCA56gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDkwMFoXDTE5
+MTIyMTA2NDkwMFowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu
+Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+7A6hhF+4kxCv5
+oR9DEpv1gnpGmPpn6i7JfuLGIJ9phQ3bUnSMIx8+mp3JE4SLXINLcyCHilK74tIf
+pwYx2K0c2txTFIWLQvBaHWohJ9Sgg4ElVXmSa/b0Nym5FcttdcRgNGd/+DLPs9Tw
+ZoieGvJcZWiOBP+xxPbEo2xcoi3GetPN+XSW+m1BvU88Ysrp0o+4+rLPB5iipUB1
+Iksb51SvF4iG4BHfoTKGlHLwVyjJnp7YnYJtjY6Xaw1GbCf6wcwLlq71uoMj39cd
+0clncpi/s13K2Sh0YHiCcQD5vIkP9BRmobWAXseBZevYI/rU5dz761EqHf72TRrd
+bM3/KycCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
+DgQWBBTPOzV+XXFm2wEX9j+NxqVXiRBq7TCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
+Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
+IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz
+d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo
+dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww
+RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR
+AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAgJDWuKCu
+7H/K4U7xFRarSKtj9oMAAsq2vLSQqJTUg6fdTnFIlH3OBPcwEzFwVx30QlQyls1p
+nHm/cptV/3cxvqCvdnT2dVspJu+9a5D+zZNeLAtWZuyRN6Nlmeqj1Nnp6eEHEBrg
+oXMzmAf0ulzIZJsEVYwJSCXm0AMOlyvoIYqKxty3L2VZ1iAU1z15lnFhcvamraGx
+k7yaI9ujVR4xQZOOgh05pUrEKaXI3XR1rIoL3NV3ws/JgHch/CQw/If7x4VQmGcD
+yJbKkKn0S18TJr0KhPqbM4+inldEwyX/zjGmlHezy0em5qTRYwupFIQNwZZkTXug
+NnBR3lf2HB2lWA==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/07.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/07.pem
new file mode 100644
index 000000000..bf8a4919d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/07.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEojCCA4qgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTEzMFoXDTE5
+MTIyMTA4NTEzMFowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3
+YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsSlxt8LQf1wJ
+u1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1XELjKv3kcYp2McydNPq63fw9XXbu
+a/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++e0xxcZS4NQ6wz57bHgARzMoCisNr
+xcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5LieSMGIBQjKGCd2a3eZYhTCs6hI0vhQ
+Q1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXPuMY1CwZkGcANd6vBK5YBNiZFquBj
+FhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN8Xim/AewWRcKJJKdlLAAHmZD0jx2
+g/E0LGu01wIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
+VR0OBBYEFNs9CUs7SNJewkkfo1Bg7bcUEzPXMIGMBgNVHSMEgYQwgYGAFCF/p+s3
+0KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
+dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
+b25nc3dhbi5vcmcwQQYDVR0fBDowODA2oDSgMoYwaHR0cDovL2NybC5zdHJvbmdz
+d2FuLm9yZy9zdHJvbmdzd2FuX3JmYzM3NzkuY3JsMEIGCCsGAQUFBwEHAQH/BDMw
+MTAUBAIAATAOAwUACgMAAQMFAMCoAGQwGQQCAAIwEwMRAP7AAAAAAAAAAAAAAAAA
+ABAwDQYJKoZIhvcNAQELBQADggEBAEYqXkheXXHiC5JnrZm5QUo11Vu4CtNRGeg0
+atuG8ZNHgQfa7wjjeCDNpj3lHvyegYsSMo7wGwN7DugH0mmXKZF9XHc4sU7/aUvl
+mX52tDuUoCGD0/yFuKLlYOfwmsquC9snYDW7cJXaqMON/OMLcU44OR8E1oiw2ePT
+FqyGFbfparp+Q8I7VHwJBs+mDphdNUlFbpuO9m2eEtqdYVyXlfUnbFpMMyWxxIY/
+6CIyWcRRKeWRRXxkk/dSeEWgsfWY7ITK9blP5nhIsgpCoEguGc6h4RL65VdH+Sy0
+9MLpesyGe6qkdrrg4nyaY82uuFXhUo0YiP0ddUw8eNaefFqEzL0=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/08.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/08.pem
new file mode 100644
index 000000000..88ce01ed5
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/08.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEoDCCA4igAwIBAgIBCDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTQ1N1oXDTE5
+MTIyMTA4NTQ1N1owWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dh
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpJKRQ2CEG39rO
+8nX7RpY+Ed5tyx+rkug3HrSInie+fgkDnLES2U1X3wvM2OczLp6L1ccROv+SzEW+
+OKfCZSz7T4GLwaRodi9KtHvfOCsbDx/vkFFwui2yt9rVUSpcbk1OiVQsA9R0G6vz
+eqFIL9GtrtHWQ+dkvWy61i2A+T1X2QfhVfzvj5msL3CuZU6fnwGYD4LZz8RUGlB4
+WkSFWCctfQfgK+lpfuzq6OFFkARzxZ55D0MzgAvXY6osS8gMdiSD50Zlik7qZVvn
+RO0j6TOg0WKinzguAokAyDCsaoqsOvi27QalfH48PUM+aUzHNCKnD6pswebHou3m
+mvG3rH+9AgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUsBjPeVTm7TUTaXtmfv09yQS2mV8wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
+eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
+d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVgRNkYXZlQHN0cm9u
+Z3N3YW4ub3JnMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dh
+bi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNybDBCBggrBgEFBQcBBwEB/wQzMDEw
+FAQCAAEwDgMFAAoDAAIDBQDAqADIMBkEAgACMBMDEQD+wAAAAAAAAAAAAAAAAAAg
+MA0GCSqGSIb3DQEBCwUAA4IBAQCNyAyUvqeCgWnPEMkfFFb1kBbd3me3aLRxXFb4
+TY44L6SBiFNy1s3UyFCLw1xXnSMgTpvZqHmB7fnzX7Aj6BNkPFIThEiHYN85ai4t
+U9bO2nqwXfIINFt2Qlokd0QWHzDsL/o9Mmqs38ymlfIbsgwh7gCZ2HhGlOb7+QNU
+IaDVIcKqBr07wX7qO/fEjKgFSkUT5eFNwQmyT3zUaE1PixK5w1hRxvs/KAsLgbfe
+5ofLD88rfxvkqLwhRNU8PUzqIpqxfV1P+wS/k78z0tG+JI8yeEkcksuj9UOzlTr2
+jWL1QoxUEinR3N4dTqsW4u/Jz7R4MHdO+l9RoYZpQA8LV8s3
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
index 9ec4b01a8..e8a0a2ee7 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
@@ -40,7 +40,7 @@ x509_extensions = host_ext # The extensions to add to the cert
crl_extensions = crl_ext # The extensions to add to the CRL
-default_days = 1825 # how long to certify for
+default_days = 1820 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
@@ -153,6 +153,13 @@ sbgp-ipAddrBlock = critical, @host-addr-section
[host-addr-section]
+#moon networks
+#IPv4.0 = 192.168.0.1
+#IPv4.1 = 10.1.0.0/16
+#IPv6.0 = fec0::1
+#IPv6.1 = fec1::/16
+
+#sun networks
IPv4.0 = 192.168.0.2
IPv4.1 = 10.2.0.0/16
IPv6.0 = fec0::2
@@ -176,6 +183,12 @@ sbgp-ipAddrBlock = critical, @user-addr-section
[user-addr-section]
+#carol networks
+#IPv4.0 = 192.168.0.100
+#IPv4.1 = 10.3.0.1
+#IPv6.0 = fec0::10
+
+#dave networks
IPv4.0 = 192.168.0.200
IPv4.1 = 10.3.0.2
IPv6.0 = fec0::20
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/serial b/testing/hosts/winnetou/etc/openssl/rfc3779/serial
index eeee65ec4..86397e5c1 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/serial
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/serial
@@ -1 +1 @@
-05
+09
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/serial.old b/testing/hosts/winnetou/etc/openssl/rfc3779/serial.old
index 64969239d..adb9de8ee 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/serial.old
@@ -1 +1 @@
-04
+08
diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial
index f5c89552b..bb95160cb 100644
--- a/testing/hosts/winnetou/etc/openssl/serial
+++ b/testing/hosts/winnetou/etc/openssl/serial
@@ -1 +1 @@
-32
+33
diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old
index e85087aff..f5c89552b 100644
--- a/testing/hosts/winnetou/etc/openssl/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/serial.old
@@ -1 +1 @@
-31
+32
diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage
index 075fd8e1e..c927934f1 100755
--- a/testing/scripts/build-baseimage
+++ b/testing/scripts/build-baseimage
@@ -21,7 +21,7 @@ INC=$INC,less,acpid,acpi-support-base,libldns-dev,libunbound-dev,dnsutils,screen
INC=$INC,gnat,gprbuild,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev
INC=$INC,libalog0.4.1-base-dev,hostapd,libsoup2.4-dev,ca-certificates,unzip
INC=$INC,python,python-setuptools,python-dev,python-pip
-INC=$INC,libjson0-dev,libxslt1-dev,libapache2-mod-wsgi
+INC=$INC,libjson0-dev,libxslt1-dev,libapache2-mod-wsgi,iptables-dev
SERVICES="apache2 dbus isc-dhcp-server slapd bind9"
INC=$INC,${SERVICES// /,}
diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk
index 2b7bde5a5..d58de95bf 100644
--- a/testing/scripts/recipes/013_strongswan.mk
+++ b/testing/scripts/recipes/013_strongswan.mk
@@ -70,6 +70,8 @@ CONFIG_OPTS = \
--enable-socket-dynamic \
--enable-dhcp \
--enable-farp \
+ --enable-connmark \
+ --enable-forecast \
--enable-addrblock \
--enable-ctr \
--enable-ccm \
@@ -92,7 +94,8 @@ CONFIG_OPTS = \
--enable-tkm \
--enable-ntru \
--enable-lookip \
- --enable-swanctl
+ --enable-swanctl \
+ --enable-bliss
export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
diff --git a/testing/tests/ha/both-active/description.txt b/testing/tests/ha/both-active/description.txt
index 4c64fff97..2d04e74f2 100644
--- a/testing/tests/ha/both-active/description.txt
+++ b/testing/tests/ha/both-active/description.txt
@@ -4,5 +4,5 @@ to the virtual gateway <b>mars</b> implemented by the two real gateways
based on <b>ClusterIP</b>. Depending on the hash of the IP addresses of the peers
and the SPIs, the inbound and outbound CHILD_SAs are either assigned to
segment 1 managed by <b>alice</b> or segment 2 handled by <b>moon</b>.
-The IKEv2 protocol is managed by <b>moon</b> exclusively with passive
-IKE_SAs installed on the backup gateway <b>alice</b>.
+The IKEv2 protocol is managed by <b>alice</b> exclusively with passive
+IKE_SAs installed on the backup gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/double-nat-net/evaltest.dat b/testing/tests/ikev1/double-nat-net/evaltest.dat
index 52c561964..8f5ffdb50 100644
--- a/testing/tests/ikev1/double-nat-net/evaltest.dat
+++ b/testing/tests/ikev1/double-nat-net/evaltest.dat
@@ -1,7 +1,7 @@
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/double-nat/evaltest.dat b/testing/tests/ikev1/double-nat/evaltest.dat
index 9ddad2de5..5f0622690 100644
--- a/testing/tests/ikev1/double-nat/evaltest.dat
+++ b/testing/tests/ikev1/double-nat/evaltest.dat
@@ -1,7 +1,7 @@
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/nat-rw/evaltest.dat b/testing/tests/ikev1/nat-rw/evaltest.dat
index 387dbae23..36d9f8456 100644
--- a/testing/tests/ikev1/nat-rw/evaltest.dat
+++ b/testing/tests/ikev1/nat-rw/evaltest.dat
@@ -2,10 +2,10 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.
venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
sun:: ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
sun:: ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES
-sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL.*ESP in UDP::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
moon:: sleep 6::no output expected::NO
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
index aab1df687..b8b1fdd09 100755
--- a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/bin/sh
# NAT updown script
#
# Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org>
@@ -13,7 +13,6 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
-# things that this script gets (from ipsec_pluto(8) man page)
#
# PLUTO_VERSION
# indicates what version of this interface is being
@@ -32,15 +31,20 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
#
# PLUTO_ME
# is the IP address of our host.
@@ -54,25 +58,21 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
-# if non-empty, then the source address for the route will be
-# set to this IP address.
+# PLUTO_MY_SOURCEIP4_$i
+# PLUTO_MY_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP received from a responder,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# virtual IP, IPv4 or IPv6.
#
# PLUTO_MY_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -80,31 +80,38 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
+#
+# PLUTO_XAUTH_ID
+# is an optional user ID employed by the XAUTH protocol
+#
+# PLUTO_MARK_IN
+# is an optional XFRM mark set on the inbound IPsec SA
+#
+# PLUTO_MARK_OUT
+# is an optional XFRM mark set on the outbound IPsec SA
+#
+# PLUTO_UDP_ENC
+# contains the remote UDP port in the case of ESP_IN_UDP
+# encapsulation
+#
+# PLUTO_DNS4_$i
+# PLUTO_DNS6_$i
+# contains IPv4/IPv6 DNS server attribute received from a
+# responder, $i enumerates from 1 to the number of servers per
+# address family.
#
# define a minimum PATH environment in case it is not set
@@ -129,22 +136,22 @@ up-client:)
# If you are doing a custom version, firewall commands go here.
iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-d $PLUTO_PEER_CLIENT -j ACCEPT
- iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
- -s $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+ -s $PLUTO_PEER_CLIENT -j ACCEPT
iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
- echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
+ echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
- iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
- -d $PLUTO_PEER_CLIENT -j ACCEPT
- iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
- -s $PLUTO_PEER_CLIENT -j ACCEPT
- iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
- -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
- echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
+ iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+ -d $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+ -s $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+ -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+ echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
diff --git a/testing/tests/ikev1/net2net-fragmentation/evaltest.dat b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat
index 842eda00b..2dd5a40dd 100644
--- a/testing/tests/ikev1/net2net-fragmentation/evaltest.dat
+++ b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat
@@ -1,7 +1,7 @@
moon::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES
sun::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES
-moon::cat /var/log/daemon.log::splitting IKE message with length of 1468 bytes into 2 fragments::YES
-sun::cat /var/log/daemon.log::splitting IKE message with length of 1388 bytes into 2 fragments::YES
+moon::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
+sun::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
moon::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
moon::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES
sun::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..4d99866f7
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm
+MPvvkhl7dwj12//qfklihpZtdazxO9XkN3oYIdgt4QLq35ljtIkEGgsPn3a3niFQ
+qjkCDj+lKmd9u4ecmGKR5PFUL+LwSU6cXJVNT6p1oXqntWZS8bFu+9y0Zpf30Lf1
+ILyZAgU2WTjSzTHyvu0w52GlbALZ3ILwze/J1DRHtqmPdiiu0qwSekqVBIOPZudR
+fl4LBnLIFlR0vOaJ9zpvxuPHKyxFSY3bvAsXsEkVYG/pTyVsx3fELFNFYP+75arN
+2UTMjbTSq6+KKUr1WwOmoBpU14Qwq3g4l1PChwIDAQABAoIBACBFB/Xqajv6fbn9
+K6pxrz02uXwGmacXAtVIDoPzejWmXS4QA4l17HrJDmelSnhelDKry8nnYHkTrTz7
+mn0wQ4HDWy86o/okJUG/TKRLd6bf79aRQqqohqd3iQkHk43GyzuXH+oGioVKF0fc
+ACDWw4wfjL7FMNdHCZ4Bz9DrHO/ysHe9B6rvSYm3VZRhSxaneIkaLkkDadKpVx3f
+XNFlMxY4qKPJYYSoJZ61iMqrO7+rnA93tmyDDs8PKU3BtnpfNrdePgleJHhk8Zqy
+Ev2/NOCSUxbKE8NCtLpGTs+T0qjjnu4k3WPd3ZOBAan0uPDekHZeHB/aXGLhYcxx
+J5SurqECgYEA+F1gppkER5Jtoaudt/CUpdQ1sR9wxf75VBqJ4FiYABGQz9xlG4oj
+zL/o572s0iV3bwFpnQa+WuWrxGkP6ZuB/Z82npc0N/vLou/b4dxvg4n7K+eOOEf0
+8FMjsse2tqTIXKCqcmQnR0NPQ1jwuvEKsXP5w/JOlnRXAXnd4jxsJI0CgYEA0GaT
+61ySttUW9jC3mxuY6jkQy8TEQqR3nOFvWwmCXIWOpN/MTTPus+Telxp/pdKhU+mo
+PmX3Unyne5PvwleWDq3YzltX5ZDZGJ5UJlKuNnfGIzQ6OcHRbb7zBpQG6qSRPuug
+bgo688hTnb1L59nK88zWVK45euf6pyuoI+SwIGMCgYEA7yvE8knyhBXvezuv0z1b
+eGHmHp5/VDwY0DQKSEAoiBBiWrkLqLybgwXf/KJ8dZZc8En08aFX2GLJyYe/KiB1
+ys3ypEBJqgvRayP+o/9KZ+qNNRd0rqAksPXvL7ABNNt0kzapTSVDae3Yu6s/j1am
+DIL5qAeERIDedG5uDPpQzdUCgYB7MtjpP63ABhLv8XbpbBQnCxtByw3W89F+Xcrt
+v55gQdhE4cSuMzA/CuMH4vNpPS6AI9aBJNhj3CtKo/cOJachAGb1/wvkO5ALvLW0
+fhZdPstUTnDJain7vfF/hwzbs/PlhXgu9T9KlLfRvXFdG+Sd4g8mumRiozcLkoRw
+y6XPTwKBgDJP+s9wXmdG90HST/aqC7FKrVXLpB63dY5swNUfQP6sa0pFnON0r0JC
+h/YCsGFFIAebQ2uOkM3g3f9nkwTp7910ov+/5uThvRI2w2BBPy0mVuALPjyyF1Z2
+cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
new file mode 100644
index 000000000..d8fad9aad
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA35VUimfpDmNpT/8Q3qnoDlxJ9R+EErSYVraVoUVmH9jSHroB
+eqqtDdf3XuHtg2xKTryijBj2H0jeA7HuE1UGwmvZWN1gL5vSrk1OFrT38DmaKa/+
+mtiPqjTJrDGg+OgOz1iHsPsp/4Xx+SCTSy2Ucllfront02sVduDXEGV34Snk6vYV
+sRn1BZSlFBO6F2k23/j1i7FDn0N6Zj0hFvCysoIcfSYasmwN2p5vRqn7xC9JceMK
+3V+v0w0pZoAUBAspAjh7R1rWe08IRAt4Tzff401EGAa5+TQqoZPd4BeqvFr0AQhQ
+mdVw97FB2pQyNxSlcVvxY3NFYHwSCHcEMroWwQIDAQABAoIBADH51hjN2zk9HVgl
+QmcTAWzcUie5cLMhrP+M9mtC8O3jcCwwFY6OwfnbMU8DHy0GMqHg5lB8b99UUVPw
+HLAzjDw/ESkc6pgZs4EEhJTsxJLsvTnePgHssEgyXnXf7gRVEqJkPohfy+Zy0UCH
+eIUQXiMlOQ7xg7iDMhwNa+UdWSt539DztSKilQn2xdPZjFnMT0/prvl4NA/8Zn54
+/SdWDq5yRdLWb6EK1V7yJ3687GXR1jzGtgy7TXuncUJVTYgX7RdP1Tn6gWD8YAQ/
+RfT0DdWYm4WHSgSb9/NW8lBZH2yy3hg+lNgofXEvTfBkO5QyW31LIr0tCV6zhJIc
+Y9MxaKUCgYEA9sktaXfhPLe0ECjdeQEOq5EKuDrCviSKCOuAV4BDSOsdw6+5LWfY
+Vb/oke8N70lL3RCblcj1pOKWUi2O/SpEJdDRduiw2gM9cXt3/bChSTHC4TsIxxN/
+Db9OGg72kZ4sRY5Au+zyAAQYBwXhFWux194Jk5qK0JblNG9J5QMqZDcCgYEA5+5h
+BgHUMEO+pdME5lAiSc5PcNTejpA6j+OikCh4/HFXy3C/dLx+Cs1+egw64c8iVaIv
+NEo7n7E9I0e3XqanPRXhMnBRrP+39OVsWPmZ18Li2Hi84KwJyi8Y11l3XJOqaYpF
+wMVUuZpxR0dfG5k/5GwT/tEkmQBglOgG3m2zUMcCgYEA4m3Vd9ahV5dp5AXKpzKc
+JjiPMFfhxJo7+FEz0ZUCp03qYljBu/Jy4MKS/grrqyiCLdQGHNlk4SNxLvdUId78
+5gGBnuuDEJU2dAAIKUE9yq2YlBUZSacOxStI2snt28/X6P3LUWHm7LLU5OS1D3Vf
+mKPF/6MlSJuas5CEqVZNN+MCgYBH9Qh7IaQgmVQUBKVXg3Mv7OduvUyTdKIGtHxi
+N3xZ7hxsDP4JjNWaKmlcGmFGX8pqQRheI83d3NJ4GK8GmbP3Wst0p65fezMqsudr
+r30QmPFicgs/tYCQDw6o+aPzwAi2F+VOSqrfrtAIaldSq7hL+VA21dKB+cD9UgOX
+jPd+TwKBgQCbKeg2QNS2qhPIG9eaqJDROuxmxb/07d7OBctgMgxVvKhqW9hW42Sy
+gJ59fyz5QjFBaSfcOdf4gkKyEawVo45/q6ymIQU37R4vF4CW9Z3CfaIbwJp7LcHV
+zH07so/HNsZua6GWCSCLJU5MeCRiZzk2RFiS9KIaLP4gZndv4lXOiQ==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/double-nat-net/evaltest.dat b/testing/tests/ikev2/double-nat-net/evaltest.dat
index 52c561964..8f5ffdb50 100644
--- a/testing/tests/ikev2/double-nat-net/evaltest.dat
+++ b/testing/tests/ikev2/double-nat-net/evaltest.dat
@@ -1,7 +1,7 @@
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/double-nat/evaltest.dat b/testing/tests/ikev2/double-nat/evaltest.dat
index 9ddad2de5..5f0622690 100644
--- a/testing/tests/ikev2/double-nat/evaltest.dat
+++ b/testing/tests/ikev2/double-nat/evaltest.dat
@@ -1,7 +1,7 @@
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/forecast/description.txt b/testing/tests/ikev2/forecast/description.txt
new file mode 100644
index 000000000..db67b9c3d
--- /dev/null
+++ b/testing/tests/ikev2/forecast/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to
+gateway <b>moon</b> and request a <b>virtual IP</b>. <b>moon</b> negotiates
+broadcast and multicast traffic selectors with the clients, and uses
+<i>%unique</i> marks to avoid any policy conflicts. The enabled <i>forecast</i>
+plugin on <b>moon</b> installs the required Netfilter rules to make use of these
+policies, and additionally starts forwarding broadcast and multicast packets
+between the clients.<br/>
+To test forwarding, the hosts send multicast and broadcast ping messages.
