From 7b0305f59ddab9ea026b202a8c569912e5bf9a90 Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer <rene@mayrhofer.eu.org>
Date: Wed, 4 Jul 2007 23:47:20 +0000
Subject: [svn-upgrade] Integrating new upstream version, strongswan (4.1.4)

---
 testing/INSTALL                                    |    6 +-
 testing/do-tests                                   |   10 +-
 testing/hosts/alice/etc/conf.d/net                 |    2 +
 testing/hosts/alice/etc/init.d/net.eth1            | 1124 ++++++++++++++++++++
 testing/hosts/carol/etc/init.d/iptables            |    4 +
 testing/hosts/carol/etc/ipsec.conf                 |    1 -
 testing/hosts/dave/etc/init.d/iptables             |    4 +
 testing/hosts/default/etc/hosts                    |    2 +
 testing/hosts/moon/etc/init.d/iptables             |    4 +
 testing/hosts/moon/etc/ipsec.conf                  |    1 -
 testing/scripts/build-hostconfig                   |    8 +-
 testing/scripts/start-switches                     |    2 +-
 testing/testing.conf                               |   36 +-
 .../tests/ike/rw-cert/hosts/dave/etc/ipsec.conf    |    1 -
 .../tests/ike/rw-cert/hosts/moon/etc/ipsec.conf    |    1 -
 .../ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf     |    1 -
 .../ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf  |    2 +-
 .../ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf   |    1 -
 .../ikev1/alg-serpent/hosts/carol/etc/ipsec.conf   |    2 +-
 .../ikev1/alg-serpent/hosts/moon/etc/ipsec.conf    |    1 -
 .../alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf |    1 -
 .../alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf  |    1 -
 .../ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf  |    2 +-
 .../ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf   |    1 -
 .../ikev1/alg-twofish/hosts/carol/etc/ipsec.conf   |    2 +-
 .../ikev1/alg-twofish/hosts/moon/etc/ipsec.conf    |    1 -
 .../ikev1/attr-cert/hosts/carol/etc/ipsec.conf     |    1 -
 .../ikev1/attr-cert/hosts/dave/etc/ipsec.conf      |    1 -
 .../ikev1/attr-cert/hosts/moon/etc/ipsec.conf      |    1 -
 .../ikev1/compress/hosts/carol/etc/ipsec.conf      |    1 -
 .../tests/ikev1/compress/hosts/moon/etc/ipsec.conf |    1 -
 .../crl-from-cache/hosts/carol/etc/ipsec.conf      |    1 -
 .../ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf |    1 -
 .../ikev1/crl-ldap/hosts/carol/etc/ipsec.conf      |    1 -
 .../tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf |    1 -
 .../ikev1/crl-revoked/hosts/carol/etc/ipsec.conf   |    1 -
 .../ikev1/crl-revoked/hosts/moon/etc/ipsec.conf    |    1 -
 .../ikev1/crl-strict/hosts/carol/etc/ipsec.conf    |    1 -
 .../ikev1/crl-strict/hosts/moon/etc/ipsec.conf     |    1 -
 .../ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf  |    1 -
 .../ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf   |    1 -
 .../ikev1/default-keys/hosts/carol/etc/ipsec.conf  |    1 -
 .../ikev1/default-keys/hosts/moon/etc/ipsec.conf   |    1 -
 .../ikev1/dpd-clear/hosts/moon/etc/ipsec.conf      |    1 -
 .../tests/ikev1/dynamic-initiator/description.txt  |   12 +
 testing/tests/ikev1/dynamic-initiator/evaltest.dat |    8 +
 .../dynamic-initiator/hosts/carol/etc/ipsec.conf   |   29 +
 .../dynamic-initiator/hosts/dave/etc/ipsec.conf    |   29 +
 .../hosts/dave/etc/ipsec.d/certs/carolCert.pem     |   25 +
 .../hosts/dave/etc/ipsec.d/private/carolKey.pem    |   30 +
 .../dynamic-initiator/hosts/dave/etc/ipsec.secrets |    3 +
 .../dynamic-initiator/hosts/moon/etc/ipsec.conf    |   26 +
 testing/tests/ikev1/dynamic-initiator/posttest.dat |   11 +
 testing/tests/ikev1/dynamic-initiator/pretest.dat  |   13 +
 testing/tests/ikev1/dynamic-initiator/test.conf    |   21 +
 .../tests/ikev1/dynamic-responder/description.txt  |   13 +
 testing/tests/ikev1/dynamic-responder/evaltest.dat |    8 +
 .../dynamic-responder/hosts/carol/etc/ipsec.conf   |   29 +
 .../dynamic-responder/hosts/dave/etc/ipsec.conf    |   29 +
 .../hosts/dave/etc/ipsec.d/certs/carolCert.pem     |   25 +
 .../hosts/dave/etc/ipsec.d/private/carolKey.pem    |   30 +
 .../dynamic-responder/hosts/dave/etc/ipsec.secrets |    3 +
 .../dynamic-responder/hosts/moon/etc/ipsec.conf    |   26 +
 testing/tests/ikev1/dynamic-responder/posttest.dat |   11 +
 testing/tests/ikev1/dynamic-responder/pretest.dat  |   13 +
 testing/tests/ikev1/dynamic-responder/test.conf    |   21 +
 .../tests/ikev1/dynamic-two-peers/description.txt  |   15 +
 testing/tests/ikev1/dynamic-two-peers/evaltest.dat |   10 +
 .../dynamic-two-peers/hosts/carol/etc/ipsec.conf   |   28 +
 .../dynamic-two-peers/hosts/dave/etc/ipsec.conf    |   28 +
 .../dynamic-two-peers/hosts/moon/etc/hosts.stale   |   67 ++
 .../dynamic-two-peers/hosts/moon/etc/ipsec.conf    |   31 +
 testing/tests/ikev1/dynamic-two-peers/posttest.dat |   10 +
 testing/tests/ikev1/dynamic-two-peers/pretest.dat  |   12 +
 testing/tests/ikev1/dynamic-two-peers/test.conf    |   21 +
 .../esp-ah-transport/hosts/carol/etc/ipsec.conf    |    1 -
 .../esp-ah-transport/hosts/moon/etc/ipsec.conf     |    1 -
 .../ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf |    1 -
 .../ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf  |    1 -
 .../ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf   |    2 +-
 .../ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf    |    1 -
 .../ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf  |    2 +-
 .../ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf   |    1 -
 .../esp-alg-strict-fail/hosts/carol/etc/ipsec.conf |    2 +-
 .../esp-alg-strict-fail/hosts/moon/etc/ipsec.conf  |    1 -
 .../esp-alg-strict/hosts/carol/etc/ipsec.conf      |    2 +-
 .../ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf |    1 -
 .../ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf  |    2 +-
 .../ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf   |    1 -
 .../host2host-swapped/hosts/moon/etc/ipsec.conf    |    1 -
 .../host2host-swapped/hosts/sun/etc/ipsec.conf     |    1 -
 .../host2host-transport/hosts/moon/etc/ipsec.conf  |    1 -
 .../host2host-transport/hosts/sun/etc/ipsec.conf   |    1 -
 .../ike-alg-sha2_384/hosts/carol/etc/ipsec.conf    |    1 -
 .../ike-alg-sha2_384/hosts/moon/etc/ipsec.conf     |    1 -
 .../ike-alg-sha2_512/hosts/carol/etc/ipsec.conf    |    1 -
 .../ike-alg-sha2_512/hosts/moon/etc/ipsec.conf     |    1 -
 .../ike-alg-strict-fail/hosts/carol/etc/ipsec.conf |    4 +-
 .../ike-alg-strict-fail/hosts/moon/etc/ipsec.conf  |    1 -
 .../ike-alg-strict/hosts/carol/etc/ipsec.conf      |    1 -
 .../ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf |    1 -
 .../mode-config-push/hosts/carol/etc/ipsec.conf    |    1 -
 .../mode-config-push/hosts/dave/etc/ipsec.conf     |    1 -
 .../mode-config-push/hosts/moon/etc/ipsec.conf     |    1 -
 .../mode-config-swapped/hosts/carol/etc/ipsec.conf |    1 -
 .../mode-config-swapped/hosts/dave/etc/ipsec.conf  |    1 -
 .../mode-config-swapped/hosts/moon/etc/ipsec.conf  |    1 -
 .../ikev1/mode-config/hosts/carol/etc/ipsec.conf   |    1 -
 .../ikev1/mode-config/hosts/dave/etc/ipsec.conf    |    1 -
 .../ikev1/mode-config/hosts/moon/etc/ipsec.conf    |    1 -
 .../multi-level-ca-ldap/hosts/carol/etc/ipsec.conf |    1 -
 .../multi-level-ca-ldap/hosts/dave/etc/ipsec.conf  |    1 -
 .../multi-level-ca-ldap/hosts/moon/etc/ipsec.conf  |    1 -
 .../multi-level-ca-loop/hosts/carol/etc/ipsec.conf |    1 -
 .../multi-level-ca-loop/hosts/moon/etc/ipsec.conf  |    1 -
 .../hosts/carol/etc/ipsec.conf                     |    1 -
 .../hosts/moon/etc/ipsec.conf                      |    1 -
 .../hosts/carol/etc/ipsec.conf                     |    1 -
 .../hosts/dave/etc/ipsec.conf                      |    1 -
 .../hosts/moon/etc/ipsec.conf                      |    1 -
 .../multi-level-ca/hosts/carol/etc/ipsec.conf      |    1 -
 .../ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf |    1 -
 .../ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf |    1 -
 .../ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf |    1 -
 .../ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf  |    1 -
 .../ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf    |    1 -
 .../ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf     |    1 -
 .../net2net-psk-fail/hosts/moon/etc/ipsec.conf     |    1 -
 .../net2net-psk-fail/hosts/sun/etc/ipsec.conf      |    1 -
 .../ikev1/net2net-psk/hosts/moon/etc/ipsec.conf    |    1 -
 .../ikev1/net2net-psk/hosts/sun/etc/ipsec.conf     |    1 -
 .../ikev1/net2net-route/hosts/moon/etc/ipsec.conf  |    1 -
 .../ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf    |    1 -
 .../ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf     |    1 -
 .../ikev1/net2net-start/hosts/moon/etc/ipsec.conf  |    1 -
 .../ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf  |    1 -
 .../ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf   |    1 -
 .../ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf   |    1 -
 .../ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf    |    1 -
 testing/tests/ikev1/passthrough/description.txt    |    6 +
 testing/tests/ikev1/passthrough/evaltest.dat       |    9 +
 .../ikev1/passthrough/hosts/moon/etc/ipsec.conf    |   32 +
 .../ikev1/passthrough/hosts/sun/etc/ipsec.conf     |   25 +
 testing/tests/ikev1/passthrough/posttest.dat       |    4 +
 testing/tests/ikev1/passthrough/pretest.dat        |    8 +
 testing/tests/ikev1/passthrough/test.conf          |   21 +
 .../protoport-dual/hosts/carol/etc/ipsec.conf      |    1 -
 .../ikev1/protoport-dual/hosts/moon/etc/ipsec.conf |    1 -
 .../protoport-pass/hosts/carol/etc/ipsec.conf      |    1 -
 .../ikev1/protoport-pass/hosts/moon/etc/ipsec.conf |    1 -
 testing/tests/ikev1/protoport-pass/posttest.dat    |    1 +
 testing/tests/ikev1/protoport-pass/pretest.dat     |    1 +
 .../protoport-route/hosts/carol/etc/ipsec.conf     |    1 -
 .../protoport-route/hosts/moon/etc/ipsec.conf      |    1 -
 .../ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf    |    1 -
 .../rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf   |    1 -
 .../rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf    |    1 -
 .../ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf   |    1 -
 .../ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf    |    1 -
 .../ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf   |    1 -
 .../ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf    |    1 -
 .../rw-psk-no-policy/hosts/carol/etc/ipsec.conf    |    1 -
 .../rw-psk-no-policy/hosts/moon/etc/ipsec.conf     |    1 -
 .../rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf    |    1 -
 .../rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf     |    1 -
 .../rw-rsa-no-policy/hosts/moon/etc/ipsec.conf     |    1 -
 .../ikev1/self-signed/hosts/carol/etc/ipsec.conf   |    1 -
 .../ikev1/self-signed/hosts/moon/etc/ipsec.conf    |    1 -
 .../starter-also-loop/hosts/moon/etc/ipsec.conf    |    1 -
 .../ikev1/starter-also/hosts/moon/etc/ipsec.conf   |    1 -
 .../starter-includes/hosts/carol/etc/ipsec.conf    |    1 -
 .../starter-includes/hosts/dave/etc/ipsec.conf     |    1 -
 .../ikev1/strong-certs/hosts/carol/etc/ipsec.conf  |    1 -
 .../ikev1/strong-certs/hosts/dave/etc/ipsec.conf   |    1 -
 .../ikev1/strong-certs/hosts/moon/etc/ipsec.conf   |    1 -
 .../virtual-ip-swapped/hosts/carol/etc/ipsec.conf  |    1 -
 .../virtual-ip-swapped/hosts/moon/etc/ipsec.conf   |    1 -
 .../ikev1/virtual-ip/hosts/carol/etc/ipsec.conf    |    1 -
 .../ikev1/virtual-ip/hosts/moon/etc/ipsec.conf     |    1 -
 .../ikev1/wildcards/hosts/carol/etc/ipsec.conf     |    1 -
 .../ikev1/wildcards/hosts/dave/etc/ipsec.conf      |    1 -
 .../ikev1/wildcards/hosts/moon/etc/ipsec.conf      |    1 -
 .../tests/ikev1/wlan/hosts/alice/etc/ipsec.conf    |    2 -
 testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf |    1 -
 .../tests/ikev1/wlan/hosts/venus/etc/ipsec.conf    |    2 -
 .../hosts/carol/etc/ipsec.conf                     |    1 -
 .../hosts/dave/etc/ipsec.conf                      |    1 -
 .../hosts/moon/etc/ipsec.conf                      |    1 -
 .../ikev1/xauth-psk/hosts/carol/etc/ipsec.conf     |    1 -
 .../ikev1/xauth-psk/hosts/dave/etc/ipsec.conf      |    1 -
 .../ikev1/xauth-psk/hosts/moon/etc/ipsec.conf      |    1 -
 .../xauth-rsa-fail/hosts/carol/etc/ipsec.conf      |    1 -
 .../ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf |    1 -
 .../hosts/carol/etc/ipsec.conf                     |    1 -
 .../hosts/dave/etc/ipsec.conf                      |    1 -
 .../hosts/moon/etc/ipsec.conf                      |    1 -
 .../xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf  |    1 -
 .../xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf   |    1 -
 .../ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf     |    1 -
 .../ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf      |    1 -
 .../ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf      |    1 -
 .../hosts/carol/etc/ipsec.conf                     |    1 -
 .../hosts/dave/etc/ipsec.conf                      |    1 -
 .../hosts/moon/etc/ipsec.conf                      |    1 -
 .../config-payload/hosts/carol/etc/ipsec.conf      |    1 -
 .../ikev2/config-payload/hosts/dave/etc/ipsec.conf |    1 -
 .../ikev2/config-payload/hosts/moon/etc/ipsec.conf |    1 -
 .../crl-from-cache/hosts/carol/etc/ipsec.conf      |    1 -
 .../ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf |    1 -
 .../ikev2/crl-ldap/hosts/carol/etc/init.d/iptables |    4 +
 .../ikev2/crl-ldap/hosts/carol/etc/ipsec.conf      |    1 -
 .../ikev2/crl-ldap/hosts/moon/etc/init.d/iptables  |    4 +
 .../tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf |    1 -
 .../ikev2/crl-revoked/hosts/carol/etc/ipsec.conf   |    1 -
 .../ikev2/crl-revoked/hosts/moon/etc/ipsec.conf    |    1 -
 .../ikev2/crl-strict/hosts/carol/etc/ipsec.conf    |    1 -
 .../ikev2/crl-strict/hosts/moon/etc/ipsec.conf     |    1 -
 .../ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf  |    1 -
 .../ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf   |    1 -
 .../ikev2/default-keys/hosts/carol/etc/ipsec.conf  |    1 -
 .../default-keys/hosts/moon/etc/init.d/iptables    |    4 +
 .../ikev2/default-keys/hosts/moon/etc/ipsec.conf   |    1 -
 .../ikev2/dpd-clear/hosts/carol/etc/ipsec.conf     |    1 -
 .../ikev2/dpd-clear/hosts/moon/etc/ipsec.conf      |    1 -
 .../ikev2/dpd-hold/hosts/carol/etc/ipsec.conf      |    1 -
 .../tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf |    1 -
 .../ikev2/dpd-restart/hosts/carol/etc/ipsec.conf   |    1 -
 .../ikev2/dpd-restart/hosts/moon/etc/ipsec.conf    |    1 -
 .../esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf     |    1 -
 .../esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf      |    1 -
 .../ikev2/host2host-cert/hosts/moon/etc/ipsec.conf |    1 -
 .../ikev2/host2host-cert/hosts/sun/etc/ipsec.conf  |    1 -
 .../host2host-swapped/hosts/moon/etc/ipsec.conf    |    1 -
 .../host2host-swapped/hosts/sun/etc/ipsec.conf     |    1 -
 .../host2host-transport/hosts/moon/etc/ipsec.conf  |    1 -
 .../host2host-transport/hosts/sun/etc/ipsec.conf   |    1 -
 testing/tests/ikev2/mobike-nat/description.txt     |    7 +
 testing/tests/ikev2/mobike-nat/evaltest.dat        |   16 +
 .../mobike-nat/hosts/alice/etc/init.d/iptables     |   83 ++
 .../ikev2/mobike-nat/hosts/alice/etc/ipsec.conf    |   24 +
 .../ikev2/mobike-nat/hosts/sun/etc/ipsec.conf      |   24 +
 testing/tests/ikev2/mobike-nat/posttest.dat        |    6 +
 testing/tests/ikev2/mobike-nat/pretest.dat         |   12 +
 testing/tests/ikev2/mobike-nat/test.conf           |   21 +
 .../tests/ikev2/mobike-virtual-ip/description.txt  |    7 +
 testing/tests/ikev2/mobike-virtual-ip/evaltest.dat |   16 +
 .../hosts/alice/etc/init.d/iptables                |   83 ++
 .../mobike-virtual-ip/hosts/alice/etc/ipsec.conf   |   24 +
 .../mobike-virtual-ip/hosts/sun/etc/ipsec.conf     |   24 +
 testing/tests/ikev2/mobike-virtual-ip/posttest.dat |    5 +
 testing/tests/ikev2/mobike-virtual-ip/pretest.dat  |   10 +
 testing/tests/ikev2/mobike-virtual-ip/test.conf    |   21 +
 testing/tests/ikev2/mobike/description.txt         |    7 +
 testing/tests/ikev2/mobike/evaltest.dat            |   18 +
 .../ikev2/mobike/hosts/alice/etc/init.d/iptables   |   83 ++
 .../tests/ikev2/mobike/hosts/alice/etc/ipsec.conf  |   23 +
 .../tests/ikev2/mobike/hosts/sun/etc/ipsec.conf    |   23 +
 testing/tests/ikev2/mobike/posttest.dat            |    5 +
 testing/tests/ikev2/mobike/pretest.dat             |   10 +
 testing/tests/ikev2/mobike/test.conf               |   21 +
 .../multi-level-ca-ldap/hosts/carol/etc/ipsec.conf |    1 -
 .../multi-level-ca-ldap/hosts/dave/etc/ipsec.conf  |    1 -
 .../hosts/moon/etc/init.d/iptables                 |    4 +
 .../multi-level-ca-ldap/hosts/moon/etc/ipsec.conf  |    1 -
 .../multi-level-ca-loop/hosts/carol/etc/ipsec.conf |    1 -
 .../multi-level-ca-loop/hosts/moon/etc/ipsec.conf  |    1 -
 .../hosts/carol/etc/ipsec.conf                     |    1 -
 .../hosts/moon/etc/ipsec.conf                      |    1 -
 .../multi-level-ca/hosts/carol/etc/ipsec.conf      |    1 -
 .../ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf |    1 -
 .../ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf |    1 -
 testing/tests/ikev2/nat-one-rw/pretest.dat         |    1 +
 .../ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf  |    1 -
 .../ikev2/net2net-psk/hosts/moon/etc/ipsec.conf    |    1 -
 .../ikev2/net2net-psk/hosts/sun/etc/ipsec.conf     |    1 -
 .../ikev2/net2net-route/hosts/moon/etc/ipsec.conf  |    1 -
 .../ikev2/net2net-start/hosts/moon/etc/ipsec.conf  |    1 -
 .../ikev2/net2net-start/hosts/sun/etc/ipsec.conf   |    1 -
 .../ocsp-local-cert/hosts/carol/etc/ipsec.conf     |    1 -
 .../ocsp-local-cert/hosts/moon/etc/ipsec.conf      |    1 -
 .../ocsp-multi-level/hosts/carol/etc/ipsec.conf    |    1 -
 .../ocsp-multi-level/hosts/dave/etc/ipsec.conf     |    1 -
 .../ocsp-multi-level/hosts/moon/etc/ipsec.conf     |    1 -
 .../ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf |    1 -
 .../ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf  |    1 -
 .../ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf  |    1 -
 .../ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf   |    1 -
 .../ocsp-root-cert/hosts/carol/etc/ipsec.conf      |    1 -
 .../ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf |    1 -
 .../ocsp-signer-cert/hosts/carol/etc/ipsec.conf    |    1 -
 .../ocsp-signer-cert/hosts/moon/etc/ipsec.conf     |    1 -
 .../ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf   |    1 -
 .../ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf    |    1 -
 .../ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf    |    1 -
 .../ocsp-timeouts-good/hosts/carol/etc/ipsec.conf  |    1 -
 .../ocsp-timeouts-good/hosts/moon/etc/ipsec.conf   |    1 -
 .../hosts/carol/etc/ipsec.conf                     |    1 -
 .../hosts/moon/etc/ipsec.conf                      |    1 -
 .../ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf |    1 -
 .../ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf  |    1 -
 .../protoport-dual/hosts/carol/etc/ipsec.conf      |    1 -
 .../ikev2/protoport-dual/hosts/moon/etc/ipsec.conf |    1 -
 .../protoport-route/hosts/carol/etc/ipsec.conf     |    1 -
 .../protoport-route/hosts/moon/etc/ipsec.conf      |    1 -
 .../tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf |    1 -
 .../tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf  |    1 -
 .../tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf  |    1 -
 .../ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf   |    1 -
 .../ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf    |    1 -
 .../ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf    |    1 -
 .../ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf   |    1 -
 .../ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf    |    1 -
 .../ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf    |    1 -
 .../ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf |    1 -
 .../ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf  |    1 -
 .../ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf  |    1 -
 .../rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf    |    1 -
 .../rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf     |    1 -
 .../rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf     |    1 -
 .../rw-psk-rsa-split/hosts/carol/etc/ipsec.conf    |    1 -
 .../rw-psk-rsa-split/hosts/dave/etc/ipsec.conf     |    1 -
 .../rw-psk-rsa-split/hosts/moon/etc/ipsec.conf     |    1 -
 .../strong-keys-certs/hosts/carol/etc/ipsec.conf   |    1 -
 .../strong-keys-certs/hosts/dave/etc/ipsec.conf    |    1 -
 .../strong-keys-certs/hosts/moon/etc/ipsec.conf    |    1 -
 .../ikev2/two-certs/hosts/carol/etc/ipsec.conf     |    1 -
 .../ikev2/two-certs/hosts/dave/etc/ipsec.conf      |    1 -
 .../ikev2/two-certs/hosts/moon/etc/ipsec.conf      |    1 -
 .../ikev2/wildcards/hosts/carol/etc/ipsec.conf     |    1 -
 .../ikev2/wildcards/hosts/dave/etc/ipsec.conf      |    1 -
 .../ikev2/wildcards/hosts/moon/etc/ipsec.conf      |    1 -
 331 files changed, 2519 insertions(+), 282 deletions(-)
 create mode 100755 testing/hosts/alice/etc/init.d/net.eth1
 create mode 100644 testing/tests/ikev1/dynamic-initiator/description.txt
 create mode 100644 testing/tests/ikev1/dynamic-initiator/evaltest.dat
 create mode 100755 testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/certs/carolCert.pem
 create mode 100644 testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem
 create mode 100644 testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.secrets
 create mode 100755 testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/dynamic-initiator/posttest.dat
 create mode 100644 testing/tests/ikev1/dynamic-initiator/pretest.dat
 create mode 100644 testing/tests/ikev1/dynamic-initiator/test.conf
 create mode 100644 testing/tests/ikev1/dynamic-responder/description.txt
 create mode 100644 testing/tests/ikev1/dynamic-responder/evaltest.dat
 create mode 100755 testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/certs/carolCert.pem
 create mode 100644 testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/private/carolKey.pem
 create mode 100644 testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.secrets
 create mode 100755 testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/dynamic-responder/posttest.dat
 create mode 100644 testing/tests/ikev1/dynamic-responder/pretest.dat
 create mode 100644 testing/tests/ikev1/dynamic-responder/test.conf
 create mode 100644 testing/tests/ikev1/dynamic-two-peers/description.txt
 create mode 100644 testing/tests/ikev1/dynamic-two-peers/evaltest.dat
 create mode 100755 testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/hosts.stale
 create mode 100755 testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/dynamic-two-peers/posttest.dat
 create mode 100644 testing/tests/ikev1/dynamic-two-peers/pretest.dat
 create mode 100644 testing/tests/ikev1/dynamic-two-peers/test.conf
 create mode 100644 testing/tests/ikev1/passthrough/description.txt
 create mode 100644 testing/tests/ikev1/passthrough/evaltest.dat
 create mode 100755 testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/passthrough/posttest.dat
 create mode 100644 testing/tests/ikev1/passthrough/pretest.dat
 create mode 100644 testing/tests/ikev1/passthrough/test.conf
 create mode 100644 testing/tests/ikev2/mobike-nat/description.txt
 create mode 100644 testing/tests/ikev2/mobike-nat/evaltest.dat
 create mode 100755 testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
 create mode 100755 testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/mobike-nat/posttest.dat
 create mode 100644 testing/tests/ikev2/mobike-nat/pretest.dat
 create mode 100644 testing/tests/ikev2/mobike-nat/test.conf
 create mode 100644 testing/tests/ikev2/mobike-virtual-ip/description.txt
 create mode 100644 testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
 create mode 100755 testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
 create mode 100755 testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/mobike-virtual-ip/posttest.dat
 create mode 100644 testing/tests/ikev2/mobike-virtual-ip/pretest.dat
 create mode 100644 testing/tests/ikev2/mobike-virtual-ip/test.conf
 create mode 100644 testing/tests/ikev2/mobike/description.txt
 create mode 100644 testing/tests/ikev2/mobike/evaltest.dat
 create mode 100755 testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
 create mode 100755 testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/mobike/posttest.dat
 create mode 100644 testing/tests/ikev2/mobike/pretest.dat
 create mode 100644 testing/tests/ikev2/mobike/test.conf

