diff --git a/testing/tests/ikev2/crl-revoked/description.txt b/testing/tests/ikev2/crl-revoked/description.txt
index dcb6e5a90b..b39c59c974 100644
--- a/testing/tests/ikev2/crl-revoked/description.txt
+++ b/testing/tests/ikev2/crl-revoked/description.txt
@@ -1,4 +1,4 @@
 By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. <b>carol</b> initiates
-the connection and presents a certificate that has been revoked by the
-current CRL.Therefore the IKE negotiation fails
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. The remote host <b>carol</b>
+initiates the connection and presents a certificate that has been revoked by the
+current CRL causing the IKE negotiation to fail. 
diff --git a/testing/tests/ikev2/crl-strict/description.txt b/testing/tests/ikev2/crl-strict/description.txt
index 8024eb3d4e..b2b70906f5 100644
--- a/testing/tests/ikev2/crl-strict/description.txt
+++ b/testing/tests/ikev2/crl-strict/description.txt
@@ -1,2 +1,2 @@
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+By setting <b>strictcrlpolicy=yes</b>, a <b>strict CRL policy</b> is enforced on
 both roadwarrior <b>carol</b> and gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
index 7d720a81a4..89597660f0 100755
--- a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
@@ -9,14 +9,15 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev2
 
 conn home
 	left=PH_IP_CAROL
 	leftnexthop=%direct
 	leftcert=selfCert.der
 	leftsendcert=never
+	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightcert=peerCert.der
-	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
index 34da3d685c..7e53917a6f 100755
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev2
 
 conn carol
 	left=PH_IP_MOON
@@ -16,8 +17,7 @@ conn carol
 	leftcert=selfCert.der
 	leftsendcert=never
 	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
 	right=%any
 	rightcert=peerCert.der
-	keyexchange=ikev2
 	auto=add
-
diff --git a/testing/tests/ikev2/default-keys/posttest.dat b/testing/tests/ikev2/default-keys/posttest.dat
index 1e74411262..52b48b9ef3 100644
--- a/testing/tests/ikev2/default-keys/posttest.dat
+++ b/testing/tests/ikev2/default-keys/posttest.dat
@@ -1,5 +1,9 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
 moon::ipsec stop
 carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
 carol::rm /etc/ipsec.d/private/*
 carol::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/default-keys/pretest.dat b/testing/tests/ikev2/default-keys/pretest.dat
index 416ffcb9fd..3e31e0e9e0 100644
--- a/testing/tests/ikev2/default-keys/pretest.dat
+++ b/testing/tests/ikev2/default-keys/pretest.dat
@@ -1,4 +1,5 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
 carol::rm /etc/ipsec.secrets
 carol::rm /etc/ipsec.d/private/*
 carol::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/host2host-cert/description.txt b/testing/tests/ikev2/host2host-cert/description.txt
index 547fba7543..6be21bf8f0 100644
--- a/testing/tests/ikev2/host2host-cert/description.txt
+++ b/testing/tests/ikev2/host2host-cert/description.txt
@@ -1,3 +1,4 @@
 A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
-The authentication is based on X.509 certificates.
+The authentication is based on X.509 certificates. <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
index e15faa133c..5ace1ba644 100755
--- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
@@ -9,13 +9,14 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev2
 
 conn host-host
 	left=PH_IP_MOON
 	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
+	leftfirewall=yes
 	right=PH_IP_SUN
 	rightid=@sun.strongswan.org
-	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
index 311aa00efb..d127fda460 100755
--- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
@@ -9,13 +9,14 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev2
 
 conn host-host
 	left=PH_IP_SUN
 	leftnexthop=%direct
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
+	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
-	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/host2host-cert/posttest.dat b/testing/tests/ikev2/host2host-cert/posttest.dat
index dff181797e..52979508db 100644
--- a/testing/tests/ikev2/host2host-cert/posttest.dat
+++ b/testing/tests/ikev2/host2host-cert/posttest.dat
@@ -1,2 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
 moon::ipsec stop
 sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/host2host-cert/pretest.dat b/testing/tests/ikev2/host2host-cert/pretest.dat
index 3cf9fe3d23..52a5196986 100644
--- a/testing/tests/ikev2/host2host-cert/pretest.dat
+++ b/testing/tests/ikev2/host2host-cert/pretest.dat
@@ -1,3 +1,5 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
index b544d3a638..7a5c3a2ca8 100755
--- a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
@@ -9,13 +9,14 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev2
 