diff --git a/testing/tests/ikev2/forecast/evaltest.dat b/testing/tests/ikev2/forecast/evaltest.dat
new file mode 100644
index 000000000..6babe57f0
--- /dev/null
+++ b/testing/tests/ikev2/forecast/evaltest.dat
@@ -0,0 +1,20 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL, reqid 1::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL, reqid 2::YES
+alice::ping -W 1 -c 1 239.0.0.1 2>&1> /dev/null
+carol::ping -W 1 -c 1 239.0.0.2 2>&1> /dev/null
+dave::ping -W 1 -c 1 239.0.0.3 2>&1> /dev/null
+carol::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null
+dave::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null
+moon::iptables -t mangle -L -n -v
+carol::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES
+dave::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES
+carol::tcpdump::IP 10.1.0.130 > 239.0.0.3: ICMP echo request::YES
+dave::tcpdump::IP 10.1.0.129 > 239.0.0.2: ICMP echo request::YES
+carol::tcpdump::IP 10.1.0.130 > 10.1.255.255: ICMP echo request::YES
+dave::tcpdump::IP 10.1.0.129 > 10.1.255.255: ICMP echo request::YES
diff --git a/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..4cd628384
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=%config
+ leftsubnet=0.0.0.0/0
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=0.0.0.0/0
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..7b81476e9
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..e2255d96b
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftsourceip=%config
+ leftsubnet=0.0.0.0/0
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=0.0.0.0/0
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..7b81476e9
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..fde2e9103
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16,224.0.0.0/4
+ right=%any
+ rightid=*@strongswan.org
+ rightsourceip=10.1.0.128/26
+ rightsubnet=%dynamic,224.0.0.0/4,10.1.255.255
+ mark=%unique
+ auto=add
diff --git a/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..986ef32de
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown attr forecast
+ syslog {
+ daemon {
+ net = 2
+ }
+ }
+ plugins {
+ forecast {
+ interface = eth1
+ reinject = rw
+ }
+ }
+}
diff --git a/testing/tests/ikev2/forecast/posttest.dat b/testing/tests/ikev2/forecast/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev2/forecast/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/forecast/pretest.dat b/testing/tests/ikev2/forecast/pretest.dat
new file mode 100644
index 000000000..206bf5b64
--- /dev/null
+++ b/testing/tests/ikev2/forecast/pretest.dat
@@ -0,0 +1,7 @@
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/forecast/test.conf b/testing/tests/ikev2/forecast/test.conf
new file mode 100644
index 000000000..13b3927ae
--- /dev/null
+++ b/testing/tests/ikev2/forecast/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon carol dave"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/host2host-transport-connmark/description.txt b/testing/tests/ikev2/host2host-transport-connmark/description.txt
new file mode 100644
index 000000000..6660279c9
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/description.txt
@@ -0,0 +1,8 @@
+An IPsec <b>transport-mode</b> connection between the natted host <b>alice</b>
+and gateway <b>sun</b> is successfully set up. The client <b>venus</b> behind
+the same NAT as client <b>alice</b> also establishes the same <b>transport-mode</b>
+connection. <b>sun</b> uses the connmark plugin and a <b>%unique</b> mark on
+the CHILD_SAs to select the correct return path SA using connection tracking.
+This allows <b>sun</b> to talk to both nodes for client initiated flows, even
+if the SAs are actually both over <b>moon</b>.<br/>
+To test the connection, both hosts establish an SSH connection to <b>sun</b>.
diff --git a/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat b/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat
new file mode 100644
index 000000000..04a35c10c
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat
@@ -0,0 +1,7 @@
+sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+alice::ssh 192.168.0.2 'echo alice-echo && exit'::alice-echo::YES
+venus::ssh 192.168.0.2 'echo venus-echo && exit'::venus-echo::YES
+sun::iptables -t mangle -L -n -v
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf
new file mode 100644
index 000000000..9000ebcfe
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,17 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn nat-t
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ right=192.168.0.2
+ rightid=@sun.strongswan.org
+ type=transport
+ auto=add
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..220059c43
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ left=192.168.0.2
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+
+conn nat-t
+ right=%any
+ type=transport
+ mark=%unique
+ auto=add
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..1311e5b27
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default connmark
+}
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf
new file mode 100644
index 000000000..cea239abe
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,17 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn nat-t
+ leftcert=venusCert.pem
+ leftid=venus@strongswan.org
+ right=192.168.0.2
+ rightid=@sun.strongswan.org
+ type=transport
+ auto=add
diff --git a/testing/tests/ikev2/host2host-transport-connmark/posttest.dat b/testing/tests/ikev2/host2host-transport-connmark/posttest.dat
new file mode 100644
index 000000000..144be6c90
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/posttest.dat
@@ -0,0 +1,5 @@
+alice::ipsec stop
+venus::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-transport-connmark/pretest.dat b/testing/tests/ikev2/host2host-transport-connmark/pretest.dat
new file mode 100644
index 000000000..ab6408427
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE
+moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT
+moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16 -j ACCEPT
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::expect-connection nat-t
+venus::expect-connection nat-t
+alice::ipsec up nat-t
+venus::ipsec up nat-t
diff --git a/testing/tests/ikev2/host2host-transport-connmark/test.conf b/testing/tests/ikev2/host2host-transport-connmark/test.conf
new file mode 100644
index 000000000..8c2facefd
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun alice venus moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/host2host-transport-nat/description.txt b/testing/tests/ikev2/host2host-transport-nat/description.txt
index 6f18a88cd..fc7186c53 100644
--- a/testing/tests/ikev2/host2host-transport-nat/description.txt
+++ b/testing/tests/ikev2/host2host-transport-nat/description.txt
@@ -9,5 +9,6 @@ rules that let pass the decrypted IP packets. In order to test the host-to-host
dropped when the IPsec policies are consulted (increases the <em>XfrmInTmplMismatch</em> counter
in <em>/proc/net/xfrm_stat</em>).</li>
<li>A similar issue arises when <b>venus</b> also establishes an IPsec <b>transport-mode</b> connection to
-<b>sun</b>, due to the conflicting IPsec policies <b>sun</b> declines such a connection.</li>
+<b>sun</b>. Due to the conflicting IPsec policies <b>sun</b> will use the newer SA from
+<b>venus</b> to send traffic to the common transport mode address.</li>
</ol>
diff --git a/testing/tests/ikev2/host2host-transport-nat/evaltest.dat b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
index faa9fb265..0ec50bc92 100644
--- a/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
+++ b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
@@ -1,12 +1,9 @@
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT::YES
-sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT::YES
-alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
-venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::NO
-venus::ipsec up nat-t::received TS_UNACCEPTABLE notify::YES
-sun::cat /var/log/daemon.log::unable to install policy::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+alice::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::NO
+venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
sun::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ICMP echo request::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ICMP echo reply::NO
diff --git a/testing/tests/ikev2/host2host-transport-nat/pretest.dat b/testing/tests/ikev2/host2host-transport-nat/pretest.dat
index fe0f17d3d..2d2607078 100644
--- a/testing/tests/ikev2/host2host-transport-nat/pretest.dat
+++ b/testing/tests/ikev2/host2host-transport-nat/pretest.dat
@@ -10,3 +10,4 @@ sun::ipsec start
alice::expect-connection nat-t
venus::expect-connection nat-t
alice::ipsec up nat-t
+venus::ipsec up nat-t
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
index 65a003d23..8457ae0dd 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
@@ -1,6 +1,6 @@
moon:: cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES
-moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA signature successful::YES
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA.* successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
moon:: cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES
@@ -9,8 +9,8 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*228060123456001@strongswan.
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA signature successful::YES
-dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA.* successful::YES
+dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES
moon::cat /var/log/daemon.log::RADIUS authentication of '228060123456002' failed::YES
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 4e13b52d0..70b953e49 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,24 +1,24 @@
-----BEGIN CERTIFICATE-----
MIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxGTAX
-BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMDkxMTA0MTYyMzM1WhcNMTQxMTAz
-MTYyMzM1WjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
+BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMTQxMTI4MjIxODIyWhcNMTkwMjI1
+MjIxODIyWjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
bjEWMBQGA1UECxMNRHVjayBSZXNlYXJjaDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25n
-c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6LueCi67Y
-IGRDKP5bkysGWZHrFrztq7elIFCPPSUxyIOYo4Upzr5WsvO0dIfcZY3agV2NcAI2
-30sATlfTUp+obedZMHbzE3VBvQuLjgK42ox2XIXDj23Vy496mVqlwUQulhBcAhMb
-jnBb4T0aR7WCnJvfzyckEyWrTN0ajRyQhJEmTn+spYNQX/2lg6hEn/K1T/3Py7sG
-veeF6BRenHR5L60NSK7qV7AU+hM4R0UIvgwYqzxSStgGS9G6Bwj9QTOWwSV1tuii
-ABiRdZSBoON0uMMpRjgEzuVe0f4VbOCIEXO8MtdpCu7Rwa9tc8OwneLcGCYVomr5
-7KKRJdvC5As3AgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
-VR0OBBYEFFSYDz2TYOMxfyrIx20NhPPHTCOIMHkGA1UdIwRyMHCAFHYqqKQxp8Zx
-jzAlvAJmm8sXVI0goVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
+c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNBbHnfLRk
+Lvxh9V7x/NoSs5qavpr8F51LnYpIfppgMvBDjpdeSnBPOOPakPlfUhKSvXIesESv
+QI1HJOlGftswL9A5B1lTnsH65sqpgqgj67grh386U3O9ZccFhUj8Dw6TUo/qe4pK
+sWDwUX/LG3mjOx/rOGvX8WxvZU7JVXXhU4g8TpIV3JRTQ+lF82z3qoS6dAfRt4xh
+6pyLuMYbu6UtX5Al0iJDvpsWr9ZbKI2f8Dhkr0sZFRHl7Gs5jTN1Ra1EF0jCjIzo
+6AkkY+ITBssvVvMFpeN/jb0ZhvLcRFU56lvLkmrj/InKUsk9qNm80+/wFBUzJ5N7
+GezXmBIPwXdlAgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
+VR0OBBYEFLPw4VsFnIRIKhjd/OF7delHM9kiMHkGA1UdIwRyMHCAFIpw4MqlHGRv
+K5K5c1wBrJAb/fk1oVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
c3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDASBgNVBAMTC1Jlc2VhcmNo
-IENBggEFMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
-DQEBCwUAA4IBAQBIpl8SH4Nytgr6KvmXzns80u615WnDmP6oJrnwIZUkunVns8HH
-TFUVjvDKoQ+8CvuaH9Ifo2dokGjtGObeO4Y38y0xBIkUO+JpwfTa3SeCEhdOZb3G
-4e9WxHhV9IGfRyPsXQG+3JpAMaHYH+PNKiv7RBTq6rGaHzvgUEXRMTbv/bJI+Fs6
-Yfd/XxIur/ftVh4dZocyC74MUyXy5tyZJkHe1aBszOa0iT1852fq93lNUQPQqw0O
-3q3Lg7CvbNSdWqeAMqUgeBqh6oQItY9Exrwh0tfuCsjZ0oWXUBghsuiV+GTmZ6ok
-BiGmSmtX5OD4UtKcicuMRqnK2MYJHp1z1goE
+IENBggEKMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
+DQEBCwUAA4IBAQCi2vUHTZtkUGMAQsztQBLDwtqS7D+1ydO2BU/wkNRn4M7Zlkjq
+O2JBgwGmeWpnZWPdNo+A5ECqcVYXp0XQw/24zxV92StTN7mGvPKVM6bYExcCT8x6
+tVkzlfyjJaVdBgl12jkQA4v6Efwc0P6nunYfxYIrfoFA4kjMnAbxLfPKFEj8b8NW
+E9gvOEPy9hOv2dJEKyNxau+O5oGRZ46zSotcS0n34huoMEkXpUnpGOgZw8cl8xpP
+ffHiAJqZYgqU6B++HQO6M6IQ0nQmX6OxGz+5VhEmuizgWB0B1L65BlzAysdavLZN
+Yn4RdcYfpdbUgj5oRapiwWaQxpGImyQ1JBIU
-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 48727ed9d..ce60672bc 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAui7ngouu2CBkQyj+W5MrBlmR6xa87au3pSBQjz0lMciDmKOF
-Kc6+VrLztHSH3GWN2oFdjXACNt9LAE5X01KfqG3nWTB28xN1Qb0Li44CuNqMdlyF
-w49t1cuPeplapcFELpYQXAITG45wW+E9Gke1gpyb388nJBMlq0zdGo0ckISRJk5/
-rKWDUF/9pYOoRJ/ytU/9z8u7Br3nhegUXpx0eS+tDUiu6lewFPoTOEdFCL4MGKs8
-UkrYBkvRugcI/UEzlsEldbboogAYkXWUgaDjdLjDKUY4BM7lXtH+FWzgiBFzvDLX
-aQru0cGvbXPDsJ3i3BgmFaJq+eyikSXbwuQLNwIDAQABAoIBAGK7cOXXsTbHpqO+
-33QsjQpnAWyLuFDJWS/l/RKYuFq4HKEbRgivrFxJtdciXNHRwPH43GWe2m3C6AEX
-ipd0H1qwPZkcjFfHH81mtPKismrY6tfxpLXaH8LamhHHtTxlSwTxa2d/aiaY2JjA
-zyhakrTa3AZJ0lXdGYLH1hC4eEdiPghIqwL8YNB0V2ldq+bMdtQ1i3dcmseV9TI2
-DEAKWzjc7oIcuY9HtfEEAIPzSSqwrM7wUWd9dk70o7b05eK9pnTF59Lnk5U1J1Ag
-QnXBHBZfLVDnTYd+dFWM8wUIpO0n6ccUToINppwSejyOs726jUuWGZCthxLBsFZp
-5Pj9B6ECgYEA3lRxGRJsAfMoyOc4kLfDmlDtrP88knRlqRW7mVYjclhMbVtrtaTP
-44VqmxKIVNQt1p5hB/Gn4kbhC7OnUja/FVHdosEjFhYNh+QCisyaS2V7RNyEidJX
-Q61V8v0Z7MxHxxDljVvWfSdAUDRrFwWYxRXZJWwStEmtdAbiZa6aydkCgYEA1mEV
-2D+gaR+oBouqcZMiSAjV/qHbnfw4EC2XFCw84JMPerBwl4noWCgvgf0lRirbI+Ar
-PDOfoclLnDQRgnqkK4okSIW0SddxttbKdDhhZ2c2CoyKxUqN7/NEyy/tZ2WZRcmX
-LILTLXzi/9qq8lF9odjIl5KKsRpXhqMsf5b1w48CgYEAqDT8yDo+yw7b6Xu+OQc/
-Ds5xs3P7sNYtX8qYfz9DXCxfzlDfYbMKsZlr+V0BFiTddUWoJal4GeMEOqU2TyYq
-VYf1hkBXOkt++zPPlJGNnsNtisDH6bng2cwXfdpttdEr8Pjgo5063r9GkifGacmL
-Nnj8K6rjT9F6UJEw0jtS0qkCgYAi3RMSYfaSYgWPWvNTGRyAHn++s0/l93iemOty
-6mbUFtZzm3IUEudoPtDLEQIY0StmQDSHy9VwGC5lrsoSMCO2uPaBnMzfHVxu4at3
-Dxw4Fr7hJE4FG8TNewB7EsZHBGzSvqAJKxVw1liMR2F5musVgQ3OKJTJjIEjcjHw
-Zfp93QKBgQCPp6SH510qK9Rf+HjeWXJpOB2ByruC5rBgqrxE4rbIB3/fAl86a3Kq
-Q1VqdGb+CW0FlkPshDmmdi3IoCliXywadSaXi/unPfPTel0pQAC8NM7WpPoaUfnS
-QgL5iNXshicKoE8U6PRhYvn81zVpt4bFn3DZRgIlau2GQnijLkGvQw==
+MIIEpAIBAAKCAQEAzQWx53y0ZC78YfVe8fzaErOamr6a/BedS52KSH6aYDLwQ46X
+XkpwTzjj2pD5X1ISkr1yHrBEr0CNRyTpRn7bMC/QOQdZU57B+ubKqYKoI+u4K4d/
+OlNzvWXHBYVI/A8Ok1KP6nuKSrFg8FF/yxt5ozsf6zhr1/Fsb2VOyVV14VOIPE6S
+FdyUU0PpRfNs96qEunQH0beMYeqci7jGG7ulLV+QJdIiQ76bFq/WWyiNn/A4ZK9L
+GRUR5exrOY0zdUWtRBdIwoyM6OgJJGPiEwbLL1bzBaXjf429GYby3ERVOepby5Jq
+4/yJylLJPajZvNPv8BQVMyeTexns15gSD8F3ZQIDAQABAoIBABliJR6V7/efYZv3
+NyQavB0oo3GZO7MOcWkVPjOviQl0BQ84LkF8Ud9dGcjLvjQxAx+r2N83z6krAtLW
+HROfTR/wK4WEBWk29KlNvbWy+YJJAupQwk3EW0YNvdBPKjQa4SEYTb0oQnzw7SGT
+1ZCd/DdbcJ48xA1eVKCOGG0Q6aFV702mUszjZfrnyqr+zxx8ZE+YhKSXB0eGjv2+
++kiJMf25ZpgP5Pu5AAX0/KRN9E5orbr5pdFTBgOIJ6Sdsnr/q/tJaU/bPVJEtFvd
+BqSVtz87ftTdZVH5zMBkXPVwlWczQiK5J6igrMBcrHhnKUmt54kh9bEUmt2ZrBOx
+xmEV/wECgYEA+a+LjA3lZgk5Qy4qKvXe4EHvRSK513ZxN8gBvj4wA7JmEGv76gMw
+5o1DbpNOqumeyjrtsqVzjAu3GpowX4dfHRal9CZ57dtedjWlHPnnDtSMKzmJXiJb
+HzYPngpjxfAjrZNIBlQZeAhtYCQUDM/SSitcnP1gp3DEdVyxFNafmuECgYEA0jUA
+F0hSddYBo4tG84gnHQ6L0ftqn3K0UD9EcFAG2Zxv7dqSGdmCq6wo/q1UeKDVLjCX
+OteuqzDG+ka6DmbcLwj9VRMQP9lqUbtGOzwyWxYdcMUZnMtWHpuvcsyHLrAKqTxJ
+0Be7hlXCbSrh62CBpAgv91NMghZup3Tpku8qkQUCgYEAyWNp7uEWciJmaWVG5bfC
+uKb10pGby8ngr9lGbqfCGnk+EWjHm4xPWOX/yaRPA1PDm+HD7x+7/u1EFtTex25s
+rQ2jdTXDirIxkq7aKnD2iOOu2v5haefUD2yPVC2VJAX5APuWUGRs1oAVmEIBWgQV
+3XT0EjvcRbGTBAZrXh9uRIECgYEAzBclZXWUilAj+zOoyZ4xy6Zp3pAqL3Fg3GDx
+A9LPM80NZ3RFUc+7bQ6UJuEHGK+fC1+mFT1/mzqaljjBQGZh9VDXFhiSOEvRTFV1
+lOGXSpSoNOtJONC7ZrBloiIuRggp8bJVQDMqoPz27qMqAiwK8sX4PDumFs/M081R
+UpXfUDkCgYAOa/VoXgDlFMun1qEu6LFZcLhA6SyHRT0yT9WSYkHjcQusvJAZEM67
+lfUd1J57tG6+HS7z0wBkO72HG0YZDD8dhgzsYGChUHD+yq+OZ2FHnZWRSnnHq4zD
+ZBjS8PGcVu/4Ojx6B8GI41UgmdqH+US+AA6nYceb74NeIigXjtXUdA==
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
index bb205a0fd..2076242cc 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
@@ -1,23 +1,23 @@
-----BEGIN CERTIFICATE-----
-MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MIID0jCCArqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw
-M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MTEyODIyMDcwOFoXDTE5MDQwMTIyMDcw
+OFowVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu
-MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa
-ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO
-UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD
-h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY
-i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB
-o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2
-KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu984h2mkpbWJZc9Ydka6jC84EkPz
+w6tqtEkIdftEawgc5gvlC80JXLTwnQySMTb49KByyt44S59ZWE6SHHV0u2P2ihiw
+1duoY7NE+RZwODEsWVgnDRZmyume2Bj+Hpkugm6o+rL7jiGxhvNLeoFZK3RyD6IR
+IcEfZeAv7URGz7xdrzmK/vWXukfEnU8DlrFDSQUb3NaJS5tVVVLFuTWQBSjuT3NX
+7mdNHnpjcwT9/ruyOaNQ0DV2Bgz1nCiOup+oW396/AInb03CQ+wIqQpB9reWma0w
+F0Bc9lZxnv9ppYgBPsOTjE3yyyeTptzk9Gw+DFV1cw8Crm+aew5VH18oEwIDAQAB
+o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBSK
+cODKpRxkbyuSuXNcAayQG/35NTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF
-AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv
-YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx
-rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C
-1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5
-wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v
-DSlBqDpnqK8tEI9V9YeroihTcygrEg==
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDANBgkqhkiG9w0BAQsF
+AAOCAQEAMtm7ldvd45818Ghl8+Z7PfCnRXDPbikyCJn5PXkuR3TSB62ekJSGT1Rd
+i2rnDoIZpfSzDQSpKH616MuWtwJoomJh8n9wCzbdUv1sn1cfgjDSkgLqIbm/Xpc4
+zUcHnZFdwvMr3sq/xSO/SgkfgTHi8bFLLp2RQwPNsNycT94nNE7DRjSeRenpuEPM
+4t4xIZCoUyX3sdusHvh+dDu4iuIVQoM0zaW9p7pVh210ALt0jac3HW0rQXtbfchE
+VeuDLZ0G7baFZ9LLLWpuQB4zPRUET7puvzabsf+sHpO54y+zXRaB0tbiFIurt4gF
+5n7mN4ssNQdcD86W5lnI9pT5s1uvdw==
-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-rw-mark/evaltest.dat b/testing/tests/ikev2/nat-rw-mark/evaltest.dat
index bb8e856cc..c5390fbb6 100644
--- a/testing/tests/ikev2/nat-rw-mark/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw-mark/evaltest.dat
@@ -1,7 +1,7 @@
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
sun:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
sun:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