(limited to 'testing')

diff --git a/testing/INSTALL b/testing/INSTALL
index d19c7eafe..a48c5a253 100644
--- a/testing/INSTALL
+++ b/testing/INSTALL
@@ -53,7 +53,7 @@ are required for the strongSwan testing environment:
     * A vanilla Linux kernel on which the UML kernel will be based on.
       We recommend the use of
 
-      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.21.1.tar.bz2
+      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.21.5.tar.bz2
 
     * Starting with Linux kernel 2.6.9 no patch must be applied any more in order
       to make the vanilla kernel UML-capable. For older kernels you'll find
@@ -67,11 +67,11 @@ are required for the strongSwan testing environment:
 
     * A gentoo-based UML file system (compressed size 130 MBytes) found at
 
-      http://download.strongswan.org/uml/gentoo-fs-20061006.tar.bz2
+      http://download.strongswan.org/uml/gentoo-fs-20070702.tar.bz2
 
     * The latest strongSwan distribution
 
-      http://download.strongswan.org/strongswan-4.1.3.tar.gz
+      http://download.strongswan.org/strongswan-4.1.4.tar.gz
 
 
 3. Creating the environment
diff --git a/testing/do-tests b/testing/do-tests
index 8cb99410b..72379bda0 100755
--- a/testing/do-tests
+++ b/testing/do-tests
@@ -79,6 +79,8 @@ do
         eval ipv6_sun1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
         ;;
     alice)
+        eval ipv4_alice1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        eval ipv6_alice1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
         ;;
     venus)
         ;;
@@ -191,7 +193,7 @@ do
 	echo "    <tr>" >> $INDEX
     echo "      <td>$FIRST</td>">> $INDEX
     echo "      <td><a href=\"$SUBDIR/index.html\">$SUBDIR</a></td>" >> $INDEX
-    echo "      <td align=\"right\"></td>" >> $INDEX
+    echo "      <td align=\"right\">x</td>" >> $INDEX
     echo "      <td>&nbsp;</td>" >> $INDEX
     echo "    </tr>" >> $INDEX
 	SUBTESTSINDEX=$TODAYDIR/$SUBDIR/index.html
@@ -278,8 +280,10 @@ do
 		searchandreplace PH_IP6_SUN      $ipv6_sun  $TESTDIR
 		;;
 	    alice)
-		searchandreplace PH_IP_ALICE     $ipv4_alice $TESTDIR
-		searchandreplace PH_IP6_ALICE    $ipv6_alice $TESTDIR
+		searchandreplace PH_IP_ALICE1    $ipv4_alice1 $TESTDIR
+		searchandreplace PH_IP_ALICE     $ipv4_alice  $TESTDIR
+		searchandreplace PH_IP6_ALICE1   $ipv6_alice1 $TESTDIR
+		searchandreplace PH_IP6_ALICE    $ipv6_alice  $TESTDIR
 		;;
 	    venus)
 		searchandreplace PH_IP_VENUS     $ipv4_venus $TESTDIR
diff --git a/testing/hosts/alice/etc/conf.d/net b/testing/hosts/alice/etc/conf.d/net
index 02494db97..41e8887c4 100644
--- a/testing/hosts/alice/etc/conf.d/net
+++ b/testing/hosts/alice/etc/conf.d/net
@@ -4,6 +4,8 @@
 #
 config_eth0=( "PH_IP_ALICE broadcast 10.1.255.255 netmask 255.255.0.0"
               "PH_IP6_ALICE/16" )
+config_eth1=( "PH_IP_ALICE1 broadcast 192.168.0.255 netmask 255.255.255.0"
+              "PH_IP6_ALICE1/16" )
 
