diff --git a/testing/tests/ikev2/net2net-route-narrow/description.txt b/testing/tests/ikev2/net2net-route-narrow/description.txt
new file mode 100755
index 0000000000..03796e6574
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route-narrow/description.txt
@@ -0,0 +1,11 @@
+A trap policy on gateway sun will trigger SAs to gateway moon
+that connec the subnets behind the two gateways. Based on the received traffic
+selector from the triggering packet, gateway moon narrows down the
+traffic selectors to one of two options.
+Subsequent pings issued by client bob behind gateway sun to
+alice and venus located behind gateway moon trigger the
+trap policy and lead to the automatic establishment of the subnet-to-subnet
+tunnels.
+
+The updown script automatically inserts iptables-based firewall rules
+that let pass the tunneled traffic.
diff --git a/testing/tests/ikev2/net2net-route-narrow/evaltest.dat b/testing/tests/ikev2/net2net-route-narrow/evaltest.dat
new file mode 100755
index 0000000000..a2b1bb5e5b
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route-narrow/evaltest.dat
@@ -0,0 +1,21 @@
+sun::swanctl --list-pols --raw 2> /dev/null::net-net.*mode=TUNNEL local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+sun::cat /var/log/daemon.log::creating acquire job for policy 10.2.0.10/32\[icmp/8] === 10.1.0.10/32\[icmp/8]::YES
+sun::cat /var/log/daemon.log::creating acquire job for policy 10.2.0.10/32\[icmp/8] === 10.1.0.20/32\[icmp/8]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/28]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.16/28]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-1.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[10.2.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.16/28] remote-ts=\[10.2.0.0/16]::YES
+bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+sun::swanctl --rekey --child net-net
+sun::sleep 2
+bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+sun::swanctl --rekey --reauth --ike gw-gw
+sun::sleep 1
+sun::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/28]::YES
+sun::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.16/28]::YES
+bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+moon::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-route-narrow/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route-narrow/hosts/moon/etc/strongswan.conf
new file mode 100755
index 0000000000..091aea5098
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route-narrow/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce openssl pem pkcs1 revocation curl kernel-netlink socket-default updown vici
+ syslog {
+ daemon {
+ cfg = 2
+ }
+ }
+}
diff --git a/testing/tests/ikev2/net2net-route-narrow/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-route-narrow/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..e2a766cf8b
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route-narrow/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-1 {
+ local_ts = 10.1.0.0/28
+ remote_ts = 10.2.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ net-2 : connections.gw-gw.children.net-1 {
+ local_ts = 10.1.0.16/28
+ esp_proposals = aes128-sha256-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/net2net-route-narrow/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route-narrow/hosts/sun/etc/strongswan.conf
new file mode 100755
index 0000000000..5b930b77da
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route-narrow/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce openssl pem pkcs1 revocation kernel-netlink socket-default updown vici
+ # delete rekeyed CHILD_SAs quickly so we can reauthenticate the IKE_SA
+ delete_rekeyed_delay = 1
+ syslog {
+ daemon {
+ cfg = 2
+ }
+ }
+}
diff --git a/testing/tests/ikev2/net2net-route-narrow/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/net2net-route-narrow/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..010bc6b130
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route-narrow/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ start_action = trap
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519,aes128-sha256-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2/net2net-route-narrow/posttest.dat b/testing/tests/ikev2/net2net-route-narrow/posttest.dat
new file mode 100755
index 0000000000..74b4f9bd7f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route-narrow/posttest.dat
@@ -0,0 +1,5 @@
+sun::swanctl --terminate --ike gw-gw 2> /dev/null
+sun::systemctl stop strongswan
+moon::systemctl stop strongswan
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-route-narrow/pretest.dat b/testing/tests/ikev2/net2net-route-narrow/pretest.dat
new file mode 100755
index 0000000000..c699b5e7c3
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route-narrow/pretest.dat
@@ -0,0 +1,9 @@
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+sun::systemctl start strongswan
+moon::systemctl start strongswan
+sun::expect-connection gw-gw
+moon::expect-connection gw-gw
+bob::ping -c 3 -W 1 -i 0.2 PH_IP_ALICE
+bob::sleep 0.5
+bob::ping -c 3 -W 1 -i 0.2 PH_IP_VENUS
diff --git a/testing/tests/ikev2/net2net-route-narrow/test.conf b/testing/tests/ikev2/net2net-route-narrow/test.conf
new file mode 100755
index 0000000000..474ca40781
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route-narrow/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1