sun:: ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
index 421335ffb..e0c15f56a 100755
--- a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/bin/sh
# updown script setting inbound marks on ESP traffic in the mangle chain
#
# Copyright (C) 2003-2004 Nigel Meteringham
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,20 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
#
# PLUTO_ME
# is the IP address of our host.
@@ -63,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -85,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -93,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -143,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -157,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -193,119 +166,45 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- parms1="$PLUTO_PEER_CLIENT"
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
- if [ -n "$PLUTO_NEXT_HOP" ]
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
then
- parms2="via $PLUTO_NEXT_HOP"
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
-
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
fi
- if test " $oops" != " " -o " $st" != " 0"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
then
- echo "$0: doroute \`$it' failed ($oops)" >&2
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
fi
# is there an inbound mark to be set?
@@ -313,82 +212,18 @@ if [ -n "$PLUTO_MARK_IN" ]
then
if [ -n "$PLUTO_UDP_ENC" ]
then
- SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
+ SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
else
- SET_MARK="-p esp"
+ SET_MARK="-p $PLUTO_PROTO"
fi
SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
fi
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-fi
-
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -403,6 +238,14 @@ up-host:)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -430,6 +273,13 @@ down-host:)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -472,6 +322,15 @@ up-client:)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -518,6 +377,13 @@ down-client:)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
diff --git a/testing/tests/ikev2/nat-rw-psk/evaltest.dat b/testing/tests/ikev2/nat-rw-psk/evaltest.dat
index 6ec29c779..86fc1975e 100644
--- a/testing/tests/ikev2/nat-rw-psk/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw-psk/evaltest.dat
@@ -1,6 +1,6 @@
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL, ESP in UDP::YES
-sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL.*ESP in UDP::YES
+sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
sun:: ipsec status 2> /dev/null::nat-t.*\[PH_IP_ALICE\]::YES
sun:: ipsec status 2> /dev/null::nat-t.*\[PH_IP_VENUS\]::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
diff --git a/testing/tests/ikev2/nat-rw/evaltest.dat b/testing/tests/ikev2/nat-rw/evaltest.dat
index 387dbae23..36d9f8456 100644
--- a/testing/tests/ikev2/nat-rw/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw/evaltest.dat
@@ -2,10 +2,10 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.
venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
sun:: ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
sun:: ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES
-sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL.*ESP in UDP::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
moon:: sleep 6::no output expected::NO
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
index aab1df687..1afd70df8 100755
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/bin/sh
# NAT updown script
#
# Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org>
@@ -13,8 +13,6 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -32,15 +30,20 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
#
# PLUTO_ME
# is the IP address of our host.
@@ -54,25 +57,21 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
-# if non-empty, then the source address for the route will be
-# set to this IP address.
+# PLUTO_MY_SOURCEIP4_$i
+# PLUTO_MY_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP received from a responder,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# virtual IP, IPv4 or IPv6.
#
# PLUTO_MY_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -80,31 +79,38 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
+#
+# PLUTO_XAUTH_ID
+# is an optional user ID employed by the XAUTH protocol
+#
+# PLUTO_MARK_IN
+# is an optional XFRM mark set on the inbound IPsec SA
+#
+# PLUTO_MARK_OUT
+# is an optional XFRM mark set on the outbound IPsec SA
+#
+# PLUTO_UDP_ENC
+# contains the remote UDP port in the case of ESP_IN_UDP
+# encapsulation
+#
+# PLUTO_DNS4_$i
+# PLUTO_DNS6_$i
+# contains IPv4/IPv6 DNS server attribute received from a
+# responder, $i enumerates from 1 to the number of servers per
+# address family.
#
# define a minimum PATH environment in case it is not set
@@ -129,22 +135,22 @@ up-client:)
# If you are doing a custom version, firewall commands go here.
iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-d $PLUTO_PEER_CLIENT -j ACCEPT
- iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
- -s $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+ -s $PLUTO_PEER_CLIENT -j ACCEPT
iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
- echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
+ echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
- iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
- -d $PLUTO_PEER_CLIENT -j ACCEPT
- iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
- -s $PLUTO_PEER_CLIENT -j ACCEPT
- iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
- -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
- echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
+ iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+ -d $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+ -s $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+ -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+ echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
diff --git a/testing/tests/ikev2/net2net-cert-sha2/description.txt b/testing/tests/ikev2/net2net-cert-sha2/description.txt
new file mode 100644
index 000000000..c659b4c47
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/description.txt
@@ -0,0 +1,7 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> using SHA-2 to create signatures
+as enabled by the IKEv2 Signature Authentication extension described in <b>RFC 7427</b>.
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat
new file mode 100644
index 000000000..65737ba1f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat
@@ -0,0 +1,9 @@
+moon:: cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with RSA_EMSA_PKCS1_SHA512 successful::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PKCS1_SHA384 successful::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..5af6d2bbc
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftauth=rsa-sha384
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..2127105da
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..3c3d1e51d
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftauth=rsa-sha512
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..2127105da
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/net2net-cert-sha2/posttest.dat b/testing/tests/ikev2/net2net-cert-sha2/posttest.dat
new file mode 100644
index 000000000..837738fc6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+
diff --git a/testing/tests/ikev2/net2net-cert-sha2/pretest.dat b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat
new file mode 100644
index 000000000..81a98fa41
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/test.conf b/testing/tests/ikev2/net2net-cert-sha2/test.conf
index 646b8b3e6..afa2accbe 100755..100644
--- a/testing/tests/swanctl/net2net-cert-ipv6/test.conf
+++ b/testing/tests/ikev2/net2net-cert-sha2/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-
+
# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
index a26295090..6e5c24063 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -3,4 +3,5 @@
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
multiple_authentication = no
+ signature_authentication = no
}
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
index a26295090..6e5c24063 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -3,4 +3,5 @@
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
multiple_authentication = no
+ signature_authentication = no
}
diff --git a/testing/tests/ikev2/net2net-fragmentation/evaltest.dat b/testing/tests/ikev2/net2net-fragmentation/evaltest.dat
index 7f227fd62..c7437c8bb 100644
--- a/testing/tests/ikev2/net2net-fragmentation/evaltest.dat
+++ b/testing/tests/ikev2/net2net-fragmentation/evaltest.dat
@@ -1,7 +1,7 @@
moon::cat /var/log/daemon.log::IKE_SA_INIT request 0.*FRAG_SUP::YES
sun::cat /var/log/daemon.log::IKE_SA_INIT response 0.*FRAG_SUP::YES
-moon::cat /var/log/daemon.log::splitting IKE message with length of 1804 bytes into 2 fragments::YES
-sun::cat /var/log/daemon.log::splitting IKE message with length of 1596 bytes into 2 fragments::YES
+moon::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
+sun::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
moon::cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES
moon::cat /var/log/daemon.log::received fragment #2 of 2, reassembling fragmented IKE message::YES
sun::cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 7f5f8d703..124e2ae46 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,28 +1,28 @@
-----BEGIN CERTIFICATE-----
-MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0
-MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5
+MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh
-bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm
-RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG
-aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs
-BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU
-lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO
-wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51
-vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
-HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6
+GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu
+uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA
+PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2
+jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd
+D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK
+KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u
Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG
MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy
bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY
-AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX
-QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S
-smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1
-Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O
-vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC
-kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6
-Y0Y2hqCja6SsIjVc
+AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL
+aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo
+830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5
+lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2
+NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR
+pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu
+Mc/lk4Nl8pHRO+Xm
-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem
index 8295f97c1..11607c8cb 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA0ymiy05il+OUJkYyGgUsQcKH86qpGVrZdZrtHA6eqxlq//4Q
-t9TjvTGy3kWQV9FAbbiqLnHgI3a8BmiuwoUdBbfqpS2emfQR9g52uL03RErAd0p/
-rl7lOFjXcJpibkQV35f+4f0bft+ArAT/Nv0bUeBlaUu7u94ki5TeEWnlnckk6obW
-B+HCrdR/TIkm8MKJsHS3nUKN1KDnlJZFj68xSk94M1OLx69bIKWxeeKP4ga+f2Mi
-aVE/VFXg033wBDMZwHvP0P2t6YEizsCdx50r3Eh9MPM7h9WFzrX5qrKYZMFQSRoi
-81B1pWMVSAKAina7+HqEiS6pS+W+dbxpJi/N0QIDAQABAoIBAQCSHbx1XB8jJSot
-teMTWEMAmgCDHrN2RQQ2ueaaxI8MrED7NK4S1rBkCVDRN2ejLLudcOvpyYikYZPI
-B4XuOjgT7ejjNYcK1vXawrVqLhxhGCzIHvftC+MnM2qYk2vLCzfriXyomgD9sOCT
-p72GKmxOIq1pyCr228eEApYLjLCDlhso3PrCo7recUq7f56rLjvb4gfcfor6mJUd
-yIppZUnDFJnsRXup1G4L9Y9RNYtlkcDqem/Q49d5+AHCYH6R8YI0Iz3JnzZjalsq
-+IA6RJqHBTeOpiyCmHlUmVE/3YUm8n7w7RRngMOLjKdiTKHT+8EcHmyUorqW3Yea
-zCIe5C6FAoGBAO23egrSbamyWXcIOqx1GX9gzYmQ2nSKYUtRhsE8eNErw0zp4FKv
-AA7CAmoWEzjDJPSkUzDAajoZiH8+DIZ4IkwKbYjtq0vr1yCbx/PBKVN/JHGZ/Ao/
-dc/lQrNseza34NBrREN/gUytjefFMJ4YStSZCMuy3gP1Fqk6YCy/dObbAoGBAONn
-UqjmZYqoK0+jnGWdPOtXZ4bu8UoHc8/1MaVn3pq8bYh3PayFKpDKtcD1ZeXHCxL2
-1Y+Eid/DoZ2/RZbxT2mhi2mVZZCWc0xuML3Vz0B9bqi3ZfRLVP2u87fn//mGrD+9
-yy9PeIBv8UvjOhev6hZDBhPAVMsyjiw+wSX6kW/DAoGBAMBcrbSeLcGZok3xadFu
-fPCXvBtrDWwrIqpZUauDLN1PBZ5yz2T5WhmXI28HaAyR1ZDmfK9BtXRIfy1AX9Bc
-3JweAB9C/E/Wi+JGTVrR34hCpZIMImmEiuhtxDj/OwG/cHwXoUjhoBcVhnScHEiC
-reM152k21/Pp26mbpIHxeD7rAoGAaRy4S5P7uaTUKEKzJxEQOKQ1GVzXMWXSdXyb
-zx38+j9AzgR4AIepTjY03xVPXW+swb5Qpr8Xz9Oon7bq3sN59pSSUWKaCMRSVTDV
-3Nm4q9GO1fO377zmc0BsLUTSwC8s7WW4Ro0QYSXdPjuw/YP1ywZ+B6EuUKJ0ryTu
-uLRih2sCgYBm15N97b7Rp+aAti045iBla9/KH8z7szczIndpFWR4wjaI9tt0i9GR
-OZs7LFq0MYdg8JiXITyVcuqsUbdAP3TvsXGDHdatbDcrXM/DYuP6dPqMuGBKdnEn
-gIFT1z8mhv4Im3JKpuckMrIQ5vWhljcRZgiEJYZfEAkLJo7ePG2VzA==
+MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0
+unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd
+GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb
+kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg
+z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY
+pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ
+ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB
+u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9
+ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt
+pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV
+VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/
+ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/
+intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku
+4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I
+HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd
+iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE
+caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX
+b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0
+8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04
+J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7
+3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09
+NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh
+VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU
+KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof
+50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem
index 9ccd47a2c..a93121da1 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem
@@ -1,28 +1,28 @@
-----BEGIN CERTIFICATE-----
-MIIEtjCCA56gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEtjCCA56gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzUyMVoXDTE0
-MTIyMjEzMzUyMVowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDkwMFoXDTE5
+MTIyMTA2NDkwMFowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu
-Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1HhvoVh/fM14RE
-CTXr4to9ZEeGSqHLl5du+eYZl1fC7qLYaCtlaH+eLfDsCgYpe+XsDLHIxpTK9R6k
-XgLP1Jraxz3rtv5qJKkV3aDTjQ2d+cFc0EgiZmn53VEmI/IlcJS/VZzHhNvEJk7H
-k0YpoazpGPtNzFGaehV5mXUAeVPx4RH8fjcSiPbuPS3WC7cqtYvVwk97dj05VfEC
-VnG+90+eFKztvawBzNGwGQ7xZV7kSiPHNyGAV0qrKvhXZ0VPnm/OEiGCAlIo8uno
-Yb/4UMM/a5usCaA9Hgbf8+qqmrzavSUkFEa0y/p9bOBHaqfNP002xktbqBCCodRr
-6QgmiysCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
-DgQWBBTaKhy7PH1ihWsD+3/bJQ3e3Isj+DCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
+Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+7A6hhF+4kxCv5
+oR9DEpv1gnpGmPpn6i7JfuLGIJ9phQ3bUnSMIx8+mp3JE4SLXINLcyCHilK74tIf
+pwYx2K0c2txTFIWLQvBaHWohJ9Sgg4ElVXmSa/b0Nym5FcttdcRgNGd/+DLPs9Tw
+ZoieGvJcZWiOBP+xxPbEo2xcoi3GetPN+XSW+m1BvU88Ysrp0o+4+rLPB5iipUB1
+Iksb51SvF4iG4BHfoTKGlHLwVyjJnp7YnYJtjY6Xaw1GbCf6wcwLlq71uoMj39cd
+0clncpi/s13K2Sh0YHiCcQD5vIkP9BRmobWAXseBZevYI/rU5dz761EqHf72TRrd
+bM3/KycCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
+DgQWBBTPOzV+XXFm2wEX9j+NxqVXiRBq7TCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3
YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz
d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo
dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww
RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR
-AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAOqdCIldA
-mPp2aAWVPBiKXNrk4VJoIGlwZaUtYNxGQ46wUqAro/taKwZd4B1yvwsX/cHX3Y6j
-C1mQtiXw9onJm1qJM1a804U9yPcgdI+9RMiU0hA+aVmyMlS6WQsKFubU17qP2Ljd
-4hOwVQ681Hi8zfQjJdYpaO1yLcpy2dkotreJS3wA24ssnskRBI/cuAN0dfbV6SDQ
-TK91qz0emHoK3efgtvX4oEpsxI4NrwMstaZSVsHn4npKTGYu82dmPoK6WPblGEHZ
-Iavl08lGcYBV5I2ZGuWOekWQzUuBSveV3AFjieeaDIG3Ue3AKaihn6dCLz6l+t7E
-dXN+1axy9zQ34g==
+AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAgJDWuKCu
+7H/K4U7xFRarSKtj9oMAAsq2vLSQqJTUg6fdTnFIlH3OBPcwEzFwVx30QlQyls1p
+nHm/cptV/3cxvqCvdnT2dVspJu+9a5D+zZNeLAtWZuyRN6Nlmeqj1Nnp6eEHEBrg
+oXMzmAf0ulzIZJsEVYwJSCXm0AMOlyvoIYqKxty3L2VZ1iAU1z15lnFhcvamraGx
+k7yaI9ujVR4xQZOOgh05pUrEKaXI3XR1rIoL3NV3ws/JgHch/CQw/If7x4VQmGcD
+yJbKkKn0S18TJr0KhPqbM4+inldEwyX/zjGmlHezy0em5qTRYwupFIQNwZZkTXug
+NnBR3lf2HB2lWA==
-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem
index 6e047af69..55f5f8037 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArUeG+hWH98zXhEQJNevi2j1kR4ZKocuXl2755hmXV8Luotho
-K2Vof54t8OwKBil75ewMscjGlMr1HqReAs/UmtrHPeu2/mokqRXdoNONDZ35wVzQ
-SCJmafndUSYj8iVwlL9VnMeE28QmTseTRimhrOkY+03MUZp6FXmZdQB5U/HhEfx+
-NxKI9u49LdYLtyq1i9XCT3t2PTlV8QJWcb73T54UrO29rAHM0bAZDvFlXuRKI8c3
-IYBXSqsq+FdnRU+eb84SIYICUijy6ehhv/hQwz9rm6wJoD0eBt/z6qqavNq9JSQU
-RrTL+n1s4Edqp80/TTbGS1uoEIKh1GvpCCaLKwIDAQABAoIBAHKb86/nm9YPu6B1
-K65phdMZdgFE1oorUenMcid6V7qpaRN2lXfWjAaUxggq5vpqZ9OMjFzu0kHJ99S7
-nJ65fgKqn8vZ42BlLjhUCRH9urb9/Rqi2/RKJHkF1hd9ZZscnlkUMHkRElQVac0D
-feqTUKdASdC2BWUYCpW3pwNXO+iD5bA9/wB2J/RYYmm6Qo7UZQU8C0lken/8EOEL
-/ch0ID7C5PC0vWvLT0fM9j2JKDq8T6NRhF1MluISGDOp4pW7tEbkHo5I6zD0aPO2
-K9leN3aSUYsOVJk39VXkThwgJ4lqNEXI2xRbtW8sAf7TL1YDxLR2JN3UGvy/By5B
-UblJUnECgYEA2nO+iXScKd3qqmHrdXcxf2ExZQr8QgTAsZOkb6LQ9kGQll0lBcFc
-T2HlobzOaQktpF44C41zf2QpGDllbpyNT8VyQkI+CJ4pntjtKPkoPkxUeVlciFsm
-7THqCGe0zQBWDnXFVfTKR12aRwkhjG+QCQyyaAaV8YztEsDI5SRCjykCgYEAyxAb
-t/NTh9DBDrfJCkT21Rm9Ow70vhDaAyQLq3nJMF+BTXYDrnVMmFHCIHd+nbNP0CLs
-cV/fWAF6626ko5B6ewPFQ4wXRvtNAiDNZSfeaZgvxCrvoDgVrHWhfwHSXWFqny0o
