testing: Reorganizing IKEv1 and IKEv2 examples

For documentation purposes the new folders ikev1-algs, ikev2-algs,
ikev1-multi-ca and ikev2-multi-ca have been created. Most of the
test cases have now been converted to the vici interface. The
remaining legacy stroke scenarios yet to be converted have been put
into the ikev2-stroke-bye folder.

For documentation purposes some legacy stroke scenarios will be kept
in the ikev1-stroke, ikev2-stroke and ipv6-stroke folders.

testing/tests/ikev1-algs/alg-3des-md5/description.txt

@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>3des-md5-modp1024</b>. The same cipher suite is used for IKE, too.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.

testing/tests/ikev1-algs/alg-3des-md5/evaltest.dat

@@ -0,0 +1,8 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_MD5_96 prf-alg=PRF_HMAC_MD5 dh-group=MODP_1024.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_MD5_96.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_MD5_96 prf-alg=PRF_HMAC_MD5 dh-group=MODP_1024.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_MD5_96.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::enc cbc(des3_ede)::YES
+carol::ip xfrm state::enc cbc(des3_ede)::YES
+moon:: ip xfrm state::auth-trunc hmac(md5)::YES
+carol::ip xfrm state::auth-trunc hmac(md5)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES

testing/tests/ikev1-algs/alg-3des-md5/hosts/carol/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}

testing/tests/ikev1-algs/alg-3des-md5/hosts/carol/etc/swanctl/swanctl.conf

@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =3des-md5-modp1024
+         }
+      }
+      version = 1
+      proposals = 3des-md5-modp1024
+   }
+}

testing/tests/ikev1-algs/alg-3des-md5/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}

testing/tests/ikev1-algs/alg-3des-md5/hosts/moon/etc/swanctl/swanctl.conf

@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = 3des-md5-modp1024
+         }
+      }
+      version = 1
+      proposals = 3des-md5-modp1024
+   }
+}

testing/tests/ikev1-algs/alg-3des-md5/posttest.dat

@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan

testing/tests/ikev1-algs/alg-blowfish/description.txt

@@ -0,0 +1,5 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP encryption.
+<p/>
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.

testing/tests/ikev1-algs/alg-blowfish/evaltest.dat

@@ -0,0 +1,12 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=BLOWFISH_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_1536.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=BLOWFISH_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=BLOWFISH_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=BLOWFISH_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=BLOWFISH_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_1536.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=BLOWFISH_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=BLOWFISH_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=BLOWFISH_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
+dave:: ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 192::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 192::YES

testing/tests/ikev1-algs/alg-blowfish/hosts/carol/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}

testing/tests/ikev1-algs/alg-blowfish/hosts/carol/etc/swanctl/swanctl.conf

@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals = blowfish128-sha256-modp1536
+         }
+      }
+      version = 1
+      proposals = blowfish128-sha256-modp1536
+   }
+}

testing/tests/ikev1-algs/alg-blowfish/hosts/dave/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}

testing/tests/ikev1-algs/alg-blowfish/hosts/dave/etc/swanctl/swanctl.conf

@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals = blowfish192-sha384-modp2048
+         }
+      }
+      version = 1
+      proposals = blowfish256-sha512-modp2048
+   }
+}

testing/tests/ikev1-algs/alg-blowfish/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}

testing/tests/ikev1-algs/alg-blowfish/hosts/moon/etc/swanctl/swanctl.conf

@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = blowfish192-sha384-modp2048,blowfish128-sha256-modp1536
+         }
+      }
+      version = 1
+      proposals = blowfish256-sha512-modp2048,blowfish128-sha256-modp1536
+   }
+}

testing/tests/ikev1-algs/alg-blowfish/posttest.dat

@@ -0,0 +1,3 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan

testing/tests/ikev1-algs/alg-blowfish/pretest.dat

@@ -0,0 +1,8 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
+dave::expect-connection home
+dave::swanctl --initiate --child home