 # For setting the default gateway
 #
diff --git a/testing/hosts/alice/etc/init.d/net.eth1 b/testing/hosts/alice/etc/init.d/net.eth1
new file mode 100755
index 000000000..92b3851cf
--- /dev/null
+++ b/testing/hosts/alice/etc/init.d/net.eth1
@@ -0,0 +1,1124 @@
+#!/sbin/runscript
+# Copyright (c) 2004-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Contributed by Roy Marples (uberlord@gentoo.org)
+# Many thanks to Aron Griffis (agriffis@gentoo.org)
+# for help, ideas and patches
+
+#NB: Config is in /etc/conf.d/net
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	need localmount
+	after bootmisc hostname
+	use isapnp isdn pcmcia usb wlan
+
+	# Load any custom depend functions for the given interface
+	# For example, br0 may need eth0 and eth1
+	local iface="${SVCNAME#*.}"
+	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
+
+	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
+		after net.lo net.lo0
+
+		# Support new style RC_NEED and RC_USE in one net file
+		local x="RC_NEED_${iface}"
+		[[ -n ${!x} ]] && need ${!x}
+		x="RC_USE_${iface}"
+		[[ -n ${!x} ]] && use ${!x}
+	fi
+
+	return 0
+}
+
+# Define where our modules are
+MODULES_DIR="${svclib}/net"
+
+# Make some wrappers to fudge after/before/need/use depend flags.
+# These are callbacks so MODULE will be set.
+after() {
+	eval "${MODULE}_after() { echo \"$*\"; }"
+}
+before() {
+	eval "${MODULE}_before() { echo \"$*\"; }"
+}
+need() {
+	eval "${MODULE}_need() { echo \"$*\"; }"
+}
+installed() {
+	# We deliberately misspell this as _installed will probably be used
+	# at some point
+	eval "${MODULE}_instlled() { echo \"$*\"; }"
+}
+provide() {
+	eval "${MODULE}_provide() { echo \"$*\"; }"
+}
+functions() {
+	eval "${MODULE}_functions() { echo \"$*\"; }"
+}
+variables() {
+	eval "${MODULE}_variables() { echo \"$*\"; }"
+}
+
+is_loopback() {
+	[[ $1 == "lo" || $1 == "lo0" ]]
+}
+
+# char* interface_device(char *iface)
+#
+# Gets the base device of the interface
+# Can handle eth0:1 and eth0.1
+# Which returns eth0 in this case
+interface_device() {
+	local dev="${1%%.*}"
+	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
+	echo "${dev}"
+}
+
+# char* interface_type(char* iface)
+#
+# Returns the base type of the interface
+# eth, ippp, etc
+interface_type() {
+	echo "${1%%[0-9]*}"
+}
+
+# int calculate_metric(char *interface, int base)
+#
+# Calculates the best metric for the interface
+# We use this when we add routes so we can prefer interfaces over each other
+calculate_metric() {
+	local iface="$1" metric="$2"
+
+	# Have we already got a metric?
+	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
+		/proc/net/route)
+	if [[ -n ${m} ]] ; then
+		echo "${m}"
+		return 0
+	fi
+
+	local i= dest= gw= flags= ref= u= m= mtu= metrics=
+	while read i dest gw flags ref u m mtu ; do
+		# Ignore lo
+		is_loopback "${i}" && continue
+		# We work out metrics from default routes only
+		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
+		metrics="${metrics}\n${m}"
+	done < /proc/net/route
+
+	# Now, sort our metrics
+	metrics=$(echo -e "${metrics}" | sort -n)
+
+	# Now, find the lowest we can use
+	local gotbase=false
+	for m in ${metrics} ; do
+		[[ ${m} -lt ${metric} ]] && continue
+		[[ ${m} == ${metric} ]] && ((metric++))
+		[[ ${m} -gt ${metric} ]] && break
+	done
+	
+	echo "${metric}"
+}
+
+# int netmask2cidr(char *netmask)
+#
+# Returns the CIDR of a given netmask
+netmask2cidr() {
+	local binary= i= bin=
+
+	for i in ${1//./ }; do
+		bin=""
+		while [[ ${i} != "0" ]] ; do
+			bin=$[${i}%2]${bin}
+			(( i=i>>1 ))
+		done
+		binary="${binary}${bin}"
+	done
+	binary="${binary%%0*}"
+	echo "${#binary}"
+}
+
+
+# bool is_function(char* name)
+#
+# Returns 0 if the given name is a shell function, otherwise 1
+is_function() {
+	[[ -z $1 ]] && return 1
+	[[ $(type -t "$1") == "function" ]]
+}
+
+# void function_wrap(char* source, char* target)
+#
+# wraps function calls - for example function_wrap(this, that)
+# maps function names this_* to that_*
+function_wrap() {
+	local i=
+
+	is_function "${2}_depend" && return
+
+	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
+		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
+	done
+}
+
+# char[] * expand_parameters(char *cmd)
+#
+# Returns an array after expanding parameters. For example
+# "192.168.{1..3}.{1..3}/24 brd +"
+# will return
+# "192.168.1.1/24 brd +"
+# "192.168.1.2/24 brd +"
+# "192.168.1.3/24 brd +"
+# "192.168.2.1/24 brd +"
+# "192.168.2.2/24 brd +"
+# "192.168.2.3/24 brd +"
+# "192.168.3.1/24 brd +"
+# "192.168.3.2/24 brd +"
+# "192.168.3.3/24 brd +"
+expand_parameters() {
+	local x=$(eval echo ${@// /_})
+	local -a a=( ${x} )
+
+	a=( "${a[@]/#/\"}" )
+	a=( "${a[@]/%/\"}" )
+	echo "${a[*]//_/ }"
+}
+
+# void configure_variables(char *interface, char *option1, [char *option2])
+#
+# Maps configuration options from <variable>_<option> to <variable>_<iface>
+# option2 takes precedence over option1
+configure_variables() {
+	local iface="$1" option1="$2" option2="$3"
+
+	local mod= func= x= i=
+	local -a ivars=() ovars1=() ovars2=()
+	local ifvar=$(bash_variable "${iface}")
+
+	for mod in ${MODULES[@]}; do
+		is_function ${mod}_variables || continue
+		for v in $(${mod}_variables) ; do
+			x=
+			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
+			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
+			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
+		done
+	done
+
+	return 0
+}
+# bool module_load_minimum(char *module)
+#
+# Does the minimum checking on a module - even when forcing
+module_load_minimum() {
+	local f="$1.sh" MODULE="${1##*/}"
+
+	if [[ ! -f ${f} ]] ; then
+		eerror "${f} does not exist"
+		return 1
+	fi
+
+	if ! source "${f}" ; then
+		eerror "${MODULE} failed a sanity check"
+		return 1
+	fi
+
+	for f in depend; do
+		is_function "${MODULE}_${f}" && continue
+		eerror "${MODULE}.sh does not support the required function ${f}"
+		return 1
+	done
+
+	return 0
+}
+
+# bool modules_load_auto()
+#
+# Load and check each module for sanity
+# If the module is not installed, the functions are to be removed
+modules_load_auto() {
+	local i j inst
+
+	# Populate the MODULES array
+	# Basically we treat evey file in ${MODULES_DIR} as a module
+	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
+	j="${#MODULES[@]}"
+	for (( i=0; i<j; i++ )); do
+		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
+		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
+	done
+	MODULES=( "${MODULES[@]}" )
+
+	# Each of these sources into the global namespace, so it's
+	# important that module functions and variables are prefixed with
+	# the module name, for example iproute2_
+
+	j="${#MODULES[@]}"
+	loaded_interface=false
+	for (( i=0; i<j; i++ )); do
+		MODULES[i]="${MODULES[i]%.sh*}"
+		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
+			eerror "interface is a reserved name - cannot load a module called interface"
+			return 1
+		fi
+		
+		(
+		u=0;
+		module_load_minimum "${MODULES[i]}" || u=1;
+		if [[ ${u} == 0 ]] ; then
+			inst="${MODULES[i]##*/}_check_installed";
+			if is_function "${inst}" ; then
+				${inst} false || u=1;
+			fi
+		fi
+		exit "${u}";
+		)
+
+		if [[ $? == 0 ]] ; then
+			source "${MODULES[i]}.sh"
+			MODULES[i]="${MODULES[i]##*/}"
+		else
+			unset MODULES[i]
+		fi
+	done
+
+	MODULES=( "${MODULES[@]}" )
+	return 0
+}
+
+# bool modules_check_installed(void)
+#
+# Ensure that all modules have the required modules loaded
+# This enables us to remove modules from the MODULES array
+# Whilst other modules can still explicitly call them
+# One example of this is essidnet which configures network
+# settings for the specific ESSID connected to as the user
+# may be using a daemon to configure wireless instead of our
+# iwconfig module
+modules_check_installed() {
+	local i j missingdeps nmods="${#MODULES[@]}"
+
+	for (( i=0; i<nmods; i++ )); do
+		is_function "${MODULES[i]}_instlled" || continue
+		for j in $( ${MODULES[i]}_instlled ); do
+			missingdeps=true
+			if is_function "${j}_check_installed" ; then
+				${j}_check_installed && missingdeps=false
+			elif is_function "${j}_depend" ; then
+				missingdeps=false
+			fi
+			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
+		done
+	done
+
+	MODULES=( "${MODULES[@]}" )
+	PROVIDES=( "${PROVIDES[@]}" )
+}
+
+# bool modules_check_user(void)
+modules_check_user() {
+	local iface="$1" ifvar=$(bash_variable "${IFACE}")
+	local i= j= k= l= nmods="${#MODULES[@]}"
+	local -a umods=()
+
+	# Has the interface got any specific modules?
+	umods="modules_${ifvar}[@]"
+	umods=( "${!umods}" )
+
+	# Global setting follows interface-specific setting
+	umods=( "${umods[@]}" "${modules[@]}" )
+
+	# Add our preferred modules
+	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
+	umods=( "${umods[@]}" "${pmods[@]}" )
+
+	# First we strip any modules that conflict from user settings
+	# So if the user specifies pump then we don't use dhcpcd
+	for (( i=0; i<${#umods[@]}; i++ )); do
+		# Some users will inevitably put "dhcp" in their modules
+		# list.  To keep users from screwing up their system this
+		# way, ignore this setting so that the default dhcp
+		# module will be used.
+		[[ ${umods[i]} == "dhcp" ]] && continue
+
+		# We remove any modules we explicitly don't want
+		if [[ ${umods[i]} == "!"* ]] ; then
+			for (( j=0; j<nmods; j++ )); do
+				[[ -z ${MODULES[j]} ]] && continue
+				if [[ ${umods[i]:1} == "${MODULES[j]}" \
+					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
+					# We may need to setup a class wrapper for it even though
+					# we don't use it directly
+					# However, we put it into an array and wrap later as
+					# another module may provide the same thing
+					${MODULES[j]}_check_installed \
+						&& WRAP_MODULES=(
+							"${WRAP_MODULES[@]}"
+							"${MODULES[j]} ${PROVIDES[j]}"
+						)
+					unset MODULES[j]
+					unset PROVIDES[j]
+				fi
+			done
+			continue
+		fi
+
+		if ! is_function "${umods[i]}_depend" ; then
+			# If the module is one of our preferred modules, then
+			# ignore this error; whatever is available will be
+			# used instead.
+			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
+
+			# The function may not exist because the modules software is
+			# not installed. Load the module and report its error
+			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
+				source "${MODULES_DIR}/${umods[i]}.sh"
+				is_function "${umods[i]}_check_installed" \
+					&& ${umods[i]}_check_installed true
+			else
+				eerror "The module \"${umods[i]}\" does not exist"
+			fi
+			return 1
+		fi
+
+		if is_function "${umods[i]}_provide" ; then
+			mod=$(${umods[i]}_provide)
+		else
+			mod="${umods[i]}"
+		fi
+		for (( j=0; j<nmods; j++ )); do
+			[[ -z ${MODULES[j]} ]] && continue
+			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
+				# We don't have a match - now ensure that we still provide an
+				# alternative. This is to handle our preferred modules.
+				for (( l=0; l<nmods; l++ )); do
+					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
+					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
+						unset MODULES[j]
+						unset PROVIDES[j]
+						break
+					fi
+				done
+			fi
+		done
+	done
+
+	# Then we strip conflicting modules.
+	# We only need to do this for 3rd party modules that conflict with
+	# our own modules and the preferred list AND the user modules
+	# list doesn't specify a preference.
+	for (( i=0; i<nmods-1; i++ )); do
+		[[ -z ${MODULES[i]} ]] && continue			
+		for (( j=i+1; j<nmods; j++)); do
+			[[ -z ${MODULES[j]} ]] && continue
+			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
+			&& unset MODULES[j] && unset PROVIDES[j]
+		done
+	done
+
+	MODULES=( "${MODULES[@]}" )
+	PROVIDES=( "${PROVIDES[@]}" )
+	return 0
+}
+
+# void modules_sort(void)
+#
+# Sort our modules
+modules_sort() {
+	local i= j= nmods=${#MODULES[@]} m=
+	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
+
+	# Make our provide list
+	for ((i=0; i<nmods; i++)); do
+		dead[i]="false"
+		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
+			local provided=false
+			for ((j=0; j<${#provide[@]}; j++)); do
+				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
+					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
+					provided=true
+				fi
+			done
+			if ! ${provided}; then
+				provide[j]="${PROVIDES[i]}"
+				provide_list[j]="${MODULES[i]}"
+			fi
+		fi
+	done
+
+	# Create an after array, which holds which modules the module at
+	# index i must be after
+	for ((i=0; i<nmods; i++)); do
+		if is_function "${MODULES[i]}_after" ; then
+			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
+		fi
+		if is_function "${MODULES[i]}_before" ; then
+			for m in $(${MODULES[i]}_before); do
+				for ((j=0; j<nmods; j++)) ; do
+					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
+						after[j]=" ${after[j]} ${MODULES[i]} "
+						break
+					fi
+				done
+			done
+		fi
+	done
+
+	# Replace the after list modules with real modules
+	for ((i=0; i<nmods; i++)); do
+		if [[ -n ${after[i]} ]] ; then
+			for ((j=0; j<${#provide[@]}; j++)); do
+				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
+			done
+		fi
+	done
+	
+	# We then use the below code to provide a topologial sort
+    module_after_visit() {
+        local name="$1" i= x=
+
+		for ((i=0; i<nmods; i++)); do
+			[[ ${MODULES[i]} == "$1" ]] && break
+		done
+
+        ${dead[i]} && return
+        dead[i]="true"
+
+        for x in ${after[i]} ; do
+            module_after_visit "${x}"
+        done
+
+        sorted=( "${sorted[@]}" "${MODULES[i]}" )
+		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
+    }
+
+	for x in ${MODULES[@]}; do
+		module_after_visit "${x}"
+	done
+
+	MODULES=( "${sorted[@]}" )
+	PROVIDES=( "${sortedp[@]}" )
+}
+
+# bool modules_check_depends(bool showprovides)
+modules_check_depends() {
+	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
+	local missingdeps= p= interface=false
+
+	for (( i=0; i<nmods; i++ )); do
+		if is_function "${MODULES[i]}_need" ; then
+			for needmod in $(${MODULES[i]}_need); do
+				missingdeps=true
+				for (( j=0; j<nmods; j++ )); do
+					if [[ ${needmod} == "${MODULES[j]}" \
+						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
+						missingdeps=false
+						break
+					fi
+				done
+				if ${missingdeps} ; then
+					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
+					return 1
+				fi
+			done
+		fi
+
+		if is_function "${MODULES[i]}_functions" ; then
+			for f in $(${MODULES[i]}_functions); do
+				if ! is_function "${f}" ; then
+					eerror "${MODULES[i]}: missing required function \"${f}\""
+					return 1
+				fi
+			done
+		fi
+
+		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
+
+		if ${showprovides} ; then
+			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
+			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
+		fi
+	done
+
+	if ! ${interface} ; then
+		eerror "no interface module has been loaded"
+		return 1
+	fi
+
+	return 0
+}
+
+# bool modules_load(char *iface, bool starting)
+#
+# Loads the defined handler and modules for the interface
+# Returns 0 on success, otherwise 1
+modules_load()  {
+	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
+	local -a x=()
+	local RC_INDENTATION="${RC_INDENTATION}"
+	local -a PROVIDES=() WRAP_MODULES=()
+
+	if ! is_loopback "${iface}" ; then
+		x="modules_force_${iface}[@]"
+		[[ -n ${!x} ]] && modules_force=( "${!x}" )
+		if [[ -n ${modules_force} ]] ; then
+			ewarn "WARNING: You are forcing modules!"
+			ewarn "Do not complain or file bugs if things start breaking"
+			report=true
+		fi
+	fi
+
+	veinfo "Loading networking modules for ${iface}"
+	eindent
+
+	if [[ -z ${modules_force} ]] ; then
+		modules_load_auto || return 1
+	else
+		j="${#modules_force[@]}"
+		for (( i=0; i<j; i++ )); do
+			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
+			if is_function "${modules_force[i]}_check_installed" ; then
+				${modules_force[i]}_check_installed || unset modules_force[i]
+			fi
+		done
+		MODULES=( "${modules_force[@]}" )
+	fi
+
+	j="${#MODULES[@]}"
+	for (( i=0; i<j; i++ )); do
+		# Now load our dependencies - we need to use the MODULE variable
+		# here as the after/before/need functions use it
+		MODULE="${MODULES[i]}"
+		${MODULE}_depend
+
+		# expose does exactly the same thing as depend
+		# However it is more "correct" as it exposes things to other modules
+		# instead of depending on them ;)
+		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
+
+		# If no provide is given, assume module name
+		if is_function "${MODULES[i]}_provide" ; then
+			PROVIDES[i]=$(${MODULES[i]}_provide)
+		else
+			PROVIDES[i]="${MODULES[i]}"
+		fi
+	done
+
+	if [[ -n ${modules_force[@]} ]] ; then
+		# Strip any duplicate modules providing the same thing
+		j="${#MODULES[@]}"
+		for (( i=0; i<j-1; i++ )); do
+			[[ -z ${MODULES[i]} ]] && continue
+			for (( k=i+1; k<j; k++ )); do
+				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
+					unset MODULES[k]
+					unset PROVIDES[k]
+				fi
+			done
+		done
+		MODULES=( "${MODULES[@]}" )
+		PROVIDES=( "${PROVIDES[@]}" )
+	else
+		if ${starting}; then
+			modules_check_user "${iface}" || return 1
+		else
+			# Always prefer iproute2 for taking down interfaces
+			if is_function iproute2_provide ; then
+				function_wrap iproute2 "$(iproute2_provide)"
+			fi
+		fi
+	fi
+	
+	# Wrap our modules
+	j="${#MODULES[@]}"
+	for (( i=0; i<j; i++ )); do
+		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
+	done
+	j="${#WRAP_MODULES[@]}"
+	for (( i=0; i<j; i++ )); do
+		function_wrap ${WRAP_MODULES[i]}
+	done
+	
+	if [[ -z ${modules_force[@]} ]] ; then
+		modules_check_installed || return 1
+		modules_sort || return 1
+	fi
+
+	veinfo "modules: ${MODULES[@]}"
+	eindent
+
+	${starting} && p=true
+	modules_check_depends "${p}" || return 1
+	return 0
+}
+
+# bool iface_start(char *interface)
+#
+# iface_start is called from start.  It's expected to start the base
+# interface (for example "eth0"), aliases (for example "eth0:1") and to start
+# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
+# calling itself recursively.
+iface_start() {
+	local iface="$1" mod config_counter="-1" x config_worked=false
+	local RC_INDENTATION="${RC_INDENTATION}"
+	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
+	local ifvar=$(bash_variable "$1") i= j= metric=0
+
+	# pre Start any modules with
+	for mod in ${MODULES[@]}; do
+		if is_function "${mod}_pre_start" ; then
+			${mod}_pre_start "${iface}" || { eend 1; return 1; }
+		fi
+	done
+
+	x="metric_${ifvar}"
+	# If we don't have a metric then calculate one
+	# Our modules will set the metric variable to a suitable base
+	# in their pre starts.
+	if [[ -z ${!x} ]] ; then
+		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
+	fi
+
+	# We now expand the configuration parameters and pray that the
+	# fallbacks expand to the same number as config or there will be
+	# trouble!
+	a="config_${ifvar}[@]"
+	a=( "${!a}" )
+	for (( i=0; i<${#a[@]}; i++ )); do 
+		eval b=( $(expand_parameters "${a[i]}") )
+		config=( "${config[@]}" "${b[@]}" )
+	done
+
+	a="fallback_${ifvar}[@]"
+	a=( "${!a}" )
+	for (( i=0; i<${#a[@]}; i++ )); do 
+		eval b=( $(expand_parameters "${a[i]}") )
+		fallback=( "${fallback[@]}" "${b[@]}" )
+	done
+
+	# We don't expand routes
+	fallback_route="fallback_route_${ifvar}[@]"
+	fallback_route=( "${!fallback_route}" )
+	
+	# We must support old configs
+	if [[ -z ${config} ]] ; then
+		interface_get_old_config "${iface}" || return 1
+		if [[ -n ${config} ]] ; then
+			ewarn "You are using a deprecated configuration syntax for ${iface}"
+			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
+		fi
+	fi
+
+	# Handle "noop" correctly
+	if [[ ${config[0]} == "noop" ]] ; then
+		if interface_is_up "${iface}" true ; then
+			einfo "Keeping current configuration for ${iface}"
+			eend 0
+			return 0
+		fi
+
+		# Remove noop from the config var
+		config=( "${config[@]:1}" )
+	fi
+
+	# Provide a default of DHCP if no configuration is set and we're auto
+	# Otherwise a default of NULL
+	if [[ -z ${config} ]] ; then
+		ewarn "Configuration not set for ${iface} - assuming DHCP"
+		if is_function "dhcp_start" ; then
+			config=( "dhcp" )
+		else
+			eerror "No DHCP client installed"
+			return 1
+		fi
+	fi
+
+	einfo "Bringing up ${iface}"
+	eindent
+	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
+		# Handle null and noop correctly
+		if [[ ${config[config_counter]} == "null" \
+			|| ${config[config_counter]} == "noop" ]] ; then
+			eend 0
+			config_worked=true
+			continue
+		fi
+
+		# We convert it to an array - this has the added
+		# bonus of trimming spaces!
+		conf=( ${config[config_counter]} )
+		einfo "${conf[0]}"
+
+		# Do we have a function for our config?
+		if is_function "${conf[0]}_start" ; then
+			eindent
+			${conf[0]}_start "${iface}" ; x=$?
+			eoutdent
+			[[ ${x} == 0 ]] && config_worked=true && continue
+			# We need to test to see if it's an IP address or a function
+			# We do this by testing if the 1st character is a digit
+		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
+			x="0"
+			if ! is_loopback "${iface}" ; then
+				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
+					if arping_address_exists "${iface}" "${conf[0]}" ; then
+						eerror "${conf[0]%%/*} already taken on ${iface}"
+						x="1"
+					fi
+				fi
+			fi
+			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
+			eend "${x}" && config_worked=true && continue
+		else
+			if [[ ${conf[0]} == "dhcp" ]] ; then
+				eerror "No DHCP client installed"
+			else
+				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
+			fi
+		fi
+
+		if [[ -n ${fallback[config_counter]} ]] ; then
+			einfo "Trying fallback configuration"
+			config[config_counter]="${fallback[config_counter]}"
+			fallback[config_counter]=""
+
+			# Do we have a fallback route?
+			if [[ -n ${fallback_route[config_counter]} ]] ; then
+				x="fallback_route[config_counter]"
+				eval "routes_${ifvar}=( \"\${!x}\" )"
+				fallback_route[config_counter]=""
+			fi
+
+			(( config_counter-- )) # since the loop will increment it
+			continue
+		fi
+	done
+	eoutdent
+
+	# We return failure if no configuration parameters worked
+	${config_worked} || return 1
+
+	# Start any modules with _post_start
+	for mod in ${MODULES[@]}; do
+		if is_function "${mod}_post_start" ; then
+			${mod}_post_start "${iface}" || return 1
+		fi
+	done
+
+	return 0
+}
+
+# bool iface_stop(char *interface)
+#
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local iface="$1" i= aliases= need_begin=false mod=
+	local RC_INDENTATION="${RC_INDENTATION}"
+
+	# pre Stop any modules
+	for mod in ${MODULES[@]}; do
+		if is_function "${mod}_pre_stop" ; then
+			${mod}_pre_stop "${iface}" || return 1
+		fi
+	done
+
+	einfo "Bringing down ${iface}"
+	eindent
+
+	# Collect list of aliases for this interface.
+	# List will be in reverse order.
+	if interface_exists "${iface}" ; then
+		aliases=$(interface_get_aliases_rev "${iface}")
+	fi
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${iface}; do
+		# Stop all our modules
+		for mod in ${MODULES[@]}; do
+			if is_function "${mod}_stop" ; then
+				${mod}_stop "${i}" || return 1
+			fi
+		done
+
+		# A module may have removed the interface
+		if ! interface_exists "${iface}" ; then
+			eend 0
+			continue
+		fi
+
+		# We don't delete ppp assigned addresses
+		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
+			# Delete all the addresses for this alias
+			interface_del_addresses "${i}"
+		fi
+
+		# Do final shut down of this alias
+		if [[ ${IN_BACKGROUND} != "true" \
+			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
+			ebegin "Shutting down ${i}"
+			interface_iface_stop "${i}"
+			eend "$?"
+		fi
+	done
+
+	# post Stop any modules
+	for mod in ${MODULES[@]}; do
+		# We have already taken down the interface, so no need to error
+		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
+	done
+
+	return 0
+}
+
+# bool run_start(char *iface)
+#
+# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
+# Returns 0 (success) unless preup or iface_start returns 1 (failure).
+# Ignores the return value from postup.
+# We cannot check that the device exists ourselves as modules like
+# tuntap make create it.
+run_start() {
+	local iface="$1" IFVAR=$(bash_variable "$1")
+
+	# We do this so users can specify additional addresses for lo if they
+	# need too - additional routes too
+	# However, no extra modules are loaded as they are just not needed
+	if [[ ${iface} == "lo" ]] ; then
+		metric_lo="0"
+		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
+		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
+	elif [[ ${iface} == "lo0" ]] ; then
+		metric_lo0="0"
+		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
+		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
+	fi
+
+	# We may not have a loaded module for ${iface}
+	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
+	# so we can work with this
+	# However, if they do the same with eth1 and try to start it
+	# but eth0 has not been loaded then the module gets loaded as
+	# eth0.
+	# Not much we can do about this :(
+	# Also, we cannot error here as some modules - such as bridge
+	# create interfaces
+	if ! interface_exists "${iface}" ; then
+		/sbin/modprobe "${iface}" &>/dev/null
+	fi
+
+	# Call user-defined preup function if it exists
+	if is_function preup ; then
+		einfo "Running preup function"
+		eindent
+		( preup "${iface}" )
+		eend "$?" "preup ${iface} failed" || return 1
+		eoutdent
+	fi
+
+	# If config is set to noop and the interface is up with an address
+	# then we don't start it
+	local config=
+	config="config_${IFVAR}[@]"
+	config=( "${!config}" )
+	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
+		einfo "Keeping current configuration for ${iface}"
+		eend 0
+	else
+		# Remove noop from the config var
+		[[ ${config[0]} == "noop" ]] \
+			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
+
+		# There may be existing ip address info - so we strip it
+		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
+			&& ${IN_BACKGROUND} != "true" ]] ; then
+			interface_del_addresses "${iface}"
+		fi
+
+		# Start the interface
+		if ! iface_start "${iface}" ; then
+			if [[ ${IN_BACKGROUND} != "true" ]] ; then
+				interface_exists "${iface}" && interface_down "${iface}"
+			fi
+			eend 1
+			return 1
+		fi
+	fi
+
+	# Call user-defined postup function if it exists
+	if is_function postup ; then
+		# We need to mark the service as started incase a
+		# postdown function wants to restart services that depend on us
+		mark_service_started "net.${iface}"
+		end_service "net.${iface}" 0
+		einfo "Running postup function"
+		eindent
+		( postup "${iface}" )
+		eoutdent
+	fi
+
+	return 0
+}
+
+# bool run_stop(char *iface) {
+#
+# Brings down ${iface}.  If predown call returns non-zero, then
+# stop returns non-zero to indicate failure bringing down device.
+# In all other cases stop returns 0 to indicate success.
+run_stop() {
+	local iface="$1" IFVAR=$(bash_variable "$1") x
+
+	# Load our ESSID variable so users can use it in predown() instead
+	# of having to write code.
+	local ESSID=$(get_options ESSID) ESSIDVAR=
+	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
+
+	# Call user-defined predown function if it exists
+	if is_function predown ; then
+		einfo "Running predown function"
+		eindent
+		( predown "${iface}" )
+		eend $? "predown ${iface} failed" || return 1
+		eoutdent
+	elif is_net_fs / ; then
+		eerror "root filesystem is network mounted -- can't stop ${iface}"
+		return 1
+	elif is_union_fs / ; then
+		for x in $(unionctl "${dir}" --list \
+		| sed -e 's/^\(.*\) .*/\1/') ; do
+			if is_net_fs "${x}" ; then
+				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
+				return 1
+			fi
+		done
+	fi
+
+	iface_stop "${iface}" || return 1  # always succeeds, btw
+
+	# Release resolv.conf information.
+	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
+	
+	# Mark us as inactive if called from the background
+	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
+
+	# Call user-defined postdown function if it exists
+	if is_function postdown ; then
+		# We need to mark the service as stopped incase a
+		# postdown function wants to restart services that depend on us
+		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
+		end_service "net.${iface}" 0
+		einfo "Running postdown function"
+		eindent
+		( postdown "${iface}" )
+		eoutdent
+	fi
+
+
+	return 0
+}
+
+# bool run(char *iface, char *cmd)
+#
+# Main start/stop entry point
+# We load modules here and remove any functions that they
+# added as we may be called inside the same shell scope for another interface
+run() {
+	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
+	local starting=true
+	local -a MODULES=() mods=()
+	local IN_BACKGROUND="${IN_BACKGROUND}"
+
+	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
+		IN_BACKGROUND=true
+	else
+		IN_BACKGROUND=false
+	fi
+
+	# We need to override the exit function as runscript.sh now checks
+	# for it. We need it so we can mark the service as inactive ourselves.
+	unset -f exit
+
+	eindent
+	[[ ${cmd} == "stop" ]] && starting=false
+
+	# We force lo to only use these modules for a major speed boost
+	if is_loopback "${iface}" ; then	
+		modules_force=( "iproute2" "ifconfig" "system" )
+	fi
+
+	if modules_load "${iface}" "${starting}" ; then
+		if [[ ${cmd} == "stop" ]] ; then
+			# Reverse the module list for stopping
+			mods=( "${MODULES[@]}" )
+			for ((i = 0; i < ${#mods[@]}; i++)); do
+				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
+			done
+
+			run_stop "${iface}" && r=0
+		else
+			# Only hotplug on ethernet interfaces
+			if [[ ${IN_HOTPLUG} == 1 ]] ; then
+				if ! interface_is_ethernet "${iface}" ; then
+					eerror "We only hotplug for ethernet interfaces"
+					return 1
+				fi
+			fi
+
+			run_start "${iface}" && r=0
+		fi
+	fi
+
+	if [[ ${r} != "0" ]] ; then
+		if [[ ${cmd} == "start" ]] ; then
+			# Call user-defined failup if it exists
+			if is_function failup ; then
+				einfo "Running failup function"
+				eindent
+				( failup "${iface}" )
+				eoutdent
+			fi
+		else
+			# Call user-defined faildown if it exists
+			if is_function faildown ; then
+				einfo "Running faildown function"
+				eindent
+				( faildown "${iface}" )
+				eoutdent
+			fi
+		fi
+		[[ ${IN_BACKGROUND} == "true" ]] \
+			&& mark_service_inactive "net.${iface}"
+	fi
+
+	return "${r}"
+}
+
+# bool start(void)
+#
+# Start entry point so that we only have one function
+# which localises variables and unsets functions
+start() {
+	declare -r IFACE="${SVCNAME#*.}"
+	einfo "Starting ${IFACE}"
+	run "${IFACE}" start
+}
+
+# bool stop(void)
+#
+# Stop entry point so that we only have one function
+# which localises variables and unsets functions
+stop() {
+	declare -r IFACE="${SVCNAME#*.}"
+	einfo "Stopping ${IFACE}"
+	run "${IFACE}" stop
+}
+
+# vim:ts=4
diff --git a/testing/hosts/carol/etc/init.d/iptables b/testing/hosts/carol/etc/init.d/iptables
index cd7ba23ff..6ff11a424 100755
--- a/testing/hosts/carol/etc/init.d/iptables
+++ b/testing/hosts/carol/etc/init.d/iptables
@@ -25,6 +25,10 @@ start() {
 	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
 	# allow crl fetch from winnetou
 	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
diff --git a/testing/hosts/carol/etc/ipsec.conf b/testing/hosts/carol/etc/ipsec.conf
index 6f1097e9e..af5c71b32 100755
--- a/testing/hosts/carol/etc/ipsec.conf
+++ b/testing/hosts/carol/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/hosts/dave/etc/init.d/iptables b/testing/hosts/dave/etc/init.d/iptables
index cd7ba23ff..6ff11a424 100755
--- a/testing/hosts/dave/etc/init.d/iptables
+++ b/testing/hosts/dave/etc/init.d/iptables
@@ -25,6 +25,10 @@ start() {
 	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
 	# allow crl fetch from winnetou
 	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
diff --git a/testing/hosts/default/etc/hosts b/testing/hosts/default/etc/hosts
index 25c18ad5e..7d343d857 100644
--- a/testing/hosts/default/etc/hosts
+++ b/testing/hosts/default/etc/hosts
@@ -16,6 +16,7 @@
 10.1.0.20	venus.strongswan.org	venus
 10.1.0.1	moon1.strongswan.org	moon1
 192.168.0.1	moon.strongswan.org	moon
+192.168.0.50	alice1.strongswan.org	alice1
 192.168.0.100	carol.strongswan.org	carol
 10.3.0.1	carol1.strongswan.org	carol1
 192.168.0.150	winnetou.strongswan.org	winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
@@ -41,6 +42,7 @@ ff02::1:ff00:15	ip6-mcast-15
 ff02::1:ff00:20	ip6-mcast-20
 