-WHwIJJQvdkLW9BHwbpAQRoD1c2sy7pWIVTEyljMCgYEA0zZXwkUp/FzhWG2moANn
-qzZI8N4nOpmnycnrkjiE+6Q27PsQIblrzCDmSnPnyqyiIasrWxgf1Mr95LsR9FmP
-U9Ke/6tWmTR7H2e0HgqRO3LHtjCNhBVF1M6O7iN/Lzqk+gQqkUpGDaxVz1rnwgXX
-6LgLAwNjFJJiYeBeHRbq98kCgYAwBdg4UbBgf0sY+vftmM+zKAorjGbvCDc25PBp
-ljyxVvTSZ+WI/a6mmzdIzFnCW+S1OX0ndt/wBTGXuivvjryYmRSu29OpcscMiMtq
-b9pWqKorP2g6QOlHRu5xhfHFKcO4b0qKWpLma7Epy7bgM9njm+htdBQYPrLl37FF
-TIRFJwKBgGnZR5rm5iCrcIoAUMlH4/5ye5BPjHDn1NNv7Q7PZR9jhaEuoiBgvk6v
-h+YVi9A9nhbaqS4/rumsNPlObeIw78713pendaWCjC4hA0urrJ4fElfuaIyZMyKE
-FD64V78iaYVlmwKMJxZUnS1EFzb0XQZM7wxhB/i0wwjh+48rBHbd
+MIIEpAIBAAKCAQEA77sDqGEX7iTEK/mhH0MSm/WCekaY+mfqLsl+4sYgn2mFDdtS
+dIwjHz6anckThItcg0tzIIeKUrvi0h+nBjHYrRza3FMUhYtC8FodaiEn1KCDgSVV
+eZJr9vQ3KbkVy211xGA0Z3/4Ms+z1PBmiJ4a8lxlaI4E/7HE9sSjbFyiLcZ60835
+dJb6bUG9TzxiyunSj7j6ss8HmKKlQHUiSxvnVK8XiIbgEd+hMoaUcvBXKMmentid
+gm2NjpdrDUZsJ/rBzAuWrvW6gyPf1x3RyWdymL+zXcrZKHRgeIJxAPm8iQ/0FGah
+tYBex4Fl69gj+tTl3PvrUSod/vZNGt1szf8rJwIDAQABAoIBAQDf/YrzXpTva+bn
+d7y16wOOORyKh0AUZ9eFk7s8xAZjLEKnqc8nGnEOln39A417AIOWIX8WW85Ac1EB
+J5X10ck0JovP5Mh95prK3Egzi3sdzkRQ/MMablb2TUTldQwKIOIyc/lC42zSfQL3
+6Q7Eg4WGAhK2WEwPZNg2AZD4hKz7unK+IAar9uLi39E4iVzDavzwK5y+fsy3HVFD
+cJbPWAr4+4teinF5wkRzK7OInwkPc9IrUF/9wp1ZWp/Rc1YEkCVwmu5v7kPzALI0
+SLwYLil8mXfvG0VZjYIlhCSOJJRuw/0JR2cCDJ9WFppK+YKNh+uLoPXhJxbXM8fB
+BmCHhpdRAoGBAPpc7DhUQv8mxGCOy9O/ec50GTPj0bWD0WLrJoqvHu+LyN8OwTdG
+KMdV4Mp/tpAWbAlKH22/+7P/QCOCwByHQaUisnbkqx+5/JhZsQB7rLAdQ8SHLdj2
+iO2+6cgYPOFm6W4QT7/vl4BHAK4Glw5NPyS5sN9JBTY4bpzFHunsRe27AoGBAPUg
+zoUZnZ/6g+8XRSH77aLAbKScMBGusyxfhFAesqaXcrCrg8FG6Wcpuv2HsBE1v0d0
+7/1oJdT+p+uB2V3iZqTOeJeOCVYXgU82NRZl7R8hqYzkD8rFUZVg6hlm2xi+IUpE
+ya4itKWIckSvnexEqiBov7k8sPmb7R/7HWGWUOuFAoGADz8PZ5LCDbW3qcWoZfm4
+Gjl5u245PBuN6b82NqXZdW8GyYalf483NoRlTw+d94JWC+7GoTFay6hUqJTyzAn0
+lnDZe2ILhcAWwNRdchEWABeYI+Szhw3kYs4IgJXxRyy0NG6r3J1jlX09bluaYVWU
+7dCdE8vnlFi1a7iZXFd2HrcCgYBknEGHqdrjdbw/Hwr2BuQjf91Xtu+X4l+SH+Y7
+yE3FSLX/Q3aBluxntl4Uf2PJvIi0+I8kMGIOyTL827/u4+UDUed3NQop9t3ROEuT
+1OP9eiCQPm8o59IzgKK1KF1XC3q4dAFfYslIg/d6r6Ye+pPlV3kRu5Jb8R7jmHsX
+uc2ezQKBgQDgouR4ipkb+sQcMKkhzHUEx67aHEVH69v2R9lm8YgPHjvPCA++DgPZ
+dwWALnW5wKRfdGy4b1yTIICUgjKIIlD2owJB/J5Z4SzrzbOAEJkNURGAhp6njsf+
+QYRyoXLOb/8jAQqLx9hOB8L2gsRSDddvvYw/DTP2cKM8vJtYFWam+A==
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
index bdba3fb05..e9ab41c7f 100755
--- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/bin/sh
# updown script setting inbound marks on ESP traffic in the mangle chain
#
# Copyright (C) 2003-2004 Nigel Meteringham
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,20 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
#
# PLUTO_ME
# is the IP address of our host.
@@ -63,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -85,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -93,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -186,7 +169,6 @@ fi
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
up-client:)
# connection to my client subnet coming up
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt b/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt
new file mode 100644
index 000000000..dfec6a3b6
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt
@@ -0,0 +1,8 @@
+This scenario tests <b>make-before-break reauthentication</b> using overlapping
+IKE_SAs by setting the <i>make_before_break</i> strongswan.conf option for
+clients using an assigned virtual IP. The initiator <b>carol</b> reauthenticates
+the IKE_SA with host <b>moon</b> using <b>ikelifetime=10s</b>, but does not
+close the old IKE_SA before the replacement CHILD_SA using the same virtual IP
+is in place. A constant ping from <b>carol</b> to client <b>alice</b>
+hiding in the subnet behind <b>moon</b> tests if the CHILD_SA works during the
+whole procedure.
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat
new file mode 100644
index 000000000..509457418
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat
@@ -0,0 +1,7 @@
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..6447b1cca
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ keylife=20m
+ ikelifetime=10s
+ rekeymargin=5s
+ rekeyfuzz=0%
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftsourceip=%config
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f89437e43
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+
+ make_before_break = yes
+}
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..121ea7eab
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=30m
+ keylife=20m
+ rekeymargin=0s
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ rightsourceip=10.3.0.0/24
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f585edfca
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat
new file mode 100644
index 000000000..046d4cfdc
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
new file mode 100644
index 000000000..baacc1605
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf
new file mode 100644
index 000000000..4a5fc470f
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-mbb/description.txt b/testing/tests/ikev2/reauth-mbb/description.txt
new file mode 100644
index 000000000..ab92d7df8
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/description.txt
@@ -0,0 +1,7 @@
+This scenario tests <b>make-before-break reauthentication</b> using overlapping
+IKE_SAs by setting the <i>make_before_break</i> strongswan.conf option. The
+initiator <b>carol</b> reauthenticates the IKE_SA with host <b>moon</b> using
+<b>ikelifetime=10s</b>, but does not close the old IKE_SA before the replacement
+CHILD_SA is in place. A constant ping from <b>carol</b> to client <b>alice</b>
+hiding in the subnet behind <b>moon</b> tests if the CHILD_SA works during the
+whole procedure.
diff --git a/testing/tests/ikev2/reauth-mbb/evaltest.dat b/testing/tests/ikev2/reauth-mbb/evaltest.dat
new file mode 100644
index 000000000..509457418
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/evaltest.dat
@@ -0,0 +1,7 @@
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..f46405a47
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ keylife=20m
+ ikelifetime=10s
+ rekeymargin=5s
+ rekeyfuzz=0%
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f89437e43
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+
+ make_before_break = yes
+}
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..2f4557447
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=30m
+ keylife=20m
+ rekeymargin=0s
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f585edfca
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/reauth-mbb/posttest.dat b/testing/tests/ikev2/reauth-mbb/posttest.dat
new file mode 100644
index 000000000..046d4cfdc
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-mbb/pretest.dat b/testing/tests/ikev2/reauth-mbb/pretest.dat
new file mode 100644
index 000000000..baacc1605
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/reauth-mbb/test.conf b/testing/tests/ikev2/reauth-mbb/test.conf
new file mode 100644
index 000000000..4a5fc470f
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
index d59eef513..20f1f132c 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
index 0ea4e21ab..77e306bf9 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
index b4825fb82..c2efc3fcd 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
index 6a20b8e8c..e09765fb6 100644
--- a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
@@ -1,7 +1,7 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::requesting EAP_TLS authentication, sending EAP_NAK::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TLS succeeded, MSK established::YES
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
index 1460ec8f9..10ce861b1 100644
--- a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
@@ -8,7 +8,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswa
moon ::ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
index aa6d4291b..47a4977a2 100644
--- a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
@@ -8,7 +8,7 @@ carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongsw
moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO
-dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
index 42d2c319e..5853deb26 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
@@ -1,6 +1,6 @@
carol::cat /var/log/daemon.log::configured EAP-Identity carol::YES
carol::cat /var/log/daemon.log::added EAP secret for carol moon.strongswan.org::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'PH_IP_CAROL' with EAP successful::YES
moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
index 8f813395a..109407b96 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
index 881971e80..87c37f3a3 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
index a8019b3e7..49045c9ef 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
index b4825fb82..c2efc3fcd 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
index 84f41fd93..88ab87d29 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
index b4825fb82..c2efc3fcd 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
index 010f48315..892fdd6ef 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
index 95c29b7f5..d3d97dc38 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
@@ -1,9 +1,9 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
index f1a68bc19..0dfc89e07 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
index 21cfe429a..a514f48b7 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
index ab27b4510..f33e7bc36 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: ipsec status 2> /dev/null::rw-eap-sim.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
index b4825fb82..c2efc3fcd 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
index 7584e14dc..75349b031 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
index a471a2cfa..f250c0cb3 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
@@ -1,9 +1,9 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
index 421335ffb..b8b45e3b0 100755
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/bin/sh
# updown script setting inbound marks on ESP traffic in the mangle chain
#
# Copyright (C) 2003-2004 Nigel Meteringham
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,20 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
#
# PLUTO_ME
# is the IP address of our host.
@@ -63,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -85,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -93,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -143,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -157,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -193,119 +166,45 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- parms1="$PLUTO_PEER_CLIENT"
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
- if [ -n "$PLUTO_NEXT_HOP" ]
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
then
- parms2="via $PLUTO_NEXT_HOP"
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
-
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
fi
- if test " $oops" != " " -o " $st" != " 0"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
then
- echo "$0: doroute \`$it' failed ($oops)" >&2
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
fi
# is there an inbound mark to be set?
@@ -320,75 +219,11 @@ then
SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
fi
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-fi
-
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -403,6 +238,14 @@ up-host:)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -430,6 +273,13 @@ down-host:)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -472,6 +322,15 @@ up-client:)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -518,6 +377,13 @@ down-client:)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
diff --git a/testing/tests/ikev2/rw-ntru-bliss/description.txt b/testing/tests/ikev2/rw-ntru-bliss/description.txt
new file mode 100644
index 000000000..b81fdb7cf
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/description.txt
@@ -0,0 +1,15 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The key exchange is based on NTRU encryption with a cryptographical strength of 128 bit and
+192 bit for <b>carol</b> and <b>dave</b>, respectively. Authentication is based on the BLISS
+algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for
+<b>carol</b>, <b>dave</b> and <b>moon</b>, respectively.
+<p>
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
+IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
+increasing order.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
+the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
+pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat
new file mode 100644
index 000000000..5a88b6641
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat
@@ -0,0 +1,26 @@
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA512 successful::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA512 successful::YES
+dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA256 successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS_WITH_SHA384 successful::YES
+moon:: ipsec statusall 2> /dev/null::rw\[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
+moon:: ipsec statusall 2> /dev/null::rw\[2]: IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..f13e47a71
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes128-sha256-ntru128!
+ esp=aes128-sha256!
+ authby=pubkey
+ fragmentation=yes
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=%config
+ leftcert=carolCert.der
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der
new file mode 100644
index 000000000..cbc7e09c1
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der
new file mode 100644
index 000000000..491e245dd
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der
new file mode 100644
index 000000000..b2831a8ed
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..c2225646d
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: BLISS carolKey.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ab824c993
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+ send_vendor_id = yes
+ fragment_size = 1500
+}
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..5f605a43d
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes192-sha384-ntru192!
+ esp=aes192-sha384!
+ authby=pubkey
+ fragmentation=yes
+
+conn home
+ left=PH_IP_DAVE
+ leftsourceip=%config
+ leftcert=daveCert.der
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der
new file mode 100644
index 000000000..cbc7e09c1
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der
new file mode 100644
index 000000000..83a213710
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der
new file mode 100644
index 000000000..0ec528ddf
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..fe2643204
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: BLISS daveKey.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ab824c993
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+ send_vendor_id = yes
+ fragment_size = 1500
+}
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..2a9b33aae
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes128-sha256-ntru128,aes192-sha384-ntru192!
+ esp=aes128-sha256,aes192-sha384!
+ authby=pubkey
+ fragmentation=yes
+
+conn rw
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.der
+ leftauth=bliss-sha512
+ leftid=moon.strongswan.org
+ leftfirewall=yes
+ right=%any
+ rightsourceip=10.3.0.0/28
+ auto=add
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der
new file mode 100644
index 000000000..cbc7e09c1
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der
new file mode 100644
index 000000000..1ab7d21f7
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der
new file mode 100644
index 000000000..c989f91e5
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..b4a9ee68d
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: BLISS moonKey.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ab824c993
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+ send_vendor_id = yes
+ fragment_size = 1500
+}
diff --git a/testing/tests/ikev2/rw-ntru-bliss/posttest.dat b/testing/tests/ikev2/rw-ntru-bliss/posttest.dat
new file mode 100644
index 000000000..9ba8c5f55
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/posttest.dat
@@ -0,0 +1,9 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
+carol::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
+dave::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/pretest.dat b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat
new file mode 100644
index 000000000..24249435e
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+dave::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-ntru-bliss/test.conf b/testing/tests/ikev2/rw-ntru-bliss/test.conf
new file mode 100644
index 000000000..164b07ff9
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
index ab398a3bb..55b295781 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
@@ -2,8 +2,8 @@ moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pr
moon:: cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre-shared key::YES
moon:: ipsec status 2> /dev/null::rw-psk.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*\[PH_IP_MOON]::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES
moon:: ipsec status 2> /dev/null::rw-rsasig.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
index 1648c9557..1206ea4b7 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
@@ -1,6 +1,6 @@
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
index ccbc769e2..b192f788f 100644
--- a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
index 438e1c14c..6ebb7c356 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-sig-auth/description.txt b/testing/tests/ikev2/rw-sig-auth/description.txt
new file mode 100644
index 000000000..569d7e054
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> an <b>dave</b> set up a connection to gateway
+<b>moon</b>. They authenticate themselves using <b>RSA signatures</b> but
+they use different hash algorithms. <b>moon</b> uses signature scheme constraints
+to only allow access to the <b>research</b> and <b>accounting</b> subnets if
+specific algorithms are used. <b>Note:</b> Because the client certificate's are signed
+with SHA-256 we have to accept that algorithm too because signature schemes in
+<b>rightauth</b> are also used as constraints for the whole certificate chain.