testing/tests/ikev1-algs/alg-modp-subgroup/description.txt

@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b> using the <b>MODP Diffie-Hellman Groups 22, 23, and 24</b>
+with <b>Prime Order Subgroups</b>.
+<p/>
+<b>carol</b> proposes the DH groups MODP_2048_224 and MODP_1024_160 whereas
+<b>dave</b> proposes MODP_2048_224 and MODP_2048_256.
+Since <b>moon</b> does not support MODP_2048_224 the roadwarriors fall back to
+MODP_1024_160 and MODP_2048_256, respectively.
+<p/>
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.

testing/tests/ikev1-algs/alg-modp-subgroup/evaltest.dat

@@ -0,0 +1,10 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1024_160.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA1_96.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1024_160.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA1_96.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES

testing/tests/ikev1-algs/alg-modp-subgroup/hosts/carol/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}

testing/tests/ikev1-algs/alg-modp-subgroup/hosts/carol/etc/swanctl/swanctl.conf

@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals = aes128-sha1
+         }
+      }
+      version = 1
+      proposals = aes128-sha1-modp2048s224,aes128-sha1-modp1024s160
+   }
+}

testing/tests/ikev1-algs/alg-modp-subgroup/hosts/dave/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}

testing/tests/ikev1-algs/alg-modp-subgroup/hosts/dave/etc/swanctl/swanctl.conf

@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals = aes128-sha256
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-modp2048s224,aes128-sha256-modp2048s256
+   }
+}

testing/tests/ikev1-algs/alg-modp-subgroup/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}

testing/tests/ikev1-algs/alg-modp-subgroup/hosts/moon/etc/swanctl/swanctl.conf

@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128-sha256-sha1
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-modp2048s256,aes128-sha1-modp1024s160
+   }
+}

testing/tests/ikev1-algs/alg-modp-subgroup/posttest.dat

@@ -0,0 +1,3 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan

testing/tests/ikev1-algs/alg-modp-subgroup/pretest.dat

@@ -0,0 +1,8 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
+dave::expect-connection home
+dave::swanctl --initiate --child home

testing/tests/ikev1-algs/alg-sha256/description.txt

@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>aes128-sha256-x25519</b>. The same cipher suite is used for IKE, too.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.

testing/tests/ikev1-algs/alg-sha256/evaltest.dat

@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
+carol::ip xfrm state::auth-trunc hmac(sha256)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES

testing/tests/ikev1-algs/alg-sha256/hosts/carol/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}

testing/tests/ikev1-algs/alg-sha256/hosts/carol/etc/swanctl/swanctl.conf

@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128-sha256-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/ikev1-algs/alg-sha256/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}

testing/tests/ikev1-algs/alg-sha256/hosts/moon/etc/swanctl/swanctl.conf

@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128-sha256-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/ikev1-algs/alg-sha256/posttest.dat

@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan

testing/tests/ikev1-algs/alg-sha384/description.txt

@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>aes192-sha384-x25519</b>. The same cipher suite is used for IKE, too.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.

testing/tests/ikev1-algs/alg-sha384/evaltest.dat

@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
+carol::ip xfrm state::auth-trunc hmac(sha384)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES

testing/tests/ikev1-algs/alg-sha384/hosts/carol/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}

testing/tests/ikev1-algs/alg-sha384/hosts/carol/etc/swanctl/swanctl.conf

@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes192-sha384-x25519
+         }
+      }
+      version = 1
+      proposals = aes192-sha384-x25519
+   }
+}

testing/tests/ikev1-algs/alg-sha384/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}

testing/tests/ikev1-algs/alg-sha384/hosts/moon/etc/swanctl/swanctl.conf

@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes192-sha384-x25519
+         }
+      }
+      version = 1
+      proposals = aes192-sha384-x25519
+   }
+}

testing/tests/ikev1-algs/alg-sha384/posttest.dat

@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan

testing/tests/ikev1-algs/alg-sha384/pretest.dat

@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home

testing/tests/ikev1-algs/alg-sha384/test.conf

@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1

testing/tests/ikev1-algs/alg-sha512/description.txt

@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>aes256-sha512-x25519</b>. The same cipher suite is used for IKE, too.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.