 # IPv6 site-local addresses
+fec0::5		ip6-alice1.strongswan.org   ip6-alice1
 fec1::10	ip6-alice.strongswan.org    ip6-alice
 fec1::20	ip6-venus.strongswan.org    ip6-venus
 fec1::1 	ip6-moon1.strongswan.org    ip6-moon1
diff --git a/testing/hosts/moon/etc/init.d/iptables b/testing/hosts/moon/etc/init.d/iptables
index 7f46267c2..f5fa80b26 100755
--- a/testing/hosts/moon/etc/init.d/iptables
+++ b/testing/hosts/moon/etc/init.d/iptables
@@ -28,6 +28,10 @@ start() {
 	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
 	# allow crl fetch from winnetou
 	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
diff --git a/testing/hosts/moon/etc/ipsec.conf b/testing/hosts/moon/etc/ipsec.conf
index b26f81911..9512fb7e5 100755
--- a/testing/hosts/moon/etc/ipsec.conf
+++ b/testing/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/scripts/build-hostconfig b/testing/scripts/build-hostconfig
index 1dd268719..0c2afd2c2 100755
--- a/testing/scripts/build-hostconfig
+++ b/testing/scripts/build-hostconfig
@@ -83,8 +83,12 @@ do
         searchandreplace PH_IP6_SUN  $ipv6_sun  $HOSTCONFIGDIR
         ;;
     alice)
-        searchandreplace PH_IP_ALICE  $ipv4_alice $HOSTCONFIGDIR
-        searchandreplace PH_IP6_ALICE $ipv6_alice $HOSTCONFIGDIR
+        eval ipv4_alice1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        searchandreplace PH_IP_ALICE1 $ipv4_alice1 $HOSTCONFIGDIR
+        searchandreplace PH_IP_ALICE  $ipv4_alice  $HOSTCONFIGDIR
+        eval ipv6_alice1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        searchandreplace PH_IP6_ALICE1 $ipv6_alice1 $HOSTCONFIGDIR
+        searchandreplace PH_IP6_ALICE  $ipv6_alice  $HOSTCONFIGDIR
         ;;
     venus)
         searchandreplace PH_IP_VENUS  $ipv4_venus $HOSTCONFIGDIR
diff --git a/testing/scripts/start-switches b/testing/scripts/start-switches
index c9cafafc1..aab82b8ff 100755
--- a/testing/scripts/start-switches
+++ b/testing/scripts/start-switches
@@ -31,7 +31,7 @@ do
 	cecho " * Great, umlswitch$n is already running!"
     else
 	cecho-n " * Starting umlswitch$n.."
-	uml_switch -tap tap$n -unix /tmp/umlswitch$n >/dev/null </dev/null &
+	uml_switch -tap tap$n -unix /tmp/umlswitch$n >/dev/null 2>&1 </dev/null &
 	sleep 2
 	eval ifconfig "tap$n \$IFCONFIG_$n up"
 	cecho "\033[1;32mdone"
diff --git a/testing/testing.conf b/testing/testing.conf
index 85807d0a6..8c97cc3a4 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -17,11 +17,11 @@
 # RCSID $Id: testing.conf,v 1.52 2006/04/24 16:58:03 as Exp $
 