+Therefore, <b>carol</b> obtains access to the <b>research</b> subnet behind gateway
+<b>moon</b> whereas <b>dave</b> has access to the <b>accounting</b> subnet, but not
+vice-versa.
diff --git a/testing/tests/ikev2/rw-sig-auth/evaltest.dat b/testing/tests/ikev2/rw-sig-auth/evaltest.dat
new file mode 100644
index 000000000..261475f56
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/evaltest.dat
@@ -0,0 +1,20 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA_EMSA_PKCS1_SHA384 successful::YES
+moon ::ipsec status 2> /dev/null::research.*ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES
+carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA_EMSA_PKCS1_SHA512 successful::YES
+moon ::ipsec status 2> /dev/null::accounting.*ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES
+dave ::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::accounting.*INSTALLED, TUNNEL::YES
+dave ::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::NO
+dave ::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..b1aa2d99a
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn alice
+ rightsubnet=10.1.0.10/32
+ also=home
+ auto=add
+
+conn venus
+ rightsubnet=10.1.0.20/32
+ also=home
+ auto=add
+
+conn home
+ left=%any
+ leftcert=carolCert.pem
+ leftauth=pubkey-sha384
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=pubkey
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..044d73ac3
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown
+}
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..eef3e2622
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn alice
+ rightsubnet=10.1.0.10/32
+ also=home
+ auto=add
+
+conn venus
+ rightsubnet=10.1.0.20/32
+ also=home
+ auto=add
+
+conn home
+ left=%any
+ leftcert=daveCert.pem
+ leftauth=pubkey-sha512
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=pubkey
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..044d73ac3
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown
+}
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..9f9051eeb
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn research
+ rightauth=pubkey-sha384-sha256
+ leftsubnet=10.1.0.0/28
+ also=rw
+ auto=add
+
+conn accounting
+ rightauth=pubkey-sha512-sha256
+ leftsubnet=10.1.0.16/28
+ also=rw
+ auto=add
+
+conn rw
+ left=PH_IP_MOON
+ leftid=@moon.strongswan.org
+ leftcert=moonCert.pem
+ leftauth=pubkey
+ leftfirewall=yes
+ right=%any
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..044d73ac3
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown
+}
diff --git a/testing/tests/ikev2/rw-sig-auth/posttest.dat b/testing/tests/ikev2/rw-sig-auth/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-sig-auth/pretest.dat b/testing/tests/ikev2/rw-sig-auth/pretest.dat
new file mode 100644
index 000000000..bec31cc68
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up alice
+carol::ipsec up venus
+dave::ipsec up alice
+dave::ipsec up venus
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-sig-auth/test.conf b/testing/tests/ikev2/rw-sig-auth/test.conf
new file mode 100644
index 000000000..b9e97e43b
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=""
+
diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2/rw-whitelist/evaltest.dat
index 9418d6ee1..3522c3d79 100644
--- a/testing/tests/ikev2/rw-whitelist/evaltest.dat
+++ b/testing/tests/ikev2/rw-whitelist/evaltest.dat
@@ -1,6 +1,6 @@
moon:: cat /var/log/daemon.log::whitelist functionality was already enabled::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA signature successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES
moon:: cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 7f5f8d703..124e2ae46 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,28 +1,28 @@
-----BEGIN CERTIFICATE-----
-MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0
-MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5
+MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh
-bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm
-RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG
-aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs
-BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU
-lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO
-wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51
-vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
-HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6
+GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu
+uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA
+PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2
+jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd
+D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK
+KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u
Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG
MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy
bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY
-AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX
-QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S
-smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1
-Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O
-vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC
-kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6
-Y0Y2hqCja6SsIjVc
+AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL
+aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo
+830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5
+lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2
+NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR
+pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu
+Mc/lk4Nl8pHRO+Xm
-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
index 8295f97c1..11607c8cb 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA0ymiy05il+OUJkYyGgUsQcKH86qpGVrZdZrtHA6eqxlq//4Q
-t9TjvTGy3kWQV9FAbbiqLnHgI3a8BmiuwoUdBbfqpS2emfQR9g52uL03RErAd0p/
-rl7lOFjXcJpibkQV35f+4f0bft+ArAT/Nv0bUeBlaUu7u94ki5TeEWnlnckk6obW
-B+HCrdR/TIkm8MKJsHS3nUKN1KDnlJZFj68xSk94M1OLx69bIKWxeeKP4ga+f2Mi
-aVE/VFXg033wBDMZwHvP0P2t6YEizsCdx50r3Eh9MPM7h9WFzrX5qrKYZMFQSRoi
-81B1pWMVSAKAina7+HqEiS6pS+W+dbxpJi/N0QIDAQABAoIBAQCSHbx1XB8jJSot
-teMTWEMAmgCDHrN2RQQ2ueaaxI8MrED7NK4S1rBkCVDRN2ejLLudcOvpyYikYZPI
-B4XuOjgT7ejjNYcK1vXawrVqLhxhGCzIHvftC+MnM2qYk2vLCzfriXyomgD9sOCT
-p72GKmxOIq1pyCr228eEApYLjLCDlhso3PrCo7recUq7f56rLjvb4gfcfor6mJUd
-yIppZUnDFJnsRXup1G4L9Y9RNYtlkcDqem/Q49d5+AHCYH6R8YI0Iz3JnzZjalsq
-+IA6RJqHBTeOpiyCmHlUmVE/3YUm8n7w7RRngMOLjKdiTKHT+8EcHmyUorqW3Yea
-zCIe5C6FAoGBAO23egrSbamyWXcIOqx1GX9gzYmQ2nSKYUtRhsE8eNErw0zp4FKv
-AA7CAmoWEzjDJPSkUzDAajoZiH8+DIZ4IkwKbYjtq0vr1yCbx/PBKVN/JHGZ/Ao/
-dc/lQrNseza34NBrREN/gUytjefFMJ4YStSZCMuy3gP1Fqk6YCy/dObbAoGBAONn
-UqjmZYqoK0+jnGWdPOtXZ4bu8UoHc8/1MaVn3pq8bYh3PayFKpDKtcD1ZeXHCxL2
-1Y+Eid/DoZ2/RZbxT2mhi2mVZZCWc0xuML3Vz0B9bqi3ZfRLVP2u87fn//mGrD+9
-yy9PeIBv8UvjOhev6hZDBhPAVMsyjiw+wSX6kW/DAoGBAMBcrbSeLcGZok3xadFu
-fPCXvBtrDWwrIqpZUauDLN1PBZ5yz2T5WhmXI28HaAyR1ZDmfK9BtXRIfy1AX9Bc
-3JweAB9C/E/Wi+JGTVrR34hCpZIMImmEiuhtxDj/OwG/cHwXoUjhoBcVhnScHEiC
-reM152k21/Pp26mbpIHxeD7rAoGAaRy4S5P7uaTUKEKzJxEQOKQ1GVzXMWXSdXyb
-zx38+j9AzgR4AIepTjY03xVPXW+swb5Qpr8Xz9Oon7bq3sN59pSSUWKaCMRSVTDV
-3Nm4q9GO1fO377zmc0BsLUTSwC8s7WW4Ro0QYSXdPjuw/YP1ywZ+B6EuUKJ0ryTu
-uLRih2sCgYBm15N97b7Rp+aAti045iBla9/KH8z7szczIndpFWR4wjaI9tt0i9GR
-OZs7LFq0MYdg8JiXITyVcuqsUbdAP3TvsXGDHdatbDcrXM/DYuP6dPqMuGBKdnEn
-gIFT1z8mhv4Im3JKpuckMrIQ5vWhljcRZgiEJYZfEAkLJo7ePG2VzA==
+MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0
+unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd
+GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb
+kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg
+z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY
+pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ
+ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB
+u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9
+ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt
+pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV
+VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/
+ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/
+intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku
+4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I
+HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd
+iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE
+caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX
+b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0
+8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04
+J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7
+3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09
+NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh
+VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU
+KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof
+50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem
index 9ccd47a2c..a93121da1 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem
@@ -1,28 +1,28 @@
-----BEGIN CERTIFICATE-----
-MIIEtjCCA56gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEtjCCA56gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzUyMVoXDTE0
-MTIyMjEzMzUyMVowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDkwMFoXDTE5
+MTIyMTA2NDkwMFowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu
-Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1HhvoVh/fM14RE
-CTXr4to9ZEeGSqHLl5du+eYZl1fC7qLYaCtlaH+eLfDsCgYpe+XsDLHIxpTK9R6k
-XgLP1Jraxz3rtv5qJKkV3aDTjQ2d+cFc0EgiZmn53VEmI/IlcJS/VZzHhNvEJk7H
-k0YpoazpGPtNzFGaehV5mXUAeVPx4RH8fjcSiPbuPS3WC7cqtYvVwk97dj05VfEC
-VnG+90+eFKztvawBzNGwGQ7xZV7kSiPHNyGAV0qrKvhXZ0VPnm/OEiGCAlIo8uno
-Yb/4UMM/a5usCaA9Hgbf8+qqmrzavSUkFEa0y/p9bOBHaqfNP002xktbqBCCodRr
-6QgmiysCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
-DgQWBBTaKhy7PH1ihWsD+3/bJQ3e3Isj+DCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
+Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+7A6hhF+4kxCv5
+oR9DEpv1gnpGmPpn6i7JfuLGIJ9phQ3bUnSMIx8+mp3JE4SLXINLcyCHilK74tIf
+pwYx2K0c2txTFIWLQvBaHWohJ9Sgg4ElVXmSa/b0Nym5FcttdcRgNGd/+DLPs9Tw
+ZoieGvJcZWiOBP+xxPbEo2xcoi3GetPN+XSW+m1BvU88Ysrp0o+4+rLPB5iipUB1
+Iksb51SvF4iG4BHfoTKGlHLwVyjJnp7YnYJtjY6Xaw1GbCf6wcwLlq71uoMj39cd
+0clncpi/s13K2Sh0YHiCcQD5vIkP9BRmobWAXseBZevYI/rU5dz761EqHf72TRrd
+bM3/KycCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
+DgQWBBTPOzV+XXFm2wEX9j+NxqVXiRBq7TCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3
YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz
d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo
dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww
RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR
-AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAOqdCIldA
-mPp2aAWVPBiKXNrk4VJoIGlwZaUtYNxGQ46wUqAro/taKwZd4B1yvwsX/cHX3Y6j
-C1mQtiXw9onJm1qJM1a804U9yPcgdI+9RMiU0hA+aVmyMlS6WQsKFubU17qP2Ljd
-4hOwVQ681Hi8zfQjJdYpaO1yLcpy2dkotreJS3wA24ssnskRBI/cuAN0dfbV6SDQ
-TK91qz0emHoK3efgtvX4oEpsxI4NrwMstaZSVsHn4npKTGYu82dmPoK6WPblGEHZ
-Iavl08lGcYBV5I2ZGuWOekWQzUuBSveV3AFjieeaDIG3Ue3AKaihn6dCLz6l+t7E
-dXN+1axy9zQ34g==
+AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAgJDWuKCu
+7H/K4U7xFRarSKtj9oMAAsq2vLSQqJTUg6fdTnFIlH3OBPcwEzFwVx30QlQyls1p
+nHm/cptV/3cxvqCvdnT2dVspJu+9a5D+zZNeLAtWZuyRN6Nlmeqj1Nnp6eEHEBrg
+oXMzmAf0ulzIZJsEVYwJSCXm0AMOlyvoIYqKxty3L2VZ1iAU1z15lnFhcvamraGx
+k7yaI9ujVR4xQZOOgh05pUrEKaXI3XR1rIoL3NV3ws/JgHch/CQw/If7x4VQmGcD
+yJbKkKn0S18TJr0KhPqbM4+inldEwyX/zjGmlHezy0em5qTRYwupFIQNwZZkTXug
+NnBR3lf2HB2lWA==
-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem
index 6e047af69..55f5f8037 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArUeG+hWH98zXhEQJNevi2j1kR4ZKocuXl2755hmXV8Luotho
-K2Vof54t8OwKBil75ewMscjGlMr1HqReAs/UmtrHPeu2/mokqRXdoNONDZ35wVzQ
-SCJmafndUSYj8iVwlL9VnMeE28QmTseTRimhrOkY+03MUZp6FXmZdQB5U/HhEfx+
-NxKI9u49LdYLtyq1i9XCT3t2PTlV8QJWcb73T54UrO29rAHM0bAZDvFlXuRKI8c3
-IYBXSqsq+FdnRU+eb84SIYICUijy6ehhv/hQwz9rm6wJoD0eBt/z6qqavNq9JSQU
-RrTL+n1s4Edqp80/TTbGS1uoEIKh1GvpCCaLKwIDAQABAoIBAHKb86/nm9YPu6B1
-K65phdMZdgFE1oorUenMcid6V7qpaRN2lXfWjAaUxggq5vpqZ9OMjFzu0kHJ99S7
-nJ65fgKqn8vZ42BlLjhUCRH9urb9/Rqi2/RKJHkF1hd9ZZscnlkUMHkRElQVac0D
-feqTUKdASdC2BWUYCpW3pwNXO+iD5bA9/wB2J/RYYmm6Qo7UZQU8C0lken/8EOEL
-/ch0ID7C5PC0vWvLT0fM9j2JKDq8T6NRhF1MluISGDOp4pW7tEbkHo5I6zD0aPO2
-K9leN3aSUYsOVJk39VXkThwgJ4lqNEXI2xRbtW8sAf7TL1YDxLR2JN3UGvy/By5B
-UblJUnECgYEA2nO+iXScKd3qqmHrdXcxf2ExZQr8QgTAsZOkb6LQ9kGQll0lBcFc
-T2HlobzOaQktpF44C41zf2QpGDllbpyNT8VyQkI+CJ4pntjtKPkoPkxUeVlciFsm
-7THqCGe0zQBWDnXFVfTKR12aRwkhjG+QCQyyaAaV8YztEsDI5SRCjykCgYEAyxAb
-t/NTh9DBDrfJCkT21Rm9Ow70vhDaAyQLq3nJMF+BTXYDrnVMmFHCIHd+nbNP0CLs
-cV/fWAF6626ko5B6ewPFQ4wXRvtNAiDNZSfeaZgvxCrvoDgVrHWhfwHSXWFqny0o
-WHwIJJQvdkLW9BHwbpAQRoD1c2sy7pWIVTEyljMCgYEA0zZXwkUp/FzhWG2moANn
-qzZI8N4nOpmnycnrkjiE+6Q27PsQIblrzCDmSnPnyqyiIasrWxgf1Mr95LsR9FmP
-U9Ke/6tWmTR7H2e0HgqRO3LHtjCNhBVF1M6O7iN/Lzqk+gQqkUpGDaxVz1rnwgXX
-6LgLAwNjFJJiYeBeHRbq98kCgYAwBdg4UbBgf0sY+vftmM+zKAorjGbvCDc25PBp
-ljyxVvTSZ+WI/a6mmzdIzFnCW+S1OX0ndt/wBTGXuivvjryYmRSu29OpcscMiMtq
-b9pWqKorP2g6QOlHRu5xhfHFKcO4b0qKWpLma7Epy7bgM9njm+htdBQYPrLl37FF
-TIRFJwKBgGnZR5rm5iCrcIoAUMlH4/5ye5BPjHDn1NNv7Q7PZR9jhaEuoiBgvk6v
-h+YVi9A9nhbaqS4/rumsNPlObeIw78713pendaWCjC4hA0urrJ4fElfuaIyZMyKE
-FD64V78iaYVlmwKMJxZUnS1EFzb0XQZM7wxhB/i0wwjh+48rBHbd
+MIIEpAIBAAKCAQEA77sDqGEX7iTEK/mhH0MSm/WCekaY+mfqLsl+4sYgn2mFDdtS
+dIwjHz6anckThItcg0tzIIeKUrvi0h+nBjHYrRza3FMUhYtC8FodaiEn1KCDgSVV
+eZJr9vQ3KbkVy211xGA0Z3/4Ms+z1PBmiJ4a8lxlaI4E/7HE9sSjbFyiLcZ60835
+dJb6bUG9TzxiyunSj7j6ss8HmKKlQHUiSxvnVK8XiIbgEd+hMoaUcvBXKMmentid
+gm2NjpdrDUZsJ/rBzAuWrvW6gyPf1x3RyWdymL+zXcrZKHRgeIJxAPm8iQ/0FGah
+tYBex4Fl69gj+tTl3PvrUSod/vZNGt1szf8rJwIDAQABAoIBAQDf/YrzXpTva+bn
+d7y16wOOORyKh0AUZ9eFk7s8xAZjLEKnqc8nGnEOln39A417AIOWIX8WW85Ac1EB
+J5X10ck0JovP5Mh95prK3Egzi3sdzkRQ/MMablb2TUTldQwKIOIyc/lC42zSfQL3
+6Q7Eg4WGAhK2WEwPZNg2AZD4hKz7unK+IAar9uLi39E4iVzDavzwK5y+fsy3HVFD
+cJbPWAr4+4teinF5wkRzK7OInwkPc9IrUF/9wp1ZWp/Rc1YEkCVwmu5v7kPzALI0
+SLwYLil8mXfvG0VZjYIlhCSOJJRuw/0JR2cCDJ9WFppK+YKNh+uLoPXhJxbXM8fB
+BmCHhpdRAoGBAPpc7DhUQv8mxGCOy9O/ec50GTPj0bWD0WLrJoqvHu+LyN8OwTdG
+KMdV4Mp/tpAWbAlKH22/+7P/QCOCwByHQaUisnbkqx+5/JhZsQB7rLAdQ8SHLdj2
+iO2+6cgYPOFm6W4QT7/vl4BHAK4Glw5NPyS5sN9JBTY4bpzFHunsRe27AoGBAPUg
+zoUZnZ/6g+8XRSH77aLAbKScMBGusyxfhFAesqaXcrCrg8FG6Wcpuv2HsBE1v0d0
+7/1oJdT+p+uB2V3iZqTOeJeOCVYXgU82NRZl7R8hqYzkD8rFUZVg6hlm2xi+IUpE
+ya4itKWIckSvnexEqiBov7k8sPmb7R/7HWGWUOuFAoGADz8PZ5LCDbW3qcWoZfm4
+Gjl5u245PBuN6b82NqXZdW8GyYalf483NoRlTw+d94JWC+7GoTFay6hUqJTyzAn0
+lnDZe2ILhcAWwNRdchEWABeYI+Szhw3kYs4IgJXxRyy0NG6r3J1jlX09bluaYVWU
+7dCdE8vnlFi1a7iZXFd2HrcCgYBknEGHqdrjdbw/Hwr2BuQjf91Xtu+X4l+SH+Y7
+yE3FSLX/Q3aBluxntl4Uf2PJvIi0+I8kMGIOyTL827/u4+UDUed3NQop9t3ROEuT
+1OP9eiCQPm8o59IzgKK1KF1XC3q4dAFfYslIg/d6r6Ye+pPlV3kRu5Jb8R7jmHsX
+uc2ezQKBgQDgouR4ipkb+sQcMKkhzHUEx67aHEVH69v2R9lm8YgPHjvPCA++DgPZ
+dwWALnW5wKRfdGy4b1yTIICUgjKIIlD2owJB/J5Z4SzrzbOAEJkNURGAhp6njsf+
+QYRyoXLOb/8jAQqLx9hOB8L2gsRSDddvvYw/DTP2cKM8vJtYFWam+A==
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 3243bc294..bf8a4919d 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,27 +1,27 @@
-----BEGIN CERTIFICATE-----
-MIIEojCCA4qgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEojCCA4qgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzYxMloXDTE0
-MTIyMjEzMzYxMlowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTEzMFoXDTE5