 conn host-host
 	right=PH_IP_MOON
 	rightnexthop=%direct
 	rightcert=moonCert.pem
 	rightid=@moon.strongswan.org
+	rightfirewall=yes
 	left=PH_IP_SUN
 	leftid=@sun.strongswan.org
-	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
index db1e72ab45..9add2f1690 100755
--- a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
@@ -9,13 +9,14 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev2
 
 conn host-host
 	right=PH_IP_SUN
 	rightnexthop=%direct
 	rightcert=sunCert.pem
 	rightid=@sun.strongswan.org
+	rightfirewall=yes
 	left=PH_IP_MOON
 	leftid=@moon.strongswan.org
-	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/host2host-swapped/posttest.dat b/testing/tests/ikev2/host2host-swapped/posttest.dat
index dff181797e..52979508db 100644
--- a/testing/tests/ikev2/host2host-swapped/posttest.dat
+++ b/testing/tests/ikev2/host2host-swapped/posttest.dat
@@ -1,2 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
 moon::ipsec stop
 sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/host2host-swapped/pretest.dat b/testing/tests/ikev2/host2host-swapped/pretest.dat
index 3cf9fe3d23..52a5196986 100644
--- a/testing/tests/ikev2/host2host-swapped/pretest.dat
+++ b/testing/tests/ikev2/host2host-swapped/pretest.dat
@@ -1,3 +1,5 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/net2net-cert/description.txt b/testing/tests/ikev2/net2net-cert/description.txt
index 15c9e64989..7eea9192f7 100644
--- a/testing/tests/ikev2/net2net-cert/description.txt
+++ b/testing/tests/ikev2/net2net-cert/description.txt
@@ -1,4 +1,6 @@
 A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>X.509 certificates</b>.
+The authentication is based on <b>X.509 certificates</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
 pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf
index 8fdb45ec12..a3213b9bf6 100755
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf
@@ -9,14 +9,15 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	
+	keyexchange=ikev2
+
 conn net-net 
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
 	right=PH_IP_SUN
 	rightid=@sun.strongswan.org
 	rightsubnet=10.2.0.0/16
-	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf
index 32697a87a9..06bf64bd93 100755
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf
@@ -9,14 +9,15 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
         keyingtries=1
+	keyexchange=ikev2
 
 conn net-net 
 	left=PH_IP_SUN
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
 	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
-	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/net2net-cert/posttest.dat b/testing/tests/ikev2/net2net-cert/posttest.dat
index 684275cba6..b434a9610e 100644
--- a/testing/tests/ikev2/net2net-cert/posttest.dat
+++ b/testing/tests/ikev2/net2net-cert/posttest.dat
@@ -1,5 +1,9 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
 moon::ipsec stop
 sun::ipsec stop
-sun::rm /etc/ipsec.d/crls/*
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
 moon::rm /etc/ipsec.d/crls/*
+sun::rm /etc/ipsec.d/crls/*
 
diff --git a/testing/tests/ikev2/net2net-cert/pretest.dat b/testing/tests/ikev2/net2net-cert/pretest.dat
index 75324a1d06..0cd81d154f 100644
--- a/testing/tests/ikev2/net2net-cert/pretest.dat
+++ b/testing/tests/ikev2/net2net-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
 moon::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
 sun::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
 moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-route/description.txt b/testing/tests/ikev2/net2net-route/description.txt
index 7bd102e8b9..323f09555a 100644
--- a/testing/tests/ikev2/net2net-route/description.txt
+++ b/testing/tests/ikev2/net2net-route/description.txt
@@ -4,3 +4,6 @@ on gateway <b>moon</b> by means of the setting <b>auto=route</b> in ipsec.conf.
 A subsequent ping issued by client <b>alice</b> behind gateway <b>moon</b> to
 <b>bob</b> located behind gateway <b>sun</b> triggers the %trap eroute and
 leads to the automatic establishment of the subnet-to-subnet tunnel.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
+that let pass the tunneled traffic.
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
index f456049fcd..b805c06200 100755
--- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
@@ -17,6 +17,7 @@ conn net-net
 	leftsubnet=10.1.0.0/16
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
+	leftfirewall=yes
 	right=PH_IP_SUN
 	rightsubnet=10.2.0.0/16
 	rightid=@sun.strongswan.org
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf
index 32697a87a9..06bf64bd93 100755
--- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf
@@ -9,14 +9,15 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
         keyingtries=1
+	keyexchange=ikev2
 