 # Root directory of testing
-UMLTESTDIR=/home/strongswan-testing
+UMLTESTDIR=~/strongswan-testing
 
 # Bzipped kernel sources
 # (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.21.1.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.21.5.tar.bz2
 
 # Extract kernel version
 KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
@@ -30,10 +30,11 @@ KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
 KERNELCONFIG=$UMLTESTDIR/.config-2.6.21
 
 # Bzipped uml patch for kernel
-UMLPATCH=$UMLTESTDIR/uml_jmpbuf-2.6.18.patch.bz2
+# (not needed anymore for 2.6.9 kernel or higher)
+#UMLPATCH=$UMLTESTDIR/uml_jmpbuf-2.6.18.patch.bz2
 
 # Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.1.3.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.1.4.tar.bz2
 
 # strongSwan compile options (use "yes" or "no")
 USE_LIBCURL="yes"
@@ -41,7 +42,7 @@ USE_LDAP="yes"
 USE_LEAK_DETECTIVE="no"
 
 # Gentoo linux root filesystem
-ROOTFS=$UMLTESTDIR/gentoo-fs-20061006.tar.bz2
+ROOTFS=$UMLTESTDIR/gentoo-fs-20070702.tar.bz2
 
 # Size of the finished root filesystem in MB
 ROOTFSSIZE=544
@@ -55,7 +56,7 @@ MEM=96
 BUILDDIR=$UMLTESTDIR/umlbuild
 
 # Filename of the built UML Kernel
-UMLKERNEL=$UMLTESTDIR/linux
+UMLKERNEL=$BUILDDIR/linux-uml-$KERNELVERSION
 
 # Directory where test results will be stored
 TESTRESULTSDIR=$UMLTESTDIR/testresults
@@ -72,22 +73,22 @@ TZUML="Europe/Zurich"
 # Enable particular steps in the make-testing and
 # start-testing scripts
 #
-ENABLE_BUILD_UMLKERNEL="no"
+ENABLE_BUILD_UMLKERNEL="yes"
 ENABLE_BUILD_SSHKEYS="yes"
 ENABLE_BUILD_HOSTCONFIG="yes"
 ENABLE_BUILD_UMLROOTFS="yes"
 ENABLE_BUILD_UMLHOSTFS="yes"
-ENABLE_START_TESTING="no"
-ENABLE_DO_TESTS="no"
+ENABLE_START_TESTING="yes"
+ENABLE_DO_TESTS="yes"
 ENABLE_STOP_TESTING="no"
 
 ##############################################################
 # How to start the UMLs?
 #
 # Start the UML instance in KDE konsole (requires KDE)
-#UMLSTARTMODE="gnome-terminal"
+UMLSTARTMODE="konsole"
 # Start the UML instance in an xterm (requires X11R6)
-UMLSTARTMODE="xterm"
+# UMLSTARTMODE="xterm"
 # Start the UML instance without a terminal window
 # but screen -r <host> can open a window anytime
 # UMLSTARTMODE="screen"
@@ -100,7 +101,7 @@ SELECTEDTESTSONLY="no"
 
 # Tests to do if $SELECTEDTESTSONLY is set "yes".
 #
-SELECTEDTESTS="ikev2-net2net ikev2-rw"
+SELECTEDTESTS="ikev2/rw-cert"
 
 ##############################################################
 # hostname and corresponding IPv4 and IPv6 addresses
@@ -109,7 +110,7 @@ SELECTEDTESTS="ikev2-net2net ikev2-rw"
 # Also don't use IPs ending with 254, they are reserved!
 #
 HOSTNAMEIPV4="\
-alice,10.1.0.10 \
+alice,10.1.0.10,192.168.0.50 \
 venus,10.1.0.20 \
 moon,192.168.0.1,10.1.0.1 \
 carol,192.168.0.100,10.3.0.1 \
@@ -119,7 +120,7 @@ sun,192.168.0.2,10.2.0.1 \
 bob,10.2.0.10"
 
 HOSTNAMEIPV6="\
-alice,fec1::10 \
+alice,fec1::10,fec0::5 \
 venus,fec1::20 \
 moon,fec0::1,fec1::1 \
 carol,fec0::10,fec3::1 \
@@ -153,7 +154,8 @@ IFCONFIG_2="10.2.0.254 netmask 255.255.0.0"
 ##############################################################
 # Network interfaces of the UML instances
 #
-SWITCH_alice="eth0=daemon,fe:fd:0a:01:00:0a,unix,/tmp/umlswitch1"
+SWITCH_alice="eth0=daemon,fe:fd:0a:01:00:0a,unix,/tmp/umlswitch1 \
+              eth1=daemon,fe:fd:c0:a8:00:32,unix,/tmp/umlswitch0"
 SWITCH_venus="eth0=daemon,fe:fd:0a:01:00:14,unix,/tmp/umlswitch1"
 SWITCH_moon="eth0=daemon,fe:fd:c0:a8:00:01,unix,/tmp/umlswitch0 \
              eth1=daemon,fe:fd:0a:01:00:01,unix,/tmp/umlswitch1"
@@ -163,7 +165,3 @@ SWITCH_dave="eth0=daemon,fe:fd:c0:a8:00:c8,unix,/tmp/umlswitch0"
 SWITCH_sun="eth0=daemon,fe:fd:c0:a8:00:02,unix,/tmp/umlswitch0 \
             eth1=daemon,fe:fd:0a:02:00:01,unix,/tmp/umlswitch2"
 SWITCH_bob="eth0=daemon,fe:fd:0a:02:00:0a,unix,/tmp/umlswitch2"
-
-
-
-
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
index 5d78605e9..a42c7a5bd 100755
--- a/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
index 841a67491..340b1a176 100755
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf
index b72a3e939..57c41b521 100755
--- a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf
@@ -8,7 +8,6 @@ conn %default
 	ikelifetime=60m
 	keylife=20m
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
index 04d5b977b..175349c41 100755
--- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
@@ -13,9 +13,9 @@ conn %default
 	keyingtries=1
 	ike=blowfish256-sha2_512-modp4096!
 	esp=blowfish256-sha2_256!
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
index 80163ffcd..89dbee0af 100755
--- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=blowfish256-sha2_512-modp4096!
 	esp=blowfish256-sha2_256!
 
diff --git a/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
index 09cd583b4..b050f022a 100755
--- a/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
@@ -13,9 +13,9 @@ conn %default
 	keyingtries=1
 	ike=serpent256-sha2_512-modp4096!
 	esp=serpent256-sha2_256!
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
index ca1eb7b19..75830f043 100755
--- a/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=serpent256-sha2_512-modp4096!
 	esp=serpent256-sha2_256!
 
diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf
index 7c1ee3bb5..40d31c0ac 100755
--- a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf
index 7d00b538f..1461f7933 100755
--- a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=aes128-sha1-modp1536!
 	esp=aes128-sha!
 
diff --git a/testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf
index b10fb08b9..0c5980ed3 100755
--- a/testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf
@@ -13,9 +13,9 @@ conn %default
 	keyingtries=1
 	ike=aes128-sha2_256-modp1536!
 	esp=aes128-sha2_256!
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf
index de832729b..1770e5313 100755
--- a/testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=aes128-sha2_256-modp1536!
 	esp=aes128-sha2_256!
 
diff --git a/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
index 95ddeb2b8..71ed47519 100755
--- a/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
@@ -13,9 +13,9 @@ conn %default
 	keyingtries=1
 	ike=twofish256-sha2_512-modp4096!
 	esp=twofish256-sha2_256!
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
index 2d7904563..ba739f887 100755
--- a/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=twofish256-sha2_512-modp4096!
 	esp=twofish256-sha2_256!
 
diff --git a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
index eae669641..cdd6929ff 100755
--- a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
index 989784124..285dc7234 100755
--- a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
index 6c16db587..a0250f597 100755
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
index abf3049d8..45118094b 100755
--- a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
index 855718f5d..a370ca458 100755
--- a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	compress=yes
 