+MTIyMTA4NTEzMFowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3
-YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArD8OrNy0w+T2
-cru3RQgskGCGppwpvLH/QZVHD/UbumxjKVTrz4FskqN39sFxDFDSre1bps+F7jW/
-zmOFe7c7jmZhK1mPnbviYTS4LXdo1j02pPeBNBk4b6VAIKPaYmO3UIoZZ4SPnnVZ
-P7Aj3mU1ztsTbUQqgRmTsdfqiPaBNZ0zylWYPDOkTS+1sbRQHkgdZvw4fYno+Rd+
-hDK1scggL4kRg4uGvFojYciSxo5lC53Am4r8T2zI0aI6L8g57j4cX1XYQwM3tkHM
-2BiCRM/c1wQc+vn+xp1oh/GYM4qoSoZyLTD9A0gqmbnF9//wvSmwpDpSkDoHZ5O3
-Ur6HZ8mByQIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
-VR0OBBYEFL9rU6QFDLvUOEIFNZROVYWN5v++MIGMBgNVHSMEgYQwgYGAFCF/p+s3
+YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsSlxt8LQf1wJ
+u1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1XELjKv3kcYp2McydNPq63fw9XXbu
+a/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++e0xxcZS4NQ6wz57bHgARzMoCisNr
+xcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5LieSMGIBQjKGCd2a3eZYhTCs6hI0vhQ
+Q1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXPuMY1CwZkGcANd6vBK5YBNiZFquBj
+FhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN8Xim/AewWRcKJJKdlLAAHmZD0jx2
+g/E0LGu01wIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
+VR0OBBYEFNs9CUs7SNJewkkfo1Bg7bcUEzPXMIGMBgNVHSMEgYQwgYGAFCF/p+s3
0KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n
U3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
b25nc3dhbi5vcmcwQQYDVR0fBDowODA2oDSgMoYwaHR0cDovL2NybC5zdHJvbmdz
d2FuLm9yZy9zdHJvbmdzd2FuX3JmYzM3NzkuY3JsMEIGCCsGAQUFBwEHAQH/BDMw
MTAUBAIAATAOAwUACgMAAQMFAMCoAGQwGQQCAAIwEwMRAP7AAAAAAAAAAAAAAAAA
-ABAwDQYJKoZIhvcNAQELBQADggEBAHhgG8qqLZX3uXDVX9uBZM8jErI78pyL9F8q
-ibTW5UPp+rbbMDY7tphBbFkg5Q0pzJhOzB6I6Oy/QWVVEC20DE7lhOpMu7auS3Gn
-z1t6DCIDR9NYXtKs6UXcMA0PSQ1r7iHQWvtZ0uD998k6UQfZCCOwBbonng2DAp/m
-FKkaCYiZmJw2YBwf+oVNLQp2fHI61uoguiiRQ4AV5Htho0z6MDqpMyrg2F7Uf2cq
-kQY/ZyvMe8VG5KuiaMJPIMdJPnRED2R4qiyHe8eDXgGYHsNhkt7VHRRgo3izqIdG
-1oCv+CHQ2XSK+4dA42U0Vw7V/ExmcLy99bZfCEZwNWG6Y/5Qwww=
+ABAwDQYJKoZIhvcNAQELBQADggEBAEYqXkheXXHiC5JnrZm5QUo11Vu4CtNRGeg0
+atuG8ZNHgQfa7wjjeCDNpj3lHvyegYsSMo7wGwN7DugH0mmXKZF9XHc4sU7/aUvl
+mX52tDuUoCGD0/yFuKLlYOfwmsquC9snYDW7cJXaqMON/OMLcU44OR8E1oiw2ePT
+FqyGFbfparp+Q8I7VHwJBs+mDphdNUlFbpuO9m2eEtqdYVyXlfUnbFpMMyWxxIY/
+6CIyWcRRKeWRRXxkk/dSeEWgsfWY7ITK9blP5nhIsgpCoEguGc6h4RL65VdH+Sy0
+9MLpesyGe6qkdrrg4nyaY82uuFXhUo0YiP0ddUw8eNaefFqEzL0=
-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 275162721..a75622149 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArD8OrNy0w+T2cru3RQgskGCGppwpvLH/QZVHD/UbumxjKVTr
-z4FskqN39sFxDFDSre1bps+F7jW/zmOFe7c7jmZhK1mPnbviYTS4LXdo1j02pPeB
-NBk4b6VAIKPaYmO3UIoZZ4SPnnVZP7Aj3mU1ztsTbUQqgRmTsdfqiPaBNZ0zylWY
-PDOkTS+1sbRQHkgdZvw4fYno+Rd+hDK1scggL4kRg4uGvFojYciSxo5lC53Am4r8
-T2zI0aI6L8g57j4cX1XYQwM3tkHM2BiCRM/c1wQc+vn+xp1oh/GYM4qoSoZyLTD9
-A0gqmbnF9//wvSmwpDpSkDoHZ5O3Ur6HZ8mByQIDAQABAoIBAQCSb+WlFtpjtPPF
-JUwxVzqz4Cx510gwkU+GzUemDGdvfZhsWjNEri7FGE70LQ9UPh5vGd2SmtmtZGrW
-J4wjWus6LFYuCa1sl4BlzfFLTjqF8XLUm0twJITzfhVf6o3OmiIOSepBNNT5DaE7
-4R8NgxRU8bG5cnuEWF9VklBl8tR04/VHIfTHltt1p69aQ6UoECBLd+/8RBIj+L/P
-TzXbgLJn7dT8DrOA9rv1p0G1reADwvclKfag4S/xyC54anRsmMNWQLE0D+QzKL29
-nXqU1wjIHBtgY7uM0svtyrMXiNi0XEBWqDdOMwCZ66TU6eGIzDDevG+q8PXmuW6v
-NGxoipcRAoGBANJy4uNj2SnMTdIyoe0wFjmjntKb7DX2Ie0aZr3kygQ7VJUH6w7Z
-mZXNhRf8CpaD20lnyqRjhgq1gwOrLZWpAajNPJ6uCHUVSI8+qwdMVdPSZyxRlal9
-gshsGofkiqEGa/5BW4+yDgi1C4BV+lmN8jn4ilKe4JvFGuz+F31ntDXlAoGBANGH
-WKCq4u9MCxM2R2ESKkLM+vlTxRB4meMt6iPn9e0yJ1BVXTILRp7hfUwKc4ivI/SO
-rc4UA3I5i6QR7TVPOVreqw/CDEmjQLhTSOWY3lHbNz1q53p8Yh6JdytaA4YYgm+I
-pFL+Hh/UpPEAY1ZzsSP7KhBd7ViKblz7/Act614VAoGAXTkFJqNpZGmbI3zIXBBM
-GBZR2Yu2dCTm3GgwkPfTQVKi4i2Sw45Cyagzx+8fJZOdRQQUMQPhMcc8FRjz5XLr
-SEI6EzSWjH70GHgzPNVkw6NVjr1JJb5ye6PfkMj9W91DY2rCS4IdU2AXiy8K6jbF
-0UY2x+iXKImEpuzbrPKOUr0CgYB1lHdGyj7JPKomYNpTfecbT34zdi/rG1J4Kybu
-eVgHgJKRQSYoVC2QMUen6WGGPYp2za55K7/3VJWpP6oWtVuhQ71I/YL5u9Qw3APX
-XB6+Xr80Bw7ZLH2/VzL5r+y0ToK75jkYnaP4BtN8rtQQCqJIZ8TmJF9xxVVDduCq
-grlHNQKBgF06eOplOy8W7euuhvEfoxv05ZVjcFv3bFzlYPb0fBfq4Ziw97SzidH9
-Wbq3gujut9gJCKZT6BJfZtqrPeVhWp+S2SD3bDCsjNZLRBEdzdyRB5CpmDE5OQBH
-EtzpR4nQa/2RJ7wRP/306PE1sQPtTpNvGIgBIUxWvt5gzyVhO1sG
+MIIEpAIBAAKCAQEAsSlxt8LQf1wJu1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1
+XELjKv3kcYp2McydNPq63fw9XXbua/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++
+e0xxcZS4NQ6wz57bHgARzMoCisNrxcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5Lie
+SMGIBQjKGCd2a3eZYhTCs6hI0vhQQ1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXP
+uMY1CwZkGcANd6vBK5YBNiZFquBjFhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN
+8Xim/AewWRcKJJKdlLAAHmZD0jx2g/E0LGu01wIDAQABAoIBAQCKdl7HhX5ZHAEL
+KjwVq56wgekMhKtOOgdXheuJBJRFTE7LbaI50pkjn72ss8/+yfHQV2o3Vw5K/0oG
+nzS4EhnH4Ozb7L2t2c9J8XK5C36BNoLaBMUmLq+3WsnBxhKQopKU1u8ShIwKEgQo
+U8NnKYYxx2NHYECBW1dI9IZF+muYbVg420PJ4DiFMSTy5+o+UsI8X0ymV2RYZAfg
+qO8WgQYHZca2ffJ4rJHi8wf4IzaH//65vP+Ij7FGzfXmBd3A9F1wP7skBYZRYPp6
+MtZ5cxfNUwkGtkmt1KaEnsmg4F1/jaB0h5+xT4pj6NqaatvoKZ5zd8zpcGktuptO
+zhTa63hpAoGBAOkxtwWaJAHj1GH1CzIkCP4siySSgphtcjP96XdcIaTuGx8gp/YU
+0Bj3irK3KpVNrcLgc8KzylfMiAETMlRnEb28wSfqkegCR4Lrrsw3YjEAcVPC9Vtb
+/wQHc9wUGCt0OUv7EE7alB/cKnjTQzF6ZgTGTUhGv4CuL6XjhEzqiA0bAoGBAMJ8
+5V/wjaDkRDHRtaDI7xX2j4uPE7FoQYCSVtKOil3rmIrmgBCXTtWB8EQ9o3Ux6sOl
+lmA3sSF1ajyPu8e2+QhQF9wAF5mvN80aPj0KXKCv6Qx/H6Tjpg3eqVr6rucOyH58
+gKnuo1YISFcjcMkNEOZy6//7SkmAAN/p0Dgk6h71AoGAVKSC9jmY0EbOFDBJvA1w
+ZjHs331+ga1YQp7rWzPJ0n/KwGWuEZhEYIuZgH0Tq9XiOFYYLpfr3iqTQzCgmBpB
+Skl1IvP1uez53/+EFwQTVA4BFJIzVNHzopbB6yQwEbXCBl4+8SBNm7Lih7DHNvJi
+jWEdNBrZ7+9JxEDtCK4oa/kCgYBbaHwd9V97aQ2sJJYq9YV5WyLoQtzMmuV+Wkk4
+OQpLTjmpvuAd7B9/Nc0JJbc3k7h1L9RXcJVt1lOSFzP4j8TH5WzxV5HAB5xAZ78s
+zTvvwf3Ug8MJqn0XM7mBKyUdL9OHr1iBhcl62/W0DtIpjFyPEyBcdWza0rCWjLvy
+R1dKKQKBgQCKTLKYv0c1h2e5i4mNCGWhR83x+k1ChZZLwoEC9f65tjrbOG0UEHAn
+oz9N0m6jCQvnzvN8cHgFl8yoWmnOjEnsSDFQlIRvAXGzHd4ahMB+75WbLi31H2bv
+XvZyakeTVfoOVArNUwLSHozr0VIUjnRirLht939dlFj4FLih/igWFA==
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index dffbc67e9..88ce01ed5 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,27 +1,27 @@
-----BEGIN CERTIFICATE-----
-MIIEoDCCA4igAwIBAgIBBDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEoDCCA4igAwIBAgIBCDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzczNloXDTE0
-MTIyMjEzMzczNlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTQ1N1oXDTE5
+MTIyMTA4NTQ1N1owWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dh
-bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPLwvUPUNIZnbX
-eyz8U0COp5RM7ZLFT2iJmSGxznZ30phUNHSy3WX9V8h2kQ2fBks2x0KYWEg8Lh2y
-ggZipePRpuHRnZlcll5/HY/YOUgdV2GE6euNiWKcDB6uE51sxZ+on5KasI9EJMdp
-hJpytYUFjx6pExsoqWMQLigrT6A4bYogkweOZHiUyHiqgtUQcHnmmKwxgeUAkZCb
-00dk7CYnXNQZ1uHj/08TDwrS37SGXfWEIcBGEx/awqlF+s2HTI6zw7NC2HhQsiSp
-Yo1nz8TBr/8XnO9KyYUg04TMkcQqBFDt/qiUswLRLapn9HSyd43BxaF+YuvJ1+ip
-M4G05K1nAgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
-HQ4EFgQUJ/+79KP+Ea9vdAIMkUYx++cu6R0wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpJKRQ2CEG39rO
+8nX7RpY+Ed5tyx+rkug3HrSInie+fgkDnLES2U1X3wvM2OczLp6L1ccROv+SzEW+
+OKfCZSz7T4GLwaRodi9KtHvfOCsbDx/vkFFwui2yt9rVUSpcbk1OiVQsA9R0G6vz
+eqFIL9GtrtHWQ+dkvWy61i2A+T1X2QfhVfzvj5msL3CuZU6fnwGYD4LZz8RUGlB4
+WkSFWCctfQfgK+lpfuzq6OFFkARzxZ55D0MzgAvXY6osS8gMdiSD50Zlik7qZVvn
+RO0j6TOg0WKinzguAokAyDCsaoqsOvi27QalfH48PUM+aUzHNCKnD6pswebHou3m
+mvG3rH+9AgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUsBjPeVTm7TUTaXtmfv09yQS2mV8wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVgRNkYXZlQHN0cm9u
Z3N3YW4ub3JnMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dh
bi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNybDBCBggrBgEFBQcBBwEB/wQzMDEw
FAQCAAEwDgMFAAoDAAIDBQDAqADIMBkEAgACMBMDEQD+wAAAAAAAAAAAAAAAAAAg
-MA0GCSqGSIb3DQEBCwUAA4IBAQBlOlqceKqgr0putV9fUf2vekg5QtZGDtHFUOTH
-0gDIe2DJ60bWY5IXpjj2KtzRdoP448fpPaprrh8VEljWoVvAF8LaePKGggqwcG+D
-Z7ioDYlnV1j+/NnbZGM/hPqa841dh5jesTuTAF2giMod6P6eMiiRcnl9X3ltgSWp
-Ahk5C8CNYw+sISJcCHtFQHdKOM4QN7wAWksvpjMWkSDQgf/rnDUgW8DXAwX/9K4V
-G2etJ6/8drpjB115p6h+GYz8xFG28/MSf9BqNX03dBs5oyko2+FgSrb3ACK+pAO4
-Cpi2NKZfUH+M7Loo4baI+f5iavpDjDfar8KTiV610DAp0W2S
+MA0GCSqGSIb3DQEBCwUAA4IBAQCNyAyUvqeCgWnPEMkfFFb1kBbd3me3aLRxXFb4
+TY44L6SBiFNy1s3UyFCLw1xXnSMgTpvZqHmB7fnzX7Aj6BNkPFIThEiHYN85ai4t
+U9bO2nqwXfIINFt2Qlokd0QWHzDsL/o9Mmqs38ymlfIbsgwh7gCZ2HhGlOb7+QNU
+IaDVIcKqBr07wX7qO/fEjKgFSkUT5eFNwQmyT3zUaE1PixK5w1hRxvs/KAsLgbfe
+5ofLD88rfxvkqLwhRNU8PUzqIpqxfV1P+wS/k78z0tG+JI8yeEkcksuj9UOzlTr2
+jWL1QoxUEinR3N4dTqsW4u/Jz7R4MHdO+l9RoYZpQA8LV8s3
-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem
index e79cbdd9f..f72970c4d 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAzy8L1D1DSGZ213ss/FNAjqeUTO2SxU9oiZkhsc52d9KYVDR0
-st1l/VfIdpENnwZLNsdCmFhIPC4dsoIGYqXj0abh0Z2ZXJZefx2P2DlIHVdhhOnr
-jYlinAwerhOdbMWfqJ+SmrCPRCTHaYSacrWFBY8eqRMbKKljEC4oK0+gOG2KIJMH
-jmR4lMh4qoLVEHB55pisMYHlAJGQm9NHZOwmJ1zUGdbh4/9PEw8K0t+0hl31hCHA
-RhMf2sKpRfrNh0yOs8OzQth4ULIkqWKNZ8/Ewa//F5zvSsmFINOEzJHEKgRQ7f6o
-lLMC0S2qZ/R0sneNwcWhfmLrydfoqTOBtOStZwIDAQABAoIBAQCW49qnnl6MMiPH
-V6wxsKhJvP6i8Dt+fBDUdbQ2fPmG1teeK/357ojC89XJlGbpNHo+0OxNa65gNe3m
-/g+MdOjw3auFMFRrPBBiX7NNdJpy1Brv5DVrhW1N3P3TJfH3MA7RjjYFdyVAKdEZ
-pjud41mX7N4VoRacjJDbTeJveLRlowB2gPcxhNZlF6gPP1ZaHwR/b1+0qOTcsxj3
-hqC7zdmMM8UGQ38S3ba7dldlCVAvJgylRX+LPTx5x32wMntaSmBy0cdRqfHtznij
-MZQnJiUuAvlQyjCbt0j7jycBZrMfgS+hESHaUG7wdJUraL40hlX2L4RfIyMtriwB
-9Xe5fVABAoGBAP3Bphf6k/QxbCrVyyw3Q13MMug63bj3mqhjwOJUoEu+3O4+5Qcw
-bIKEOxDFy82lwVHEnYU2tyxVcLBoXP0kMVkrWQIuDSPrneSQxIO1npBZTvBIvWSr
-Yh3kJa15zlF4JxljwXfjLskInRlL45gBiG8FbSuDtXTxPJBtlrIHE0lnAoGBANED
-/Ct5cocPPTYDGq7FxkGEOFoZM1OTsnL68NmcOhp69uWOAgNCIZEifYBz/SSx1ISJ
-QjDdie3BQ0zp2CZe5Fujtz0oT4VPsrJUcND6fZnG79aA2P2S4tXOdVbElB4fOWuT
-Sd1WOmgOFAn+B907PsP2BEh2BPO2/eqy3hN38PwBAoGAZzAJ9JJG+/PlAn4xwmcu
-k8Pnp5vYcdDuKS93ThIPpP2WJaOZypSca26N/kIQoC2ZMUD8tSEM15Be5L1rotzG
-3HXOGh7T5Rl4+WsNHmoKcrR+byOFMJyop3MRBzwS8/oiHCb+k1vkuIcyKwk7IaLt
-8geI3zsN3OIEOM73iqlp5F0CgYBbSWFGX4l8oVQ7lcl+kZRQIv41o5H+K6ChhSXR
-9OCPlirlAUuxvp1IdQbZJk9mSmCl7gjBrNBDzcel/O/RelpEB9HM3SE1+SPzrNuE
-+hIHKpKvXaDnxtJZTQ2EcuC58ysx56c4CyQBNDzeTFuE7Q4xqe4e86SgCMkHS02g
-tR7EAQKBgQCRoTsOFcCK2jXBhfcuwcrnrTJmf6LFxW08Mfl9qxKUjz20bx6jgv7f
-TrRUHavmVrrGkAc6eTtoa+2cC5ffSBWHeCD48omb+DZGPF54UbEYyRUb5umKbfI3
-M3WiHTTpeTOx2MmPwiAHhPuaWMV9jWkRG01+wIX4HybGYeEAVHE9lg==
+MIIEpAIBAAKCAQEA6SSkUNghBt/azvJ1+0aWPhHebcsfq5LoNx60iJ4nvn4JA5yx
+EtlNV98LzNjnMy6ei9XHETr/ksxFvjinwmUs+0+Bi8GkaHYvSrR73zgrGw8f75BR
+cLotsrfa1VEqXG5NTolULAPUdBur83qhSC/Rra7R1kPnZL1sutYtgPk9V9kH4VX8
+74+ZrC9wrmVOn58BmA+C2c/EVBpQeFpEhVgnLX0H4CvpaX7s6ujhRZAEc8WeeQ9D
+M4AL12OqLEvIDHYkg+dGZYpO6mVb50TtI+kzoNFiop84LgKJAMgwrGqKrDr4tu0G
+pXx+PD1DPmlMxzQipw+qbMHmx6Lt5prxt6x/vQIDAQABAoIBAB6pVf7X3cgUqqcq
+1f9c8idpnDIeU6Tx5h5RqHaLLjjsRG04L0WGVJio2dlv8UAW8nz7eXm3o6L/wHBa
+7R0wxzCp7SSfK+sdF+0gPWZG8cxWOeH8vekwYxAtA9eoHAUZ8IrSnsJHIqq+dOfJ
+iep/d3j7E9e1CHqEOwd7YXKj1MB3p0Ivhyx0k9GvlbAKRiJPGhbxD+hu86lRMsEt
+su6eG5JlvKyBAgNIcx29UITj5k8MbK2MeuCIZfry0yOaOsGkQkjAtyaiTIw8g2IQ
+AhuuCLqVYtkpMiIfryV74b+CtQMQoU0z2Z74SZ4hJWFlbeG4Vtzq1HeDf4y1S3mm
+B1Mx7CECgYEA9IKw6Fh7SBmJa5jPw7Uttvm2iDslsOR3nrPNOfMWwSK3i0j4OCIE
+kCqKnJJfj2JeBupfHrIJzJ2+otGauxQt3I65VOo0PwQBb90xIHAiXdsYoXadB6MC
+XUo0zKrDWC0EVyVwN+nyaCJVwsKm4XomHgSvitUSNA0dSTATfPXwQJkCgYEA9Bk1
+VN2KG6Bjcm2ISls+OOKgp2kG68ayG4ZXg+xt06+qsYq0+BwCrottQpXFpMVJbE/z
+/6U294PBqJ9Z7LATptMzWhTKyO0pGBHvy8LUz/3qBF7yJFN2s+QbmKf4RIhfSDNU
+CD2bPI17Kgj3sipEcbiwz9U6wpzp+IDnAfPdWsUCgYBl/5ri4f5TnmuIGhAZuRvf
+552wiNP5TeVkq+bh1LlaSiw9C2yYpgA3T7fRBvKcMtG8msqhWG3kEK305/FfN1TG
+XDeN58FxxC8BRkl3GbAMbRiCSqPJCsQyvID4HAgvYWAdJn4ApTQ9Io2aGG9bQgRi
+o1vDU40rb4kW/dozV7koiQKBgQDoQgwiweElREkbmejyhzr/OXQPlrmFIjxaQEuJ
+NS+TGjTaVda3tT9AAV5m2seCbk3ch37tIrDYdj+QSH9x3F/2fkMAVYRWBoLxai+2
+u51ugnVmz0irE9eAd21ipYBvBStUMbKlXKkWxrAIYRv+JIWXh1qFhqgwgMmHMG+d
+xgI62QKBgQC2WYhZvLGrJ5g9G8E9pqOAz0FlxBqbPXJDe9n4Il8huF/+i678covC
+dtbo1il8qcs0Lmm8M6vj78Meh+k4L0y7YAjUsaLpQ9rwNaZMHP+GyZWE5ygmtNhE
+DP13WKX5SEbDZbClEgX+gHRmywC5m6hDSx21iekhbTfnUm2FQTA83w==
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 7f5f8d703..124e2ae46 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,28 +1,28 @@
-----BEGIN CERTIFICATE-----
-MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0
-MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5
+MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh
-bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm
-RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG
-aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs
-BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU
-lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO
-wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51
-vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
-HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6
+GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu
+uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA
+PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2
+jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd
+D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK
+KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u
Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG
MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy
bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY
-AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX
-QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S
-smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1
-Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O
-vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC
-kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6
-Y0Y2hqCja6SsIjVc
+AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL
+aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo
+830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5
+lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2
+NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR
+pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu
+Mc/lk4Nl8pHRO+Xm
-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
index 8295f97c1..11607c8cb 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA0ymiy05il+OUJkYyGgUsQcKH86qpGVrZdZrtHA6eqxlq//4Q
-t9TjvTGy3kWQV9FAbbiqLnHgI3a8BmiuwoUdBbfqpS2emfQR9g52uL03RErAd0p/
-rl7lOFjXcJpibkQV35f+4f0bft+ArAT/Nv0bUeBlaUu7u94ki5TeEWnlnckk6obW
-B+HCrdR/TIkm8MKJsHS3nUKN1KDnlJZFj68xSk94M1OLx69bIKWxeeKP4ga+f2Mi
-aVE/VFXg033wBDMZwHvP0P2t6YEizsCdx50r3Eh9MPM7h9WFzrX5qrKYZMFQSRoi
-81B1pWMVSAKAina7+HqEiS6pS+W+dbxpJi/N0QIDAQABAoIBAQCSHbx1XB8jJSot
-teMTWEMAmgCDHrN2RQQ2ueaaxI8MrED7NK4S1rBkCVDRN2ejLLudcOvpyYikYZPI
-B4XuOjgT7ejjNYcK1vXawrVqLhxhGCzIHvftC+MnM2qYk2vLCzfriXyomgD9sOCT
-p72GKmxOIq1pyCr228eEApYLjLCDlhso3PrCo7recUq7f56rLjvb4gfcfor6mJUd
-yIppZUnDFJnsRXup1G4L9Y9RNYtlkcDqem/Q49d5+AHCYH6R8YI0Iz3JnzZjalsq
-+IA6RJqHBTeOpiyCmHlUmVE/3YUm8n7w7RRngMOLjKdiTKHT+8EcHmyUorqW3Yea
-zCIe5C6FAoGBAO23egrSbamyWXcIOqx1GX9gzYmQ2nSKYUtRhsE8eNErw0zp4FKv
-AA7CAmoWEzjDJPSkUzDAajoZiH8+DIZ4IkwKbYjtq0vr1yCbx/PBKVN/JHGZ/Ao/
-dc/lQrNseza34NBrREN/gUytjefFMJ4YStSZCMuy3gP1Fqk6YCy/dObbAoGBAONn
-UqjmZYqoK0+jnGWdPOtXZ4bu8UoHc8/1MaVn3pq8bYh3PayFKpDKtcD1ZeXHCxL2
-1Y+Eid/DoZ2/RZbxT2mhi2mVZZCWc0xuML3Vz0B9bqi3ZfRLVP2u87fn//mGrD+9
-yy9PeIBv8UvjOhev6hZDBhPAVMsyjiw+wSX6kW/DAoGBAMBcrbSeLcGZok3xadFu
-fPCXvBtrDWwrIqpZUauDLN1PBZ5yz2T5WhmXI28HaAyR1ZDmfK9BtXRIfy1AX9Bc
-3JweAB9C/E/Wi+JGTVrR34hCpZIMImmEiuhtxDj/OwG/cHwXoUjhoBcVhnScHEiC
-reM152k21/Pp26mbpIHxeD7rAoGAaRy4S5P7uaTUKEKzJxEQOKQ1GVzXMWXSdXyb