testing/tests/ikev1-algs/alg-sha512/evaltest.dat

@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::auth-trunc hmac(sha512)::YES
+carol::ip xfrm state::auth-trunc hmac(sha512)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES

testing/tests/ikev1-algs/alg-sha512/hosts/carol/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}

testing/tests/ikev1-algs/alg-sha512/hosts/carol/etc/swanctl/swanctl.conf

@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes256-sha512-x25519
+         }
+      }
+      version = 1
+      proposals = aes256-sha512-x25519
+   }
+}

testing/tests/ikev1-algs/alg-sha512/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}

testing/tests/ikev1-algs/alg-sha512/hosts/moon/etc/swanctl/swanctl.conf

@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes256-sha512-x25519
+         }
+      }
+      version = 1
+      proposals = aes256-sha512-x25519
+   }
+}

testing/tests/ikev1-algs/alg-sha512/posttest.dat

@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan

testing/tests/ikev1-algs/alg-sha512/pretest.dat

@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home

testing/tests/ikev1-algs/alg-sha512/test.conf

@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1

testing/tests/ikev1-algs/esp-alg-aes-ccm/description.txt

@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>aes128ccm12-x25519</b> or alternatively <b>aes128ccm96-x25519</b>.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.

testing/tests/ikev1-algs/esp-alg-aes-ccm/evaltest.dat

@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CCM_12 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CCM_12 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::aead rfc4309(ccm(aes))::YES
+carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES

testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}

testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/carol/etc/swanctl/swanctl.conf

@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes128ccm12-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}

testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/moon/etc/swanctl/swanctl.conf

@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes128ccm96-x25519
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/ikev1-algs/esp-alg-aes-ccm/posttest.dat

@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan

testing/tests/ikev1-algs/esp-alg-aes-ccm/pretest.dat

@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home

testing/tests/ikev1-algs/esp-alg-aes-ccm/test.conf

@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1

testing/tests/ikev1-algs/esp-alg-aes-ctr/description.txt

@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>aes256ctr-aesxcbc-x25519</b>.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.

testing/tests/ikev1-algs/esp-alg-aes-ctr/evaltest.dat

@@ -0,0 +1,7 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CTR encr-keysize=256 integ-alg=AES_XCBC_96.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CTR encr-keysize=256 integ-alg=AES_XCBC_96.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: ip xfrm state::rfc3686(ctr(aes))::YES
+carol::ip xfrm state::rfc3686(ctr(aes))::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES

testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}

testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/carol/etc/swanctl/swanctl.conf

@@ -0,0 +1,25 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+            esp_proposals =aes256ctr-aesxcbc-x25519
+         }
+      }
+      version = 1
+      proposals = aes256-sha512-x25519
+   }
+}

testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}

testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/moon/etc/swanctl/swanctl.conf

@@ -0,0 +1,23 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+            esp_proposals = aes256ctr-aesxcbc-x25519
+         }
+      }
+      version = 1
+      proposals = aes256-sha512-x25519
+   }
+}

testing/tests/ikev1-algs/esp-alg-aes-ctr/posttest.dat

@@ -0,0 +1,2 @@
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan

testing/tests/ikev1-algs/esp-alg-aes-ctr/pretest.dat

@@ -0,0 +1,5 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home

testing/tests/ikev1-algs/esp-alg-aes-ctr/test.conf

@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1

testing/tests/ikev1-algs/esp-alg-aes-gcm/description.txt

@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>aes128gcm16-x25519</b> or alternatively <b>aes128gcm128-x25519</b>.
+<p/>
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.