 conn rw
diff --git a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
index 59cbe67ba..98e7df65f 100755
--- a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
index 9a2efb73d..25906e890 100755
--- a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
index 40e32f14a..1bc6cf4fb 100755
--- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
@@ -20,7 +20,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
index eaaaa3f42..fdfff13f0 100755
--- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
@@ -18,7 +18,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
index 6b4650fb8..e0c758e74 100755
--- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolRevokedCert.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
index 143bace9a..d3603b7aa 100755
--- a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
index 93bd80758..d240302b6 100755
--- a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
index 143bace9a..d3603b7aa 100755
--- a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
index e64a8fb5a..6c2de2e1e 100755
--- a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
index 666fc0698..8d07e42ba 100755
--- a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
index 0ec9d47ed..307d0b6b4 100755
--- a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=selfCert.der
 	leftsendcert=never
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
index ed1b40549..ce7afbaf3 100755
--- a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn carol
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=selfCert.der
 	leftsendcert=never
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
index 281293545..a50275d98 100755
--- a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	dpdaction=clear
 	dpddelay=10
 	dpdtimeout=30
diff --git a/testing/tests/ikev1/dynamic-initiator/description.txt b/testing/tests/ikev1/dynamic-initiator/description.txt
new file mode 100644
index 000000000..319ed631d
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/description.txt
@@ -0,0 +1,12 @@
+The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
+is defined symbolically by <b>right=&lt;hostname&gt;</b>. The ipsec starter resolves the
+fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
+/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
+<b>rightallowany=yes</b> will allow an IKE main mode rekeying to arrive from an arbitrary
+IP address under the condition that the peer identity remains unchanged. When this happens
+the old tunnel is replaced by an IPsec connection to the new origin.
+<p>
+In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some time <b>carol</b>
+suddenly changes her IP address and restarts the connection to <b>moon</b> without deleting the
+old tunnel first (simulated by iptables blocking IKE packets to and from
+<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity). 
diff --git a/testing/tests/ikev1/dynamic-initiator/evaltest.dat b/testing/tests/ikev1/dynamic-initiator/evaltest.dat
new file mode 100644
index 000000000..3105ae38c
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/evaltest.dat
@@ -0,0 +1,8 @@
+carol::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
+dave::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::PH_IP_CAROL.*IPsec SA established::YES
+moon::cat /var/log/auth.log::PH_IP_DAVE.*deleting connection.*with peer PH_IP_CAROL::YES 
+moon::cat /var/log/auth.log::PH_IP_DAVE.*IPsec SA established::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..ba6f7bfe9
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn moon 
+	left=%defaultroute
+	leftsourceip=PH_IP_CAROL1
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=moon.strongswan.org
+	rightallowany=yes
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..ba6f7bfe9
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn moon 
+	left=%defaultroute
+	leftsourceip=PH_IP_CAROL1
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=moon.strongswan.org
+	rightallowany=yes
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..8492fbd45
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX
+T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl
+vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii
+S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW
+LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM
+YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD
+j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI
+U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM
+2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE
+HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd
+hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG
+C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK
+omBYfxqp
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..5a41744f6
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,1E1991A43D0778B7
+
+MAsd1YBlHz54KjvBvhpwDBewinBkxBo/NmdsMetLIcV8Ag87YcKtTXYju+fbW21y
+DI12iPDQeS9tk17tS8qE5ubWmx/8n0fa5VCdLZ06JK6eeASXNoomXZh5rGsd42It
+sj0irWAnbIA3nFFWQl+Uz5pGZMse7aDSNyk1zs3xtywFIaditYIBsRhrTVmJ/bCK
+waVr++S2pwUHJ/phKoZQ8pwgF5KtYOZxdNtYIzfOZNMoplESR3+WYBYSuW8BKuOc
+QAign/BL2JVJLD4OpHQ68D8Su2sbh6ZYA5jslZLDgG9O7eiMbkCE+N8DmKO6wNAr
+zB5ILb4u5dIyTqun32tOENEhpZqDdMQtZZ34fRBze4IoMx9LrEOAHdZAQyyERP80
+iJCnH8BNf6FerA+XeDs4LVd1yrCklXKFINatqSRP/tNY3kruKw2Q7cAi2AFf+Rv6
+1lrvwK4MiLSHFtzcgEJuxm2bxeceIwXLJ2AVlfLBJvK/yJlq0MPedFbl6E6UwKfw
+cMLokF3sa1XrfwpJ93enGLqdpJrkR3dTzrsshjIhjQqfc8lqLwRlbMGc9u+V0ZsK
+OJ8e26wc/4l5D7CQ1vmgT/R/tuydBtUskgH96anhNJj1M95odkoh4Zicmm5iLgy2
+kluVYiEk0Fs7hc5Qtv8ZLN7ZoBRvZfJZWhXHDXmh71g1aoVYacIkFwiTMX4NoDy5
+QVq9tFUZ1TW4VrNIzfq++rLoz4XlgVy0Yz8jNWKuB0KRuHPNSsQUY2NHkDX+wOjq
+MP1SfNDxqPoqrmCqbgMw/9DmeOj9gyiTyjZhPZTxFOp67FYEYzYtR6bLQKEhdgf6
+iOVROZyrFHMZdBiUgV8GECds1th6ZYWmNRGdvxYjSjExIYgkDrcWbowTqD0bFC9b
+zClaSqrxR6GHUzbUVOBuCP+RmUx4j6gPvMRLUcIn5RmpbGtPE0ixeB5sFB0IuRRW
+6u2YToCiuq3EG1iJRmxjnBa/zj1aBO6OlsE/aPc0Sx+Jhm+MUbDioxUAriX96bJ+
+DEB4zgDhC0vIvkkUVAzQMkWPX479nPDmiZLpMqUIfqUh75WDpHbCladyGMgSkEo0
+IKq96oAWHJC8WLH0UMxMNuf8Ut+TsSpIO6G0RPl/cx3+hQqSUC5oUB7R3ZAWYx+6
+mawjkNJEx72yeJmQtGiZYEfeMt0Svm10PypMXFu0+2JjiS2eRj2K1yqrUnuL6AnY
+GYYmTmR74dnVAd35bRYJjY1XHGC9MyqBn4jLqKZm1BKO3sFsctGDy6vybnvAgPD7
+LioGQHPiOZmQe9Q5mMLedE9NAUCzlR8BHRbWtlnajQWcC0JcVu/mBQsjOt/KHh/V
+CY4aFXE56lRH2OpqZQxFpBFOSFDcuVX+zcEBGmKfk65n2MFL4McAJUhVRZL561Zx
+r9BvILv1Ld6/hECbodq0sUqvbDYHzv25zxAVKSIk1xy85mP5aNbk8xuGHmm860wg
+YOqdePwBEcDHoio+ov/uFYB7+4gt40vV90EzSiyfdq8x9RFMViJU430IkIBcvByo
+tFFcbN8ucBozxtl4AX495GVSRI7V0XXBtEdOIwJIzPBylZOHxCuTnA==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..6a2aea811
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2658293ac
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=%defaultroute
+	leftsubnet=10.1.0.0/16
+	leftsourceip=PH_IP_MOON1
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+
+conn carol
+	right=carol.strongswan.org
+	rightallowany=yes
+	rightid=carol@strongswan.org
+	rightsubnet=PH_IP_CAROL1/32
+	auto=add
diff --git a/testing/tests/ikev1/dynamic-initiator/posttest.dat b/testing/tests/ikev1/dynamic-initiator/posttest.dat
new file mode 100644
index 000000000..c30a35edd
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/posttest.dat
@@ -0,0 +1,11 @@
+dave::ipsec stop
+carol::ipsec stop
+dave::sleep 1
+moon::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::rm /etc/ipsec.d/certs/*
+dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/dynamic-initiator/pretest.dat b/testing/tests/ikev1/dynamic-initiator/pretest.dat
new file mode 100644
index 000000000..acb432172
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/pretest.dat
@@ -0,0 +1,13 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up moon
+carol::sleep 1
+carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+dave::ipsec up moon
+dave::sleep 1
diff --git a/testing/tests/ikev1/dynamic-initiator/test.conf b/testing/tests/ikev1/dynamic-initiator/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/dynamic-responder/description.txt b/testing/tests/ikev1/dynamic-responder/description.txt
new file mode 100644
index 000000000..76471a973
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/description.txt
@@ -0,0 +1,13 @@
+The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
+is defined symbolically by <b>right=&lt;hostname&gt;</b>. The ipsec starter resolves the
+fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
+/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
+<b>rightallowany=yes</b> will allow an IKE main mode rekeying to arrive from an arbitrary
+IP address under the condition that the peer identity remains unchanged. When this happens
+the old tunnel is replaced by an IPsec connection to the new origin.
+<p>
+In this scenario <b>moon</b> first initiates a tunnel to <b>carol</b>. After some time
+the responder <b>carol</b> suddenly changes her IP address and restarts the connection to
+<b>moon</b> without deleting the old tunnel first (simulated by iptables blocking IKE packets
+to and from <b>carol</b> and starting the connection from host <b>dave</b> using
+<b>carol</b>'s identity). 
diff --git a/testing/tests/ikev1/dynamic-responder/evaltest.dat b/testing/tests/ikev1/dynamic-responder/evaltest.dat
new file mode 100644
index 000000000..391afaa42
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/evaltest.dat
@@ -0,0 +1,8 @@
+carol::ipsec status::moon.*STATE_QUICK_R2.*IPsec SA established::YES
+dave::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::PH_IP_CAROL.*IPsec SA established::YES
+moon::cat /var/log/auth.log::PH_IP_DAVE.*deleting connection.*with peer PH_IP_CAROL::YES 
+moon::cat /var/log/auth.log::PH_IP_DAVE.*IPsec SA established::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..ba6f7bfe9
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn moon 
+	left=%defaultroute
+	leftsourceip=PH_IP_CAROL1
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=moon.strongswan.org
+	rightallowany=yes
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..ba6f7bfe9
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn moon 
+	left=%defaultroute
+	leftsourceip=PH_IP_CAROL1
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=moon.strongswan.org
+	rightallowany=yes
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..8492fbd45
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX
+T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl
+vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii
+S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW
+LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM
+YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD
+j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI
+U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM
+2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE
+HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd
+hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG
+C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK
+omBYfxqp
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..5a41744f6
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,1E1991A43D0778B7
+
+MAsd1YBlHz54KjvBvhpwDBewinBkxBo/NmdsMetLIcV8Ag87YcKtTXYju+fbW21y
+DI12iPDQeS9tk17tS8qE5ubWmx/8n0fa5VCdLZ06JK6eeASXNoomXZh5rGsd42It
+sj0irWAnbIA3nFFWQl+Uz5pGZMse7aDSNyk1zs3xtywFIaditYIBsRhrTVmJ/bCK
+waVr++S2pwUHJ/phKoZQ8pwgF5KtYOZxdNtYIzfOZNMoplESR3+WYBYSuW8BKuOc
+QAign/BL2JVJLD4OpHQ68D8Su2sbh6ZYA5jslZLDgG9O7eiMbkCE+N8DmKO6wNAr
+zB5ILb4u5dIyTqun32tOENEhpZqDdMQtZZ34fRBze4IoMx9LrEOAHdZAQyyERP80
+iJCnH8BNf6FerA+XeDs4LVd1yrCklXKFINatqSRP/tNY3kruKw2Q7cAi2AFf+Rv6
+1lrvwK4MiLSHFtzcgEJuxm2bxeceIwXLJ2AVlfLBJvK/yJlq0MPedFbl6E6UwKfw
+cMLokF3sa1XrfwpJ93enGLqdpJrkR3dTzrsshjIhjQqfc8lqLwRlbMGc9u+V0ZsK
+OJ8e26wc/4l5D7CQ1vmgT/R/tuydBtUskgH96anhNJj1M95odkoh4Zicmm5iLgy2
+kluVYiEk0Fs7hc5Qtv8ZLN7ZoBRvZfJZWhXHDXmh71g1aoVYacIkFwiTMX4NoDy5
+QVq9tFUZ1TW4VrNIzfq++rLoz4XlgVy0Yz8jNWKuB0KRuHPNSsQUY2NHkDX+wOjq
+MP1SfNDxqPoqrmCqbgMw/9DmeOj9gyiTyjZhPZTxFOp67FYEYzYtR6bLQKEhdgf6
+iOVROZyrFHMZdBiUgV8GECds1th6ZYWmNRGdvxYjSjExIYgkDrcWbowTqD0bFC9b
+zClaSqrxR6GHUzbUVOBuCP+RmUx4j6gPvMRLUcIn5RmpbGtPE0ixeB5sFB0IuRRW
+6u2YToCiuq3EG1iJRmxjnBa/zj1aBO6OlsE/aPc0Sx+Jhm+MUbDioxUAriX96bJ+
+DEB4zgDhC0vIvkkUVAzQMkWPX479nPDmiZLpMqUIfqUh75WDpHbCladyGMgSkEo0
+IKq96oAWHJC8WLH0UMxMNuf8Ut+TsSpIO6G0RPl/cx3+hQqSUC5oUB7R3ZAWYx+6
+mawjkNJEx72yeJmQtGiZYEfeMt0Svm10PypMXFu0+2JjiS2eRj2K1yqrUnuL6AnY
+GYYmTmR74dnVAd35bRYJjY1XHGC9MyqBn4jLqKZm1BKO3sFsctGDy6vybnvAgPD7
+LioGQHPiOZmQe9Q5mMLedE9NAUCzlR8BHRbWtlnajQWcC0JcVu/mBQsjOt/KHh/V
+CY4aFXE56lRH2OpqZQxFpBFOSFDcuVX+zcEBGmKfk65n2MFL4McAJUhVRZL561Zx
+r9BvILv1Ld6/hECbodq0sUqvbDYHzv25zxAVKSIk1xy85mP5aNbk8xuGHmm860wg
+YOqdePwBEcDHoio+ov/uFYB7+4gt40vV90EzSiyfdq8x9RFMViJU430IkIBcvByo
+tFFcbN8ucBozxtl4AX495GVSRI7V0XXBtEdOIwJIzPBylZOHxCuTnA==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..6a2aea811
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2658293ac
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=%defaultroute
+	leftsubnet=10.1.0.0/16
+	leftsourceip=PH_IP_MOON1
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+
+conn carol
+	right=carol.strongswan.org
+	rightallowany=yes
+	rightid=carol@strongswan.org
+	rightsubnet=PH_IP_CAROL1/32
+	auto=add
diff --git a/testing/tests/ikev1/dynamic-responder/posttest.dat b/testing/tests/ikev1/dynamic-responder/posttest.dat
new file mode 100644
index 000000000..c30a35edd
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/posttest.dat
@@ -0,0 +1,11 @@
+dave::ipsec stop
+carol::ipsec stop
+dave::sleep 1
+moon::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::rm /etc/ipsec.d/certs/*
+dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/dynamic-responder/pretest.dat b/testing/tests/ikev1/dynamic-responder/pretest.dat
new file mode 100644
index 000000000..a330b1074
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/pretest.dat
@@ -0,0 +1,13 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+moon::sleep 2
+moon::ipsec up carol
+moon::sleep 1
+carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+dave::ipsec up moon
+dave::sleep 1
diff --git a/testing/tests/ikev1/dynamic-responder/test.conf b/testing/tests/ikev1/dynamic-responder/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/dynamic-two-peers/description.txt b/testing/tests/ikev1/dynamic-two-peers/description.txt
new file mode 100644
index 000000000..56a1c0754
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/description.txt
@@ -0,0 +1,15 @@
+The peers <b>carol</b>, <b>dave</b>, and <b>moon</b> all have dynamic IP addresses,
+so that the remote end is defined symbolically by <b>right=%&lt;hostname&gt;</b>.
+The ipsec starter resolves the fully-qualified hostname into the current IP address
+via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are
+expected to change over time, the prefix '%' is used as an implicit alternative to the
+explicit <b>rightallowany=yes</b> option which will allow an IKE
+main mode rekeying to arrive from an arbitrary IP address under the condition that
+the peer identity remains unchanged. When this happens the old tunnel is replaced
+by an IPsec connection to the new origin.
+<p>
+In this scenario both <b>carol</b> and <b>dave</b> initiate a tunnel to
+<b>moon</b> which has a named connection definition for each peer. Although
+the IP addresses of both <b>carol</b> and <b>dave</b> are stale, thanks to
+the '%' prefix <b>moon</b> will accept the IKE negotiations from the actual IP addresses.
+
diff --git a/testing/tests/ikev1/dynamic-two-peers/evaltest.dat b/testing/tests/ikev1/dynamic-two-peers/evaltest.dat
new file mode 100644
index 000000000..f46a6a20b
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/evaltest.dat
@@ -0,0 +1,10 @@
+carol::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec status::dave.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..41123c9d6
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn moon 
+	left=%defaultroute
+	leftsourceip=PH_IP_CAROL1
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=%moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..2ba4db724
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn moon
+	left=%defaultroute
+	leftsourceip=PH_IP_DAVE1
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=%moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/hosts.stale b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/hosts.stale
new file mode 100644
index 000000000..ebff4ec25
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/hosts.stale
@@ -0,0 +1,67 @@
+# /etc/hosts:  This file describes a number of hostname-to-address
+#              mappings for the TCP/IP subsystem.  It is mostly
+#              used at boot time, when no name servers are running.
+#              On small systems, this file can be used instead of a
+#              "named" name server.  Just add the names, addresses
+#              and any aliases to this file...
+#
+
+127.0.0.1	localhost
+
+192.168.0.254	uml0.strongswan.org	uml0
+10.1.0.254	uml1.strongswan.org	uml1
+10.2.0.254	uml1.strongswan.org	uml2
+
+10.1.0.10	alice.strongswan.org	alice
+10.1.0.20	venus.strongswan.org	venus
+10.1.0.1	moon1.strongswan.org	moon1
+192.168.0.1	moon.strongswan.org	moon
+192.168.0.110	carol.strongswan.org	carol
+10.3.0.1	carol1.strongswan.org	carol1
+192.168.0.150	winnetou.strongswan.org	winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
+192.168.0.220	dave.strongswan.org	dave
+10.3.0.2	dave1.strongswan.org	dave1
+192.168.0.2	sun.strongswan.org	sun
+10.2.0.1	sun1.strongswan.org	sun1
+10.2.0.10	bob.strongswan.org	bob
+
+# IPv6 versions of localhost and co
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+
+# IPv6 solicited-node multicast addresses
+ff02::1:ff00:1	ip6-mcast-1
+ff02::1:ff00:2	ip6-mcast-2
+ff02::1:ff00:10	ip6-mcast-10
+ff02::1:ff00:15	ip6-mcast-15
+ff02::1:ff00:20	ip6-mcast-20
+
+# IPv6 site-local addresses
+fec1::10	ip6-alice.strongswan.org    ip6-alice
+fec1::20	ip6-venus.strongswan.org    ip6-venus
+fec1::1 	ip6-moon1.strongswan.org    ip6-moon1
+fec0::1 	ip6-moon.strongswan.org     ip6-moon
+fec0::10	ip6-carol.strongswan.org    ip6-carol
+fec3::1 	ip6-carol1.strongswan.org   ip6-carol1
+fec0::15	ip6-winnetou.strongswan.org ip6-winnetou 
+fec0::20	ip6-dave.strongswan.org     ip6-dave
+fec3::2 	ip6-dave1.strongswan.org    ip6-dave1
+fec0::2 	ip6-sun.strongswan.org      ip6-sun
+fec2::1 	ip6-sun1.strongswan.org     ip6-sun1
+fec2::10	ip6-bob.strongswan.org      ip6-bob
+
+# IPv6 link-local HW derived addresses
+fe80::fcfd:0aff:fe01:14	ip6-hw-venus.strongswan.org    ip6-hw-venus
+fe80::fcfd:0aff:fe01:0a	ip6-hw-alice.strongswan.org    ip6-hw-alice
+fe80::fcfd:0aff:fe01:01	ip6-hw-moon1.strongswan.org    ip6-hw-moon1
+fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org     ip6-hw-moon
+fe80::fcfd:c0ff:fea8:64	ip6-hw-carol.strongswan.org    ip6-hw-carol
+fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
+fe80::fcfd:c0ff:fea8:c8	ip6-hw-dave.strongswan.org     ip6-hw-dave
+fe80::fcfd:c0ff:fea8:02	ip6-hw-sun.strongswan.org      ip6-hw-sun
+fe80::fcfd:0aff:fe02:01	ip6-hw-sun1.strongswan.org     ip6-hw-sun1
+fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org      ip6-hw-bob
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..50c3a6a69
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,31 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=%defaultroute
+	leftsubnet=10.1.0.0/16
+	leftsourceip=PH_IP_MOON1
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+
+conn carol
+	right=%carol.strongswan.org
+	rightid=carol@strongswan.org
+	rightsubnet=PH_IP_CAROL1/32
+	auto=add
+
+conn dave
+	right=%dave.strongswan.org
+	rightid=dave@strongswan.org
+	rightsubnet=PH_IP_DAVE1/32
+	auto=add
diff --git a/testing/tests/ikev1/dynamic-two-peers/posttest.dat b/testing/tests/ikev1/dynamic-two-peers/posttest.dat
new file mode 100644
index 000000000..65292daae
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/posttest.dat
@@ -0,0 +1,10 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::sleep 1
+moon::ipsec stop
+moon::mv /etc/hosts.ori /etc/hosts
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/ikev1/dynamic-two-peers/pretest.dat b/testing/tests/ikev1/dynamic-two-peers/pretest.dat
new file mode 100644
index 000000000..6596a2527
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/pretest.dat
@@ -0,0 +1,12 @@
+moon::mv /etc/hosts /etc/hosts.ori
+moon::mv /etc/hosts.stale /etc/hosts
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up moon
+dave::ipsec up moon
+carol::sleep 1
diff --git a/testing/tests/ikev1/dynamic-two-peers/test.conf b/testing/tests/ikev1/dynamic-two-peers/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
index 21f56705c..6af3a88ac 100755
--- a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
index 274a1aa18..e1bc08ee4 100755
--- a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	auth=ah
 	ike=aes128-sha
 	esp=aes128-sha1
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
index 8c72a7b7f..8a9f033f1 100755
--- a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
index ccf8e91fa..fb0e59d86 100755
--- a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	auth=ah
 	ike=aes128-sha
 	esp=aes128-sha1
diff --git a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
index b8ef03cfe..feeef7901 100755
--- a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
@@ -13,9 +13,9 @@ conn %default
 	keyingtries=1
 	ike=3des-md5-modp1024!
 	esp=des-md5!
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
index 3ac0bf4cf..be4c9aced 100755
--- a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=3des-md5-modp1024!
 	esp=des-md5!
 
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
index 7a8ae37c9..b939e4fda 100755
--- a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
@@ -13,9 +13,9 @@ conn %default
 	keyingtries=1
 	ike=aes-128-sha
 	esp=null-sha1!
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
index 187a3fb17..9ca761cb5 100755
--- a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=aes128-sha!
 	esp=null-sha1!
 
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
index 4ed2fb645..f61cfc6bb 100755
--- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
@@ -13,9 +13,9 @@ conn %default
 	keyingtries=1
 	ike=3des-sha
 	esp=3des-sha1
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
index f8c27ad7c..5bf53b8bc 100755
--- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=aes128-sha
 	esp=aes128-sha1!
 
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
index da86d14df..0ae6b0693 100755
--- a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
@@ -13,9 +13,9 @@ conn %default
 	keyingtries=1
 	ike=3des-sha,aes-128-sha
 	esp=3des-sha1,aes-128-sha1
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
index f8c27ad7c..5bf53b8bc 100755
--- a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=aes128-sha
 	esp=aes128-sha1!
 
diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
index b8ef03cfe..feeef7901 100755
--- a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
@@ -13,9 +13,9 @@ conn %default
 	keyingtries=1
 	ike=3des-md5-modp1024!
 	esp=des-md5!
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
index 691b6b74f..147d8ffaa 100755
--- a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
index 10597bc58..b984b8d14 100755
--- a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn host-host
 	right=PH_IP_MOON
-	rightnexthop=%direct
 	rightcert=moonCert.pem
 	rightid=@moon.strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
index 45121d967..bb409adcc 100755
--- a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn host-host
 	right=PH_IP_SUN
-	rightnexthop=%direct
 	rightcert=sunCert.pem
 	rightfirewall=yes
 	rightid=@sun.strongswan.org
diff --git a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
index 44ac885ce..49c84d894 100755
--- a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 
 conn host-host
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
index a89e799bd..e517b39cd 100755
--- a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 
 conn host-host
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf
index 2bf2f8740..52fc94b51 100755
--- a/testing/tests/ikev1/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 	esp=aes192-sha2_256!
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf
index 5baf8f1d9..97e552a6a 100755
--- a/testing/tests/ikev1/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=aes192-sha2_384-modp4096!
 	esp=aes192-sha2_256!
 