-zx38+j9AzgR4AIepTjY03xVPXW+swb5Qpr8Xz9Oon7bq3sN59pSSUWKaCMRSVTDV
-3Nm4q9GO1fO377zmc0BsLUTSwC8s7WW4Ro0QYSXdPjuw/YP1ywZ+B6EuUKJ0ryTu
-uLRih2sCgYBm15N97b7Rp+aAti045iBla9/KH8z7szczIndpFWR4wjaI9tt0i9GR
-OZs7LFq0MYdg8JiXITyVcuqsUbdAP3TvsXGDHdatbDcrXM/DYuP6dPqMuGBKdnEn
-gIFT1z8mhv4Im3JKpuckMrIQ5vWhljcRZgiEJYZfEAkLJo7ePG2VzA==
+MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0
+unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd
+GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb
+kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg
+z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY
+pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ
+ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB
+u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9
+ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt
+pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV
+VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/
+ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/
+intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku
+4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I
+HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd
+iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE
+caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX
+b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0
+8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04
+J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7
+3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09
+NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh
+VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU
+KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof
+50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown
index aea6d8555..7c510261d 100755
--- a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown
+++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,17 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -96,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
fi
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -421,6 +253,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -445,6 +285,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -484,6 +331,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -527,6 +383,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
@@ -543,16 +406,6 @@ down-client:iptables)
#
# IPv6
#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
up-host-v6:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown
index aea6d8555..7c510261d 100755
--- a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown
+++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,17 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -96,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
fi
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -421,6 +253,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -445,6 +285,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -484,6 +331,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -527,6 +383,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
@@ -543,16 +406,6 @@ down-client:iptables)
#
# IPv6
#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
up-host-v6:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown
index 1a68ada0e..1b362e65c 100755
--- a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown
+++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,17 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -96,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
fi
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -421,6 +253,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -445,6 +285,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -484,6 +331,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -527,6 +383,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
@@ -543,16 +406,6 @@ down-client:iptables)
#
# IPv6
#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
up-host-v6:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown
index 1a68ada0e..1b362e65c 100755
--- a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown
+++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,17 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -96,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
fi
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -421,6 +253,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -445,6 +285,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -484,6 +331,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -527,6 +383,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
@@ -543,16 +406,6 @@ down-client:iptables)
#
# IPv6
#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
up-host-v6:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown
index 1a68ada0e..1b362e65c 100755
--- a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown
+++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,17 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -96,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
fi
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -421,6 +253,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -445,6 +285,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -484,6 +331,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -527,6 +383,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
@@ -543,16 +406,6 @@ down-client:iptables)
#
# IPv6
#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
up-host-v6:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown
index 1a68ada0e..1b362e65c 100755
--- a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown
+++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,17 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -96,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
fi
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -421,6 +253,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -445,6 +285,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -484,6 +331,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -527,6 +383,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
@@ -543,16 +406,6 @@ down-client:iptables)
#
# IPv6
#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
up-host-v6:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/rw-suite-b/evaltest.dat b/testing/tests/libipsec/rw-suite-b/evaltest.dat
index d59ea3c34..3a9493ba3 100644
--- a/testing/tests/libipsec/rw-suite-b/evaltest.dat
+++ b/testing/tests/libipsec/rw-suite-b/evaltest.dat
@@ -1,8 +1,8 @@
carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
-moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
index 15c239466..7d0c583b3 100755
--- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,17 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -96,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
-
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
fi
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -395,7 +227,7 @@ down-host:)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
PLUTO_INTERFACE=ipsec0
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
@@ -406,8 +238,8 @@ up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
PLUTO_INTERFACE=ipsec0
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
@@ -444,7 +276,7 @@ down-client:)
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
@@ -462,6 +294,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -486,6 +326,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -525,6 +372,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -568,6 +424,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
@@ -584,16 +447,6 @@ down-client:iptables)
#
# IPv6
#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
up-host-v6:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
index 15c239466..7d0c583b3 100755
--- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,17 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -96,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
-
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
fi
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -395,7 +227,7 @@ down-host:)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
PLUTO_INTERFACE=ipsec0
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
@@ -406,8 +238,8 @@ up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
PLUTO_INTERFACE=ipsec0
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
@@ -444,7 +276,7 @@ down-client:)
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
@@ -462,6 +294,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -486,6 +326,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -525,6 +372,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -568,6 +424,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
@@ -584,16 +447,6 @@ down-client:iptables)
#
# IPv6
#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
up-host-v6:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
index 15c239466..7d0c583b3 100755
--- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,17 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -96,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
-
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
fi
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -395,7 +227,7 @@ down-host:)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
PLUTO_INTERFACE=ipsec0
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
@@ -406,8 +238,8 @@ up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
PLUTO_INTERFACE=ipsec0
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
@@ -444,7 +276,7 @@ down-client:)
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
@@ -462,6 +294,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -486,6 +326,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -525,6 +372,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -568,6 +424,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
@@ -584,16 +447,6 @@ down-client:iptables)
#
# IPv6
#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
up-host-v6:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..4d99866f7
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm
+MPvvkhl7dwj12//qfklihpZtdazxO9XkN3oYIdgt4QLq35ljtIkEGgsPn3a3niFQ
+qjkCDj+lKmd9u4ecmGKR5PFUL+LwSU6cXJVNT6p1oXqntWZS8bFu+9y0Zpf30Lf1
+ILyZAgU2WTjSzTHyvu0w52GlbALZ3ILwze/J1DRHtqmPdiiu0qwSekqVBIOPZudR
+fl4LBnLIFlR0vOaJ9zpvxuPHKyxFSY3bvAsXsEkVYG/pTyVsx3fELFNFYP+75arN
+2UTMjbTSq6+KKUr1WwOmoBpU14Qwq3g4l1PChwIDAQABAoIBACBFB/Xqajv6fbn9
+K6pxrz02uXwGmacXAtVIDoPzejWmXS4QA4l17HrJDmelSnhelDKry8nnYHkTrTz7
+mn0wQ4HDWy86o/okJUG/TKRLd6bf79aRQqqohqd3iQkHk43GyzuXH+oGioVKF0fc
+ACDWw4wfjL7FMNdHCZ4Bz9DrHO/ysHe9B6rvSYm3VZRhSxaneIkaLkkDadKpVx3f
+XNFlMxY4qKPJYYSoJZ61iMqrO7+rnA93tmyDDs8PKU3BtnpfNrdePgleJHhk8Zqy
+Ev2/NOCSUxbKE8NCtLpGTs+T0qjjnu4k3WPd3ZOBAan0uPDekHZeHB/aXGLhYcxx
+J5SurqECgYEA+F1gppkER5Jtoaudt/CUpdQ1sR9wxf75VBqJ4FiYABGQz9xlG4oj
+zL/o572s0iV3bwFpnQa+WuWrxGkP6ZuB/Z82npc0N/vLou/b4dxvg4n7K+eOOEf0
+8FMjsse2tqTIXKCqcmQnR0NPQ1jwuvEKsXP5w/JOlnRXAXnd4jxsJI0CgYEA0GaT
+61ySttUW9jC3mxuY6jkQy8TEQqR3nOFvWwmCXIWOpN/MTTPus+Telxp/pdKhU+mo
+PmX3Unyne5PvwleWDq3YzltX5ZDZGJ5UJlKuNnfGIzQ6OcHRbb7zBpQG6qSRPuug
+bgo688hTnb1L59nK88zWVK45euf6pyuoI+SwIGMCgYEA7yvE8knyhBXvezuv0z1b
+eGHmHp5/VDwY0DQKSEAoiBBiWrkLqLybgwXf/KJ8dZZc8En08aFX2GLJyYe/KiB1
+ys3ypEBJqgvRayP+o/9KZ+qNNRd0rqAksPXvL7ABNNt0kzapTSVDae3Yu6s/j1am
+DIL5qAeERIDedG5uDPpQzdUCgYB7MtjpP63ABhLv8XbpbBQnCxtByw3W89F+Xcrt
+v55gQdhE4cSuMzA/CuMH4vNpPS6AI9aBJNhj3CtKo/cOJachAGb1/wvkO5ALvLW0
+fhZdPstUTnDJain7vfF/hwzbs/PlhXgu9T9KlLfRvXFdG+Sd4g8mumRiozcLkoRw
+y6XPTwKBgDJP+s9wXmdG90HST/aqC7FKrVXLpB63dY5swNUfQP6sa0pFnON0r0JC
+h/YCsGFFIAebQ2uOkM3g3f9nkwTp7910ov+/5uThvRI2w2BBPy0mVuALPjyyF1Z2
+cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
new file mode 100644
index 000000000..d8fad9aad
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA35VUimfpDmNpT/8Q3qnoDlxJ9R+EErSYVraVoUVmH9jSHroB
+eqqtDdf3XuHtg2xKTryijBj2H0jeA7HuE1UGwmvZWN1gL5vSrk1OFrT38DmaKa/+
+mtiPqjTJrDGg+OgOz1iHsPsp/4Xx+SCTSy2Ucllfront02sVduDXEGV34Snk6vYV
+sRn1BZSlFBO6F2k23/j1i7FDn0N6Zj0hFvCysoIcfSYasmwN2p5vRqn7xC9JceMK
+3V+v0w0pZoAUBAspAjh7R1rWe08IRAt4Tzff401EGAa5+TQqoZPd4BeqvFr0AQhQ
+mdVw97FB2pQyNxSlcVvxY3NFYHwSCHcEMroWwQIDAQABAoIBADH51hjN2zk9HVgl
+QmcTAWzcUie5cLMhrP+M9mtC8O3jcCwwFY6OwfnbMU8DHy0GMqHg5lB8b99UUVPw
+HLAzjDw/ESkc6pgZs4EEhJTsxJLsvTnePgHssEgyXnXf7gRVEqJkPohfy+Zy0UCH
+eIUQXiMlOQ7xg7iDMhwNa+UdWSt539DztSKilQn2xdPZjFnMT0/prvl4NA/8Zn54
+/SdWDq5yRdLWb6EK1V7yJ3687GXR1jzGtgy7TXuncUJVTYgX7RdP1Tn6gWD8YAQ/
+RfT0DdWYm4WHSgSb9/NW8lBZH2yy3hg+lNgofXEvTfBkO5QyW31LIr0tCV6zhJIc
+Y9MxaKUCgYEA9sktaXfhPLe0ECjdeQEOq5EKuDrCviSKCOuAV4BDSOsdw6+5LWfY
+Vb/oke8N70lL3RCblcj1pOKWUi2O/SpEJdDRduiw2gM9cXt3/bChSTHC4TsIxxN/
+Db9OGg72kZ4sRY5Au+zyAAQYBwXhFWux194Jk5qK0JblNG9J5QMqZDcCgYEA5+5h
+BgHUMEO+pdME5lAiSc5PcNTejpA6j+OikCh4/HFXy3C/dLx+Cs1+egw64c8iVaIv
+NEo7n7E9I0e3XqanPRXhMnBRrP+39OVsWPmZ18Li2Hi84KwJyi8Y11l3XJOqaYpF
+wMVUuZpxR0dfG5k/5GwT/tEkmQBglOgG3m2zUMcCgYEA4m3Vd9ahV5dp5AXKpzKc
+JjiPMFfhxJo7+FEz0ZUCp03qYljBu/Jy4MKS/grrqyiCLdQGHNlk4SNxLvdUId78
+5gGBnuuDEJU2dAAIKUE9yq2YlBUZSacOxStI2snt28/X6P3LUWHm7LLU5OS1D3Vf
+mKPF/6MlSJuas5CEqVZNN+MCgYBH9Qh7IaQgmVQUBKVXg3Mv7OduvUyTdKIGtHxi
+N3xZ7hxsDP4JjNWaKmlcGmFGX8pqQRheI83d3NJ4GK8GmbP3Wst0p65fezMqsudr
+r30QmPFicgs/tYCQDw6o+aPzwAi2F+VOSqrfrtAIaldSq7hL+VA21dKB+cD9UgOX
+jPd+TwKBgQCbKeg2QNS2qhPIG9eaqJDROuxmxb/07d7OBctgMgxVvKhqW9hW42Sy
+gJ59fyz5QjFBaSfcOdf4gkKyEawVo45/q6ymIQU37R4vF4CW9Z3CfaIbwJp7LcHV
+zH07so/HNsZua6GWCSCLJU5MeCRiZzk2RFiS9KIaLP4gZndv4lXOiQ==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
index 0110bb996..55ac10935 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
@@ -6,9 +6,9 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
-carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
index 4a5e52dbd..d94b17950 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -2,4 +2,5 @@
charon {
load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ signature_authentication = no
}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
index 8a4215dcc..2d7324a9a 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
@@ -2,10 +2,10 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
-moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
-carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
-dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
+dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
index 7169a091d..a0831f746 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
@@ -1,7 +1,7 @@
dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
index 57cbee1d4..200ec3cfb 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
@@ -1,7 +1,7 @@
dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-384 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
index e1d33feb7..73173f06b 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
diff --git a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
index 1648c9557..1206ea4b7 100644
--- a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
@@ -1,6 +1,6 @@
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/description.txt b/testing/tests/swanctl/net2net-cert-ipv6/description.txt
deleted file mode 100755
index 5952ecc2d..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up.
-It connects the two subnets hiding behind their respective gateways. The authentication is based on
-X.509 certificates. Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
-automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic.
-In order to test both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind <b>moon</b>
-sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping6 command.
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/evaltest.dat b/testing/tests/swanctl/net2net-cert-ipv6/evaltest.dat
deleted file mode 100755
index cdbecd553..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index bd131af39..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
-
- fragment_size = 1400
-}
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf
deleted file mode 100755
index 16e145cd7..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-connections {
-
- gw-gw {
- local_addrs = fec0::1
- remote_addrs = fec0::2
-
- local {
- auth = pubkey
- certs = moonCert.pem
- id = moon.strongswan.org
- }
- remote {
- auth = pubkey
- id = sun.strongswan.org
- }
- children {
- net-net {
- local_ts = fec1::0/16
- remote_ts = fec2::0/16
-
- start_action = none
- updown = /usr/local/libexec/ipsec/_updown iptables
- rekey_time = 10m
- esp_proposals = aes128gcm128-modp2048
- }
- }
-
- version = 2
- mobike = no
- fragmentation = yes
- reauth_time = 60m
- rekey_time = 20m
- proposals = aes128-sha256-modp2048
- }
-}
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf
deleted file mode 100755
index bd131af39..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
-
- fragment_size = 1400
-}
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf
deleted file mode 100755
index 90aa137f0..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-connections {
-
- gw-gw {
- local_addrs = fec0::2
- remote_addrs = fec0::1
-
- local {
- auth = pubkey
- certs = sunCert.pem
- id = sun.strongswan.org
- }
- remote {
- auth = pubkey
- id = moon.strongswan.org
- }
- children {
- net-net {
- local_ts = fec2::0/16
- remote_ts = fec1::0/16
-
- start_action = none
- updown = /usr/local/libexec/ipsec/_updown iptables
- rekey_time = 10m
- esp_proposals = aes128gcm128-modp2048
- }
- }
-
- version = 2
- mobike = no
- fragmentation = yes
- reauth_time = 60m
- rekey_time = 20m
- proposals = aes128-sha256-modp2048
- }
-}
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/posttest.dat b/testing/tests/swanctl/net2net-cert-ipv6/posttest.dat
deleted file mode 100755
index a40a7dd2f..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/posttest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::service charon stop 2> /dev/null
-sun::service charon stop 2> /dev/null
-alice::"ip route del fec2:\:/16 via fec1:\:1"
-moon::"ip route del fec2:\:/16 via fec0:\:2"
-sun::"ip route del fec1:\:/16 via fec0:\:1"
-bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-moon::ip6tables-restore < /etc/ip6tables.flush
-sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/pretest.dat b/testing/tests/swanctl/net2net-cert-ipv6/pretest.dat
deleted file mode 100755
index 36e8e1999..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/pretest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-moon::iptables-restore < /etc/iptables.drop
-sun::iptables-restore < /etc/iptables.drop
-moon::ip6tables-restore < /etc/ip6tables.rules
-sun::ip6tables-restore < /etc/ip6tables.rules
-alice::"ip route add fec2:\:/16 via fec1:\:1"
-moon::"ip route add fec2:\:/16 via fec0:\:2"
-sun::"ip route add fec1:\:/16 via fec0:\:1"
-bob::"ip route add fec1:\:/16 via fec2:\:1"
-moon::service charon start 2> /dev/null
-sun::service charon start 2> /dev/null
-moon::sleep 1
-moon::swanctl --load-conns 2> /dev/null
-sun::swanctl --load-conns 2> /dev/null
-moon::swanctl --load-creds 2> /dev/null
-sun::swanctl --load-creds 2> /dev/null
-moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/tkm/host2host-initiator/evaltest.dat b/testing/tests/tkm/host2host-initiator/evaltest.dat
index d8d44dff6..de50ab32b 100644
--- a/testing/tests/tkm/host2host-initiator/evaltest.dat
+++ b/testing/tests/tkm/host2host-initiator/evaltest.dat
@@ -10,3 +10,7 @@ moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
+moon::DAEMON_NAME=charon-tkm ipsec down conn1 && sleep 1::no output expected::NO
+moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::YES
+moon::cat /tmp/tkm.log::Resetting ESA context 1::YES
+moon::cat /tmp/tkm.log::Deleting SA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES
diff --git a/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
index 7c8c6b24a..f5143f19a 100644
--- a/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
+++ b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
@@ -5,6 +5,7 @@ sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES
moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
diff --git a/testing/tests/tkm/multiple-clients/evaltest.dat b/testing/tests/tkm/multiple-clients/evaltest.dat
index 8e0042102..1f0c88b53 100644
--- a/testing/tests/tkm/multiple-clients/evaltest.dat
+++ b/testing/tests/tkm/multiple-clients/evaltest.dat
@@ -15,8 +15,7 @@ dave::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES
sun::cat /tmp/tkm.log::RSA private key '/etc/tkm/sunKey.der' loaded::YES
sun::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.2 <-> 192.168.0.100 \]::YES
sun::cat /tmp/tkm.log::Adding policy \[ 2, 192.168.0.2 <-> 192.168.0.200 \]::YES
-sun::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
-sun::cat /tmp/tkm.log::Checked CA certificate of CC context 2::YES
+sun::cat /tmp/tkm.log | grep "Checked CA certificate of CC context 1" | wc -l::2::YES
sun::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
sun::cat /tmp/tkm.log::Authentication of ISA context 2 successful::YES
sun::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.2 <-> 192.168.0.100, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
diff --git a/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat
index a38dba0ee..98eff247f 100644
--- a/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat
+++ b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat
@@ -5,6 +5,7 @@ sun::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES
moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
moon::cat /tmp/tkm.log::Adding policy \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16 \]::YES
moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
diff --git a/testing/tests/tkm/xfrmproxy-expire/description.txt b/testing/tests/tkm/xfrmproxy-expire/description.txt
new file mode 100644
index 000000000..9578cd8f3
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/description.txt
@@ -0,0 +1,6 @@
+A transport connection between the hosts <b>moon</b> and <b>sun</b> is set up.
+The host <b>moon</b> starts the Trusted Key Manager (TKM) and the Ada XFRM
+proxy, which relays XFRM kernel messages to charon. The authentication is based
+on X.509 certificates. The connection is initiated by a ping from <b>moon</b>
+to <b>sun</b>. The test asserts that XFRM expire messages from the kernel are
+handled correctly.
diff --git a/testing/tests/tkm/xfrmproxy-expire/evaltest.dat b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat
new file mode 100644
index 000000000..96b486a07
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat
@@ -0,0 +1,22 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
+sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES
+moon::cat /var/log/daemon.log::ees: expire received for reqid 1, spi.*, dst 192.168.0.2::YES
+moon::cat /var/log/daemon.log::creating rekey job for CHILD_SA ESP/0x.*/192.168.0.2::YES
+moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Creating first new ESA context with ID 1 (Isa 1, Sp 1, Ea 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES
+moon::cat /tmp/tkm.log::Creating ESA context with ID 2 (Isa 1, Sp 1, Ea 1, Dh_Id 1, Nc_Loc_Id 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES
+moon::cat /tmp/tkm.log | grep 'Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 2, hard 60 \]' | wc -l::2::YES
+moon::cat /tmp/tkm.log::Resetting ESA context 1::YES
+moon::cat /tmp/tkm.log::Deleting SA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES
+moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES
+moon::cat /tmp/xfrm_proxy.log::Initiating ESA expire (reqid 1, proto 50, SPI.*, hard FALSE)::YES
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cc9d6e072
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-tkm {
+ dh_mapping {
+ 15 = 1
+ 16 = 2
+ }
+}
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/moonKey.der
new file mode 100644
index 000000000..d3748930a
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/moonKey.der
Binary files differ
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/strongswanCert.der
new file mode 100644
index 000000000..a5a631f4b
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/strongswanCert.der
Binary files differ
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 000000000..23e958ab0
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,21 @@
+<tkmconfig>
+ <local_identity id="1">
+ <identity>moon.strongswan.org</identity>
+ <certificate>moonCert.pem</certificate>
+ </local_identity>
+ <policy id="1">
+ <mode>transport</mode>
+ <local>
+ <identity_id>1</identity_id>
+ <ip>192.168.0.1</ip>
+ </local>
+ <remote>
+ <identity>sun.strongswan.org</identity>
+ <ip>192.168.0.2</ip>
+ </remote>
+ <lifetime>
+ <soft>2</soft>
+ <hard>60</hard>
+ </lifetime>
+ </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..e52a04f42
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn host-host
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=sun.strongswan.org
+ right=PH_IP_MOON
+ rightid=moon.strongswan.org
+ ike=aes256-sha512-modp4096!
+ esp=aes256-sha512-modp4096!
+ type=transport
+ auto=add
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..f585edfca
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/tkm/xfrmproxy-expire/posttest.dat b/testing/tests/tkm/xfrmproxy-expire/posttest.dat
new file mode 100644
index 000000000..99efe7b00
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/posttest.dat
@@ -0,0 +1,5 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall xfrm_proxy
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log
+sun::ipsec stop
diff --git a/testing/tests/tkm/xfrmproxy-expire/pretest.dat b/testing/tests/tkm/xfrmproxy-expire/pretest.dat
new file mode 100644
index 000000000..d645ddbfe
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/pretest.dat
@@ -0,0 +1,12 @@
+sun::ipsec start
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+moon::expect-file /tmp/tkm.rpc.ees
+moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 &
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+sun::expect-connection host-host
+moon::ping -c 3 192.168.0.2
diff --git a/testing/tests/tkm/xfrmproxy-expire/test.conf b/testing/tests/tkm/xfrmproxy-expire/test.conf
new file mode 100644
index 000000000..9647dc6a2
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
index d93407434..b9eee4f57 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
@@ -1,8 +1,8 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
index e22b767f7..224807860 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
@@ -1,8 +1,8 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
index e22b767f7..224807860 100644
--- a/testing/tests/tnc/tnccs-11-radius/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
@@ -1,8 +1,8 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
diff --git a/testing/tests/tnc/tnccs-20-fail-init/description.txt b/testing/tests/tnc/tnccs-20-fail-init/description.txt
new file mode 100644
index 000000000..91fbbaad9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>.
+<p/>
+Unfortunately <b>carol</b> sends her first PB-TNC batch with a wrong version number and
+<b>dave</b> sends a PB-TNC message not supported by <b>moon</b> with the NOSKIP flag set.
+Therefore both connection setups fail due to fatal PB-TNC errors.
diff --git a/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat b/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat
new file mode 100644
index 000000000..4cbf60ff7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat
@@ -0,0 +1,10 @@
+moon:: cat /var/log/daemon.log::unsupported TNCCS batch version 0x03::YES
+carol::cat /var/log/daemon.log::received fatal PB-TNC error.*Version Not Supported.*caused by bad version 0x03::YES
+carol::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer carol@strongswan.org::YES
+carol::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::reject PB-TNC message (0x00902a/0x00000000)::YES
+dave:: cat /var/log/daemon.log::received fatal PB-TNC error.*Unsupported Mandatory Message::YES
+dave::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e2bf349d9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=any
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..fcd224651
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+
+ multiple_authentication = no
+
+ plugins {
+ tnccs-20 {
+ tests {
+ pb_tnc_version = 3
+ }
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imc-test {
+ command = allow
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..bfa666761
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..504408488
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=moon.strongswan.org
+ rightauth=any
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..76f413722
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,26 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+
+ multiple_authentication = no
+
+ plugins {
+ tnc-imc {
+ preferred_language = ru, pl , de
+ }
+ tnccs-20 {
+ tests {
+ pb_tnc_noskip = yes
+ }
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imc-test {
+ command = isolate
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..bfa666761
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..e21ef0d14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imv 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..9c13fcb67
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+
+ multiple_authentication = no
+
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imv-test {
+ rounds = 1
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..61b141062
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan client
+
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-init/posttest.dat b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat
new file mode 100644
index 000000000..b757d8b15
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat
@@ -0,0 +1,6 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat
new file mode 100644
index 000000000..38c651328
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-20-fail-init/test.conf b/testing/tests/tnc/tnccs-20-fail-init/test.conf
new file mode 100644
index 000000000..3c8e3996f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/description.txt b/testing/tests/tnc/tnccs-20-fail-resp/description.txt
new file mode 100644
index 000000000..0aa07193c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/description.txt
@@ -0,0 +1,9 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the client doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> via the <b>TNCCS 2.0 </b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>.
+<p/>
+Unfortunately <b>moon</b> sends his first PB-TNC batch with a wrong version number .
+Therefore the connection setup fails due to a fatal PB-TNC error.
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat b/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat
new file mode 100644
index 000000000..df4bdc857
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat
@@ -0,0 +1,5 @@
+carol:: cat /var/log/daemon.log::unsupported TNCCS batch version 0x03::YES
+moon::cat /var/log/daemon.log::received fatal PB-TNC error.*Version Not Supported.*caused by bad version 0x03::YES
+moon::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer carol@strongswan.org::YES
+carol::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e2bf349d9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=any
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ed6d6f718
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+
+ multiple_authentication = no
+}
+
+libimcv {
+ plugins {
+ imc-test {
+ command = allow
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..bfa666761
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..e21ef0d14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imv 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..626731f58
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,28 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+
+ multiple_authentication = no
+
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ tnccs-20 {
+ tests {
+ pb_tnc_version = 3
+ }
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imv-test {
+ rounds = 1
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..61b141062
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan client
+
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat
new file mode 100644
index 000000000..80ce1a125
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat
@@ -0,0 +1,4 @@
+carol::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
new file mode 100644
index 000000000..6947c4bdf
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/test.conf b/testing/tests/tnc/tnccs-20-fail-resp/test.conf
new file mode 100644
index 000000000..e8430743e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/description.txt b/testing/tests/tnc/tnccs-20-mutual-eap/description.txt
new file mode 100644
index 000000000..6c79b8c49
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/description.txt
@@ -0,0 +1,3 @@
+The hosts <b>moon</b> and <b>sun</b> do mutual TNC measurements over IKEv2-EAP
+using the PA-TNC, PB-TNC and PT-EAP protocols. The authentication is based on
+X.509 certificates.
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat
new file mode 100644
index 000000000..0ef7b5d7d
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat
@@ -0,0 +1,11 @@
+moon::cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES
+sun:: cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES
+moon::cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
+sun:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..47a0283dc
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 2, imc 2, imv 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn host-host
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=moon.strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=sun.strongswan.org
+ rightsendcert=never
+ rightauth=any
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..953e7fcea
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,26 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown
+
+ multiple_authentication = no
+ plugins {
+ eap-ttls {
+ phase2_tnc =yes
+ }
+ tnccs-20 {
+ mutual = yes
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imc-test {
+ command = allow
+ }
+ imv-test {
+ rounds = 1
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..476e8807e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC/IMV configuration file for strongSwan endpoint
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..c20bce930
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 2, imc 2, imv 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn host-host
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=sun.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=moon.strongswan.org
+ rightauth=eap-ttls
+ rightsendcert=never
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..570126a0e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,28 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown
+
+ multiple_authentication = no
+ plugins {
+ eap-ttls {
+ request_peer_auth = yes
+ phase2_piggyback = yes
+ phase2_tnc =yes
+ }
+ tnccs-20 {
+ mutual = yes
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imc-test {
+ command = allow
+ }
+ imv-test {
+ rounds = 1
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config
new file mode 100644
index 000000000..476e8807e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC/IMV configuration file for strongSwan endpoint
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat
new file mode 100644
index 000000000..1f7aa73a1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat
new file mode 100644
index 000000000..3bce9f6e5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up host-host
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/test.conf b/testing/tests/tnc/tnccs-20-mutual-eap/test.conf
new file mode 100644
index 000000000..55d6e9fd6
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt
new file mode 100644
index 000000000..09ab8e9f1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt
@@ -0,0 +1,3 @@
+The hosts <b>moon</b> and <b>sun</b> do mutual TNC measurements using the
+PA-TNC, PB-TNC and PT-TLS protocols. The authentication is based on
+X.509 certificates.
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat
new file mode 100644
index 000000000..eb996192d
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat
@@ -0,0 +1,6 @@
+moon::cat /var/log/auth.log::PT-TLS authentication complete::YES
+sun:: cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
+moon::cat /var/log/auth.log::activating mutual PB-TNC half duplex protocol::YES
+sun:: cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES
+moon::cat /var/log/auth.log::PB-TNC access recommendation is.*Access Allowed::YES
+sun:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..98c415edb
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,3 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+/* configuration is read from /etc/pts/options */
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options
new file mode 100644
index 000000000..79ae1e866
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options
@@ -0,0 +1,8 @@
+--connect sun.strongswan.org
+--client moon.strongswan.org
+--key /etc/ipsec.d/private/moonKey.pem
+--cert /etc/ipsec.d/certs/moonCert.pem
+--cert /etc/ipsec.d/cacerts/strongswanCert.pem
+--mutual
+--quiet
+--debug 2
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fafdac4aa
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pt-tls-client {
+ load = x509 openssl pem pkcs1 random nonce revocation curl tnc-tnccs tnc-imc tnc-imv tnccs-20
+}
+
+libimcv {
+ plugins {
+ imc-test {
+ command = allow
+ }
+ imv-test {
+ rounds = 1
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..476e8807e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC/IMV configuration file for strongSwan endpoint
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..ba629a24f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,9 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 2, imc 2, imv 2"
+
+conn pdp
+ leftcert=sunCert.pem
+ leftid=sun.strongswan.org
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..05ffdb178
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,28 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default tnc-pdp tnc-tnccs tnc-imc tnc-imv tnccs-20
+
+ plugins {
+ tnc-pdp {
+ server = sun.strongswan.org
+ radius {
+ enable = no
+ }
+ }
+ tnccs-20 {
+ mutual = yes
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imc-test {
+ command = allow
+ }
+ imv-test {
+ rounds = 1
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config
new file mode 100644
index 000000000..476e8807e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC/IMV configuration file for strongSwan endpoint
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat
new file mode 100644
index 000000000..e6ccb14fe
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat
@@ -0,0 +1 @@
+sun::ipsec stop
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat
new file mode 100644
index 000000000..fab55d11a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat
@@ -0,0 +1,4 @@
+sun::ipsec start
+moon::cat /etc/pts/options
+moon::sleep 1
+moon::ipsec pt-tls-client --optionsfrom /etc/pts/options
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf
new file mode 100644
index 000000000..55d6e9fd6
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
index a86fcff61..f744453e6 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
@@ -1,10 +1,10 @@
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
dave:: cat /var/log/daemon.log::collected ... SWID tags::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
carol::cat /var/log/daemon.log::collected ... SWID tag IDs::YES
carol::cat /var/log/daemon.log::collected 1 SWID tag::YES