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf
index 8b1052f91..cf9309223 100755
--- a/testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 	esp=aes256-sha2_256!
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf
index 62b93c428..d47ad7696 100755
--- a/testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=aes256-sha2_512-modp8192!
 	esp=aes256-sha2_256!
 
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
index 4ed2fb645..cbe5469f0 100755
--- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
@@ -13,12 +13,12 @@ conn %default
 	keyingtries=1
 	ike=3des-sha
 	esp=3des-sha1
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	auto=add
+	auto=add 
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
index 1a8b0b966..42e5f8404 100755
--- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=aes128-sha!
 	esp=aes128-sha1
 
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
index da86d14df..b8e2257c4 100755
--- a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 	esp=3des-sha1,aes-128-sha1
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
index 1a8b0b966..42e5f8404 100755
--- a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=aes128-sha!
 	esp=aes128-sha1
 
diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
index db8cfd5c4..36a4e2fb1 100755
--- a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	left=PH_IP_CAROL
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
index cc330b47f..469145fb8 100755
--- a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	left=PH_IP_DAVE
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
index 3de856642..79be57226 100755
--- a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftsourceip=PH_IP_MOON1
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
index 3bcc0ff25..b019c5a33 100755
--- a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	right=PH_IP_CAROL
 	rightsourceip=%modeconfig
-	rightnexthop=%direct
 	rightcert=carolCert.pem
 	rightid=carol@strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
index 7933ef15a..5b38a2041 100755
--- a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	right=PH_IP_DAVE
 	rightsourceip=%modeconfig
-	rightnexthop=%direct
 	rightcert=daveCert.pem
 	rightid=dave@strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
index 53b81a534..911531edb 100755
--- a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightsourceip=PH_IP_MOON1
-	rightnexthop=%direct
 	rightcert=moonCert.pem
 	rightid=@moon.strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
index 2fd734579..57ec7040e 100755
--- a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	left=PH_IP_CAROL
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
index 128c4aa29..3179faa05 100755
--- a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	left=PH_IP_DAVE
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
index 3367544eb..10ae2261b 100755
--- a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftsourceip=PH_IP_MOON1
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
index 2917edd8a..cfdc692d7 100755
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
index 3c8227f19..fecce5efa 100755
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
index 9b1d03320..994792f7d 100755
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
@@ -27,7 +27,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
index 2c645ead6..04a512eb7 100755
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
index dcf3c94c7..a9e648f5e 100755
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
index 93bd80758..d240302b6 100755
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
index ab336c3c8..fdca83e18 100755
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
index d6d32a39d..d4ce57333 100755
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
index 6156fadba..ea445522e 100755
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
index 6b4e37b35..cf952be47 100755
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
index 316cdaecc..0adb2593d 100755
--- a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftsendcert=ifasked
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
index 5838f5f2f..0e8e413e6 100755
--- a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftsendcert=ifasked
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
index e47d453e4..1e00096c8 100755
--- a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftsendcert=ifasked
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
index 9637dcf06..82576bb2b 100755
--- a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn host-net
 	left=192.168.0.1
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
index 573069f75..ebd735a11 100755
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn nat-t
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf
index eb72ed85f..a54482489 100755
--- a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf
index 205f235c8..419adc2f2 100755
--- a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
index e095c0b7b..7302a423b 100755
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
index b21f863f5..7633f5c8b 100755
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
index a3536e2b2..5eedd9f28 100755
--- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
index 12e38962e..24bd66f53 100755
--- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
index 466235099..eabb76bf7 100755
--- a/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
index e4c0614a1..18b18f3ea 100755
--- a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
@@ -9,7 +9,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
index d0c8752a3..3f2bc48c0 100755
--- a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
@@ -9,7 +9,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
index 95abd046a..e2e43cecd 100755
--- a/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
index 5b32ef007..9a1f0934b 100755
--- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolRevokedCert.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
index d9da3f78a..9b0c9b534 100755
--- a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
index fd950ecd5..5624f4fcf 100755
--- a/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
index d9da3f78a..9b0c9b534 100755
--- a/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/passthrough/description.txt b/testing/tests/ikev1/passthrough/description.txt
new file mode 100644
index 000000000..145c5b79c
--- /dev/null
+++ b/testing/tests/ikev1/passthrough/description.txt
@@ -0,0 +1,6 @@
+All IP traffic from the subnet behind the gateway <b>moon</b> is tunneled
+to the gateway  <b>sun</b> using the 0.0.0.0/0 network mask. In order
+to prevent local subnet traffic from escaping through the tunnel, a
+passthrough policy for the 10.1.0.0/16 network is inserted on <b>moon</b>.
+A series of internal and external pings verifies the correct
+functioning of the setup.
diff --git a/testing/tests/ikev1/passthrough/evaltest.dat b/testing/tests/ikev1/passthrough/evaltest.dat
new file mode 100644
index 000000000..942222f08
--- /dev/null
+++ b/testing/tests/ikev1/passthrough/evaltest.dat
@@ -0,0 +1,9 @@
+moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..557fb62eb
--- /dev/null
+++ b/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	right=PH_IP_SUN
+
+conn net-net
+	rightsubnet=0.0.0.0/0
+	rightid=@sun.strongswan.org
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftsourceip=10.1.0.1
+	leftfirewall=yes
+	lefthostaccess=yes
+	auto=add
+        
+conn pass
+	rightsubnet=10.1.0.0/16
+	type=passthrough
+	authby=never
+	auto=route
diff --git a/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..9276f1f90
--- /dev/null
+++ b/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	nat_traversal=yes
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn net-net
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+	leftsubnet=0.0.0.0/0
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/passthrough/posttest.dat b/testing/tests/ikev1/passthrough/posttest.dat
new file mode 100644
index 000000000..5a9150bc8
--- /dev/null
+++ b/testing/tests/ikev1/passthrough/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/passthrough/pretest.dat b/testing/tests/ikev1/passthrough/pretest.dat
new file mode 100644
index 000000000..2606db192
--- /dev/null
+++ b/testing/tests/ikev1/passthrough/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables -I INPUT  -i eth1 -s 10.1.0.0/16 -j ACCEPT
+moon::iptables -I OUTPUT -o eth1 -d 10.1.0.0/16 -j ACCEPT
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/ikev1/passthrough/test.conf b/testing/tests/ikev1/passthrough/test.conf
new file mode 100644
index 000000000..d9a61590f
--- /dev/null
+++ b/testing/tests/ikev1/passthrough/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
index 0dc25b7bb..3adfdc0b8 100755
--- a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
index 3b01128c2..e1ce14973 100755
--- a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
index 093f9b1fc..913e6d91a 100755
--- a/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home-icmp
 	left=PH_IP_CAROL
-	leftnexthop=%direct
         leftid=carol@strongswan.org
 	leftcert=carolCert.pem
 	leftprotoport=icmp
diff --git a/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
index e64b3be7a..d941e81ef 100755
--- a/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn rw-icmp
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftsubnet=10.1.0.0/16
 	leftprotoport=icmp
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/protoport-pass/posttest.dat b/testing/tests/ikev1/protoport-pass/posttest.dat
index 94a400606..d6f014882 100644
--- a/testing/tests/ikev1/protoport-pass/posttest.dat
+++ b/testing/tests/ikev1/protoport-pass/posttest.dat
@@ -1,4 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
+carol::ip route del 10.1.0.0/16 via PH_IP_MOON
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/protoport-pass/pretest.dat b/testing/tests/ikev1/protoport-pass/pretest.dat
index 13b4ad4a0..37f545062 100644
--- a/testing/tests/ikev1/protoport-pass/pretest.dat
+++ b/testing/tests/ikev1/protoport-pass/pretest.dat
@@ -4,6 +4,7 @@ moon::iptables -I FORWARD -o eth0 -p tcp -s 10.1.0.0/16 --sport ssh -jACCEPT
 carol::/etc/init.d/iptables start 2> /dev/null
 carol::iptables -I INPUT  -i eth0 -p tcp -s 10.1.0.0/16 --sport ssh -d PH_IP_CAROL -jACCEPT
 carol::iptables -I OUTPUT -o eth0 -p tcp -d 10.1.0.0/16 --dport ssh -s PH_IP_CAROL -jACCEPT
+carol::ip route add 10.1.0.0/16 via PH_IP_MOON
 moon::ipsec start
 carol::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
index 99b410c32..dfc0143ed 100755
--- a/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
index 3b01128c2..e1ce14973 100755
--- a/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
index e32aca0b9..6db69096b 100755
--- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=myCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
index 1e9a27129..f0e4036c0 100755
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
index 05d209c44..864d014de 100755
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn rw-carol 
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
index 1e9a27129..f0e4036c0 100755
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
index beda12b3c..f3a6db107 100755
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
index 8e27a9ecd..d76337996 100755
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
index f8ce5569c..025f335b2 100755
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
index c62605bd0..980523a5e 100755
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 conn home
 	authby=secret
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
index 4584e1408..d57d790d1 100755
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
index b142c75bb..08a41e612 100755
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 conn home
 	authby=secret
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
index 5916d8fd8..b8900c082 100755
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
index 2abe3c147..dbfac50e2 100755
--- a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 conn rw-psk
 	authby=secret
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
index 93ea3a80e..db281ef80 100755
--- a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=selfCert.der
 	leftsendcert=never
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
index 98b0030d8..f3c2be9a1 100755
--- a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn carol
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.der
 	leftid=@moon.strongswan.org
 	leftsendcert=never
diff --git a/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
index b58d1deb7..cd751df3d 100755
--- a/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
@@ -30,7 +30,6 @@ conn rw
 
 conn moon
 	left=PH_IP_MOON
-        leftnexthop=%direct
         leftcert=moonCert.pem
         leftid=@moon.strongswan.org
         leftfirewall=yes
diff --git a/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
index 09f3bb94d..e78231f0c 100755
--- a/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
@@ -30,7 +30,6 @@ conn rw
 
 conn moon
 	left=PH_IP_MOON
-        leftnexthop=%direct
         leftcert=moonCert.pem
         leftid=@moon.strongswan.org
         leftfirewall=yes
diff --git a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
index 2fd734579..57ec7040e 100755
--- a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	left=PH_IP_CAROL
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
index 128c4aa29..3179faa05 100755
--- a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	left=PH_IP_DAVE
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
index 81d1ae8b6..a2af4e9f8 100755
--- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert-sha384.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
index 468be8afb..e48b1a78c 100755
--- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert-sha512.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
index 7aed142a4..b9710cb14 100755
--- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert-sha256.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
index f4f2dedd0..b4ad3c011 100755
--- a/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	right=PH_IP_CAROL
 	rightsourceip=PH_IP_CAROL1
-	rightnexthop=%direct
 	rightcert=carolCert.pem
 	rightid=carol@strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
index de7f07eb9..eafcf5e55 100755
--- a/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn rw
 	right=PH_IP_MOON
 	rightsourceip=PH_IP_MOON1
-	rightnexthop=%direct
 	rightcert=moonCert.pem
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
index a863df33e..71aa4decf 100755
--- a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	left=PH_IP_CAROL
 	leftsourceip=PH_IP_CAROL1
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
index c0310692a..471e9e833 100755
--- a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn rw
 	left=PH_IP_MOON
 	leftsourceip=PH_IP_MOON1
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
index d6d32a39d..d4ce57333 100755
--- a/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
index 6156fadba..ea445522e 100755
--- a/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
index 162e22c43..8952bc92f 100755
--- a/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
index 665ce592f..30b657662 100755
--- a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 conn system
 	left=PH_IP_ALICE
 	leftprotoport=tcp/ssh
-	leftnexthop=%direct
 	authby=never
 	type=passthrough
 	right=10.1.0.254
@@ -25,7 +24,6 @@ conn system
 
 conn wlan 
 	left=PH_IP_ALICE
-	leftnexthop=%direct
 	leftcert=aliceCert.pem
 	leftid=alice@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
index 44f980422..ab3287aee 100755
--- a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
@@ -27,7 +27,6 @@ conn venus
 
 conn wlan
         left=PH_IP_MOON1
-	leftnexthop=%direct
 	leftsubnet=0.0.0.0/0
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
index 5d861548d..bb9897c79 100755
--- a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 conn system
 	left=PH_IP_VENUS
 	leftprotoport=tcp/ssh
-	leftnexthop=%direct
 	authby=never
 	type=passthrough
 	right=10.1.0.254
@@ -25,7 +24,6 @@ conn system
 
 conn wlan 
 	left=PH_IP_VENUS
-	leftnexthop=%direct
 	leftcert=venusCert.pem
 	leftid=@venus.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf
index 3fd0ebf85..747f4b6bf 100644
--- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn home
 	left=PH_IP_CAROL
 	leftid=carol@strongswan.org
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf
index 8d20a5d20..0193c0512 100644
--- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn home
 	left=PH_IP_DAVE
 	leftid=dave@strongswan.org
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf
index 66f705e79..98598b04c 100644
--- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 	xauth=server
 	left=PH_IP_MOON
 	leftid=@moon.strongswan.org
-	leftnexthop=%direct
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
 	right=%any
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
index 3e8ddf0fe..b5ec4c4af 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
index 9aee88cfe..a353e3f12 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
index dfaa44521..c92ad8748 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
 	right=%any
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
index d49bc1490..47bf1dafc 100755
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
index 6a48cf6ee..f79a81a6f 100755
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
index 90539650f..47928181f 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 conn home
 	left=PH_IP_CAROL
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
index 19618145d..8c8cb4a2d 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 conn home
 	left=PH_IP_DAVE
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
index eccdc2b70..1c48e13e7 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 	authby=xauthrsasig
 	xauth=server
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
index d49bc1490..47bf1dafc 100755
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
index 6a48cf6ee..f79a81a6f 100755
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
index d49bc1490..47bf1dafc 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
index 5c1de3372..1fcf71d5c 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
index a997fb73f..ffbb13ec5 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf
index 6e2cbd153..6894a952c 100755
--- a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	right=PH_IP_CAROL
 	rightsourceip=%config
-	rightnexthop=%direct
 	rightcert=carolCert.pem
 	rightid=carol@strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf
index f148757db..cefbc8270 100755
--- a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	right=PH_IP_DAVE
 	rightsourceip=%config
-	rightnexthop=%direct
 	rightcert=daveCert.pem
 	rightid=dave@strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
index 5cb49cfc8..8458724c6 100755
--- a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightsourceip=PH_IP_MOON1
-	rightnexthop=%direct
 	rightcert=moonCert.pem
 	rightid=@moon.strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf
index 4ea2b22f7..a19f6cfae 100755
--- a/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	left=PH_IP_CAROL
 	leftsourceip=%config
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf
index dad3f3440..1a89f4e5d 100755
--- a/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	left=PH_IP_DAVE
 	leftsourceip=%config
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
index a4c4b3553..bafd1b155 100755
--- a/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftsourceip=PH_IP_MOON1
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf
index cea581bc2..4d47c831c 100755
--- a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
index fe2179885..9488a6822 100755
--- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables
index 571459bae..999d0d183 100755
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables
@@ -25,6 +25,10 @@ start() {
 	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
 	# allow ldap crl fetch from winnetou
 	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf
index 8b37ec6b8..26d34de47 100755
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf
@@ -20,7 +20,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables
index 8de514a2e..4f4f3228b 100755
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables
@@ -28,6 +28,10 @@ start() {
 	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
 	# allow ldap crl fetch from winnetou
 	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
index 47a52b60b..1d2a68528 100755
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
@@ -20,7 +20,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
index 29b3c2a65..cbab29414 100755
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolRevokedCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf
index a1a9587dd..dd50c335b 100755
--- a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf
index 52e5c291d..fbb9cd7e9 100755
--- a/testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf
index a9f6a4bb4..072c57c5b 100755
--- a/testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf
index cea581bc2..4d47c831c 100755
--- a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
index fe2179885..9488a6822 100755
--- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
index a4668d9ae..9574f18bb 100755
--- a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=selfCert.der
 	leftsendcert=never
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables
index 13ad3063f..5a262c084 100755
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables
@@ -28,6 +28,10 @@ start() {
 	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
 	# allow crl fetch from winnetou
 	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
index b6a0e4990..5b2c4e3f4 100755
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn carol
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=selfCert.der
 	leftsendcert=never
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf
index e5d9ad476..bcdb8641b 100755
--- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf
index 97b5411bd..cdb40d72d 100755
--- a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	keyexchange=ikev2
 	dpdaction=clear
 	dpddelay=10
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf
index dff90e563..bfc8ac34c 100755
--- a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf
index 97b5411bd..cdb40d72d 100755
--- a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	keyexchange=ikev2
 	dpdaction=clear
 	dpddelay=10
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf
index 7c5b88a2c..631eac9b6 100755
--- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf
index 97b5411bd..cdb40d72d 100755
--- a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	keyexchange=ikev2
 	dpdaction=clear
 	dpddelay=10
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
index d00d8762d..25f8ce8b2 100755
--- a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftfirewall=yes
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
index fca2cbdab..303a49152 100755
--- a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftfirewall=yes
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
index 2d41690cc..ec9ac5b80 100755
--- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn host-host
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
index 7ffbf64ac..484eb995f 100755
--- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn host-host
 	left=PH_IP_SUN
-	leftnexthop=%direct
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
index 0c3dd7abe..981c7f073 100755
--- a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn host-host
 	right=PH_IP_MOON
-	rightnexthop=%direct
 	rightcert=moonCert.pem
 	rightid=@moon.strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
index bd510cc73..e3fc2b728 100755
--- a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn host-host
 	right=PH_IP_SUN
-	rightnexthop=%direct
 	rightcert=sunCert.pem
 	rightid=@sun.strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf
index f957e5fb3..b80aa80c4 100755
--- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn host-host
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf
index 52b605024..dd1811083 100755
--- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn host-host
 	left=PH_IP_SUN
-	leftnexthop=%direct
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/mobike-nat/description.txt b/testing/tests/ikev2/mobike-nat/description.txt
new file mode 100644
index 000000000..dd8a3a11a
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>alice</b> is sitting behind the NAT router <b>moon</b> but
+at the outset of the scenariou is also directly connected to the 192.168.0.0/24 network
+via an additional <b>eth1</b> interface. <b>alice</b> builds up a tunnel to gateway <b>sun</b>
+in order to reach <b>bob</b> in the subnet behind. When the <b>eth1</b> interface
+goes away, <b>alice</b> switches to <b>eth0</b> and signals the IP address change 
+via a MOBIKE ADDRESS_UPDATE notification to peer <b>sun</b>. <b>alice</b> sets
+a virtual IP of PH_IP_ALICE, so that the IPsec policies don't have to be changed.
diff --git a/testing/tests/ikev2/mobike-nat/evaltest.dat b/testing/tests/ikev2/mobike-nat/evaltest.dat
new file mode 100644
index 000000000..f6259cfb6
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/evaltest.dat
@@ -0,0 +1,16 @@
+alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES
+sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
+alice::ipsec statusall::PH_IP_ALICE/32 === 10.2.0.0/16::YES
+sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::/etc/init.d/net.eth1 stop::No output expected::NO
+alice::sleep 1::No output expected::NO
+alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
+sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES
+alice::ipsec statusall::PH_IP_ALICE/32 === 10.2.0.0/16::YES
+sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::moon.strongswan.org.*sun.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::sun.strongswan.org.*moon.strongswan.org.*: UDP-encap: ESP::YES
+bob::tcpdump::alice.strongswan.org.*bob.strongswan.org.*ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org.*alice.strongswan.org.*ICMP echo reply::YES
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..db18182a3
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,83 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..e05356b39
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn mobike
+	left=PH_IP_ALICE1
+	leftsourceip=PH_IP_ALICE
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..6944749be
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn mobike
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+	leftsubnet=10.2.0.0/16
+	right=%any
+	rightsourceip=%config
+	rightid=alice@strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/mobike-nat/posttest.dat b/testing/tests/ikev2/mobike-nat/posttest.dat
new file mode 100644
index 000000000..cd0d4df25
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/posttest.dat
@@ -0,0 +1,6 @@
+alice::ipsec stop
+sun::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/ikev2/mobike-nat/pretest.dat b/testing/tests/ikev2/mobike-nat/pretest.dat
new file mode 100644
index 000000000..08c2be95c
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/pretest.dat
@@ -0,0 +1,12 @@
+alice::/etc/init.d/net.eth1 start
+alice::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::conntrack -F
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::ipsec start
+sun::ipsec start
+alice::sleep 2 
+alice::ipsec up mobike
+alice::sleep 1
diff --git a/testing/tests/ikev2/mobike-nat/test.conf b/testing/tests/ikev2/mobike-nat/test.conf
new file mode 100644
index 000000000..6467631e5
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="bob moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/mobike-virtual-ip/description.txt b/testing/tests/ikev2/mobike-virtual-ip/description.txt
new file mode 100644
index 000000000..997c7f3e8
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>alice</b> is sitting behind the router <b>moon</b> but
+at the outset of the scenariou is also directly connected to the 192.168.0.0/24 network
+via an additional <b>eth1</b> interface. <b>alice</b> builds up a tunnel to gateway <b>sun</b>
+in order to reach <b>bob</b> in the subnet behind. When the <b>eth1</b> interface
+goes away, <b>alice</b> switches to <b>eth0</b> and signals the IP address change 
+via a MOBIKE ADDRESS_UPDATE notification to peer <b>sun</b>. <b>alice</b> sets
+a virtual IP of PH_IP_ALICE, so that the IPsec policies don't have to be changed.
diff --git a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
new file mode 100644
index 000000000..482cef866
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
@@ -0,0 +1,16 @@
+alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES
+sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
+alice::ipsec statusall::PH_IP_ALICE/32 === 10.2.0.0/16::YES
+sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::/etc/init.d/net.eth1 stop::No output expected::NO
+alice::sleep 1::No output expected::NO
+alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
+sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES
+alice::ipsec statusall::PH_IP_ALICE/32 === 10.2.0.0/16::YES
+sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::alice.strongswan.org.*sun.strongswan.org.*: ESP::YES
+moon::tcpdump::sun.strongswan.org.*alice.strongswan.org.*: ESP::YES
+bob::tcpdump::alice.strongswan.org.*bob.strongswan.org.*ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org.*alice.strongswan.org.*ICMP echo reply::YES
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..db18182a3
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,83 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..e05356b39
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn mobike
+	left=PH_IP_ALICE1
+	leftsourceip=PH_IP_ALICE
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..64a659f4f
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn mobike
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+	leftsubnet=10.2.0.0/16
+	right=PH_IP_ALICE1
+	rightsourceip=%config
+	rightid=alice@strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/mobike-virtual-ip/posttest.dat b/testing/tests/ikev2/mobike-virtual-ip/posttest.dat
new file mode 100644
index 000000000..32fdf0053
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/posttest.dat
@@ -0,0 +1,5 @@
+alice::ipsec stop
+sun::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+sun::ip route del 10.1.0.0/16 via PH_IP_MOON
diff --git a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat
new file mode 100644
index 000000000..6666e7794
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat
@@ -0,0 +1,10 @@
+alice::/etc/init.d/net.eth1 start
+alice::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::ip route add 10.1.0.0/16 via PH_IP_MOON
+alice::ipsec start
+sun::ipsec start
+alice::sleep 2 
+alice::ipsec up mobike
+alice::sleep 1
diff --git a/testing/tests/ikev2/mobike-virtual-ip/test.conf b/testing/tests/ikev2/mobike-virtual-ip/test.conf
new file mode 100644
index 000000000..6467631e5
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="bob moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/mobike/description.txt b/testing/tests/ikev2/mobike/description.txt
new file mode 100644
index 000000000..3c780be9e
--- /dev/null
+++ b/testing/tests/ikev2/mobike/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>alice</b> is sitting behind the router <b>moon</b> but
+at the outset of the scenariou is also directly connected to the 192.168.0.0/24 network
+via an additional <b>eth1</b> interface. <b>alice</b> builds up a tunnel to gateway <b>sun</b>
+in order to reach <b>bob</b> in the subnet behind. When the <b>eth1</b> interface
+goes away, <b>alice</b> switches to <b>eth0</b> and signals the IP address change 
+via a MOBIKE ADDRESS_UPDATE notification to peer <b>sun</b>. Since <b>alice</b> has
+not configured a virtual IP address the IPsec policies must be updated.
diff --git a/testing/tests/ikev2/mobike/evaltest.dat b/testing/tests/ikev2/mobike/evaltest.dat
new file mode 100644
index 000000000..10bb37e42
--- /dev/null
+++ b/testing/tests/ikev2/mobike/evaltest.dat
@@ -0,0 +1,18 @@
+alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES
+sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
+alice::ipsec statusall::PH_IP_ALICE1/32 === 10.2.0.0/16::YES
+sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE1/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::/etc/init.d/net.eth1 stop::No output expected::NO
+alice::sleep 1::No output expected::NO
+alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
+sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES
+alice::ipsec statusall::PH_IP_ALICE/32 === 10.2.0.0/16::YES
+sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::alice.strongswan.org.*sun.strongswan.org.*: ESP::YES
+moon::tcpdump::sun.strongswan.org.*alice.strongswan.org.*: ESP::YES
+bob::tcpdump::alice1.strongswan.org.*bob.strongswan.org.*ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org.*alice1.strongswan.org.*ICMP echo reply::YES
+bob::tcpdump::alice.strongswan.org.*bob.strongswan.org.*ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org.*alice.strongswan.org.*ICMP echo reply::YES
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..db18182a3
--- /dev/null
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,83 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..37e92cf5b
--- /dev/null
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn mobike
+	left=PH_IP_ALICE1
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..1367e784f
--- /dev/null
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn mobike
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+	leftsubnet=10.2.0.0/16
+	right=PH_IP_ALICE1
+	rightid=alice@strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/mobike/posttest.dat b/testing/tests/ikev2/mobike/posttest.dat
new file mode 100644
index 000000000..32fdf0053
--- /dev/null
+++ b/testing/tests/ikev2/mobike/posttest.dat
@@ -0,0 +1,5 @@
+alice::ipsec stop
+sun::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+sun::ip route del 10.1.0.0/16 via PH_IP_MOON
diff --git a/testing/tests/ikev2/mobike/pretest.dat b/testing/tests/ikev2/mobike/pretest.dat
new file mode 100644
index 000000000..6666e7794
--- /dev/null
+++ b/testing/tests/ikev2/mobike/pretest.dat
@@ -0,0 +1,10 @@
+alice::/etc/init.d/net.eth1 start
+alice::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::ip route add 10.1.0.0/16 via PH_IP_MOON
+alice::ipsec start
+sun::ipsec start
+alice::sleep 2 
+alice::ipsec up mobike
+alice::sleep 1
diff --git a/testing/tests/ikev2/mobike/test.conf b/testing/tests/ikev2/mobike/test.conf
new file mode 100644
index 000000000..6467631e5
--- /dev/null
+++ b/testing/tests/ikev2/mobike/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="bob moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
index 466b08eae..39996cf42 100755
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
index d4b20453d..e25636a7d 100755
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
index 8de514a2e..4f4f3228b 100755
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
@@ -28,6 +28,10 @@ start() {
 	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
 	# allow ldap crl fetch from winnetou
 	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
index c342625af..46f1030cd 100755
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
@@ -27,7 +27,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
index 11dce322e..5c34528a4 100755
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
index 52e5cd8cd..96e493719 100755
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
index 9350d121e..a042da6d5 100755
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
index 61574d1f0..9b331f0a9 100755
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf
index 3f95ed506..174e248c2 100755
--- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftsendcert=ifasked
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf
index 082ed2974..5c90dd4a2 100755
--- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftsendcert=ifasked
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
index 4561a52db..e1ee6e8d6 100755
--- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -18,7 +18,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftsendcert=ifasked
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/nat-one-rw/pretest.dat b/testing/tests/ikev2/nat-one-rw/pretest.dat
index ebd0c19e2..a4f5ecd79 100644
--- a/testing/tests/ikev2/nat-one-rw/pretest.dat
+++ b/testing/tests/ikev2/nat-one-rw/pretest.dat
@@ -1,5 +1,6 @@
 alice::/etc/init.d/iptables start 2> /dev/null
 sun::/etc/init.d/iptables start 2> /dev/null
+moon::conntrack -F
 moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
index c76e7ce92..d6b5d4d6f 100755
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn nat-t
 	left=PH_IP_SUN
 	leftsubnet=10.2.0.0/16
 	leftfirewall=yes
-	leftnexthop=%direct
 	right=%any
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf
index da51fa46a..55fe84bc3 100755
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn net-net
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
-	leftnexthop=%direct
 	leftfirewall=yes
 	right=PH_IP_SUN
 	rightsubnet=10.2.0.0/16
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf
index bea0eeb08..063f23b29 100755
--- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn net-net
 	leftsubnet=10.2.0.0/16
 	leftid=@sun.strongswan.org
 	leftfirewall=yes
-	leftnexthop=%direct
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
index 8b8548815..fe75ede89 100755
--- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	keyexchange=ikev2
 
 conn net-net
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
index 091871e49..77abdcdd1 100755
--- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn net-net
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
index b2e41894c..ea55d2edb 100755
--- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn net-net
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
 	leftsubnet=10.2.0.0/16
-	leftnexthop=%direct
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf
index 0209111ba..e2602f08a 100755
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf
@@ -19,7 +19,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf
index 21b48ef0c..119d14a42 100755
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf
@@ -19,7 +19,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf
index 86c9dca75..259997f5c 100755
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf
index 1613e72cf..0763d1734 100755
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf
index 98a0e9b81..b0e8336e6 100755
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf
@@ -27,7 +27,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf
index 3c685a839..ba9779cb5 100755
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf
@@ -18,7 +18,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf
index e2fabe0f5..b79c056ab 100755
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf
@@ -18,7 +18,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
index be15f6ec5..0425d7cf4 100755
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert-revoked.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf
index 21b48ef0c..119d14a42 100755
--- a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf
@@ -19,7 +19,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf
index 0209111ba..e2602f08a 100755
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf
@@ -19,7 +19,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf
index 21b48ef0c..119d14a42 100755
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf
@@ -19,7 +19,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
index f49fa9204..f8abd6b59 100755
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert-ocsp.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf
index a8a9f1e30..ce653cf08 100755
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
index cfde9714e..bce685c53 100755
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert-ifuri.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
index 1cea9f47c..1ab63e84b 100755
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert-ifuri.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf
index be96bd957..401e9b567 100755
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
index b53de16e4..d95a322bd 100755
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert-ocsp.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf
index f3b19d292..394d94160 100755
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf
@@ -19,7 +19,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf
index cdc1560ae..ef24ea191 100755
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf
@@ -18,7 +18,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf
index e759d1d79..fe657b4a6 100755
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf
@@ -20,7 +20,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
index 3c685a839..ba9779cb5 100755
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
@@ -18,7 +18,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
index e2fabe0f5..b79c056ab 100755
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
@@ -18,7 +18,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf
index eda0ddf38..51971a13c 100755
--- a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf
index 0bc03380b..0d7e8db3f 100755
--- a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf
index 7f4e37bc2..d76a6ee17 100755
--- a/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf
index 0bc03380b..0d7e8db3f 100755
--- a/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
index e5d9ad476..bcdb8641b 100755
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
index 3c0014965..ea8bc92a7 100755
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
index b8bc990cd..274521386 100755
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
index 9a5087fff..6c821010a 100755
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
index 7b6e448b3..1af9be7f7 100755
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftid=dave@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
index a6270a67e..97edc9047 100755
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
index 0e3fe6962..5990f6875 100755
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
index 368c3c6fb..bdd50899a 100755
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
index c38a2a59b..b99f43ef4 100755
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
 	right=%any
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
index b23046668..150687104 100755
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
index 66734b543..2397d6d6d 100755
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftid=dave@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
index a6270a67e..97edc9047 100755
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
index 10eeee9c1..78c33df12 100755
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
index ac99ac66c..e533b4b4e 100755
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
index 7419be98a..004993d94 100755
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
         left=PH_IP_MOON
-	leftnexthop=%direct
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
         right=%any
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
index 6a8253dc4..dc6f82923 100755
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
index 3c9e9a009..b09427d4c 100755
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftid=dave@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
index b62ab4156..a3bf042d4 100755
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf
index 4ddd99280..a7b55db24 100755
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert-sha384.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf
index 2b5407387..080073cd3 100755
--- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert-sha512.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf
index 9c0a14c9b..64d160f12 100755
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert-sha256.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
index e5d9ad476..bcdb8641b 100755
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf
index 3c0014965..ea8bc92a7 100755
--- a/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
index 86be51824..eb6feb6e2 100755
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf
index 59d41eb27..043160a0f 100755
--- a/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf
index 81e86e823..a01676be3 100755
--- a/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf
index 366e1fa9a..0523d56dd 100755
--- a/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
-- 
cgit v1.2.3