 conn net-net 
 	left=PH_IP_SUN
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
 	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
-	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/net2net-route/posttest.dat b/testing/tests/ikev2/net2net-route/posttest.dat
index dff181797e..52979508db 100644
--- a/testing/tests/ikev2/net2net-route/posttest.dat
+++ b/testing/tests/ikev2/net2net-route/posttest.dat
@@ -1,2 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
 moon::ipsec stop
 sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-route/pretest.dat b/testing/tests/ikev2/net2net-route/pretest.dat
index 2665f4df60..2eef7de199 100644
--- a/testing/tests/ikev2/net2net-route/pretest.dat
+++ b/testing/tests/ikev2/net2net-route/pretest.dat
@@ -1,5 +1,5 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2 
diff --git a/testing/tests/ikev2/net2net-start/description.txt b/testing/tests/ikev2/net2net-start/description.txt
index b2b897cb40..f5320685eb 100644
--- a/testing/tests/ikev2/net2net-start/description.txt
+++ b/testing/tests/ikev2/net2net-start/description.txt
@@ -3,3 +3,6 @@ respectively, is automatically established by means of the setting
 <b>auto=start</b> in ipsec.conf. The connection is tested by client <b>alice</b>
 behind gateway <b>moon</b> pinging the client <b>bob</b> located behind
 gateway <b>sun</b>.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
+that let pass the tunneled traffic.
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
index 66c77fdfef..a96cde3519 100755
--- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
@@ -9,12 +9,12 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	keyexchange=ikev2
 
 conn net-net
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
+	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
index 32697a87a9..ec127a4876 100755
--- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
@@ -9,14 +9,16 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
         keyingtries=1
+	keyexchange=ikev2
 
 conn net-net 
 	left=PH_IP_SUN
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
 	leftsubnet=10.2.0.0/16
+	leftnexthop=%direct
+	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
-	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/net2net-start/posttest.dat b/testing/tests/ikev2/net2net-start/posttest.dat
index dff181797e..52979508db 100644
--- a/testing/tests/ikev2/net2net-start/posttest.dat
+++ b/testing/tests/ikev2/net2net-start/posttest.dat
@@ -1,2 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
 moon::ipsec stop
 sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-start/pretest.dat b/testing/tests/ikev2/net2net-start/pretest.dat
index 334465b8f0..6e41d52457 100644
--- a/testing/tests/ikev2/net2net-start/pretest.dat
+++ b/testing/tests/ikev2/net2net-start/pretest.dat
@@ -1,5 +1,5 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
 sun::ipsec start
 sun::sleep 2
 moon::ipsec start
diff --git a/testing/tests/ikev2/rw-cert/description.txt b/testing/tests/ikev2/rw-cert/description.txt
index 89fcecf758..15b3822b5c 100644
--- a/testing/tests/ikev2/rw-cert/description.txt
+++ b/testing/tests/ikev2/rw-cert/description.txt
@@ -1,4 +1,6 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
-The authentication is based on <b>X.509 certificates</b>.
-In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
-<b>alice</b> behind the gateway <b>moon</b>.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
index 4733930145..a8eee1ffd8 100755
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
@@ -15,6 +15,7 @@ conn home
 	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
+	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
index 5d78605e94..1fb8203cec 100755
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
@@ -15,6 +15,7 @@ conn home
 	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
+	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
index 9a4f1af998..655c7c44fb 100755
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn rw
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
 	right=%any
 	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/rw-cert/posttest.dat b/testing/tests/ikev2/rw-cert/posttest.dat
index 2a130b7bf2..5f72643b46 100644
--- a/testing/tests/ikev2/rw-cert/posttest.dat
+++ b/testing/tests/ikev2/rw-cert/posttest.dat
@@ -1,6 +1,12 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+dave::iptables -v -n -L
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
 moon::rm /etc/ipsec.d/crls/*
 carol::rm /etc/ipsec.d/crls/*
 dave::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ikev2/rw-cert/pretest.dat b/testing/tests/ikev2/rw-cert/pretest.dat
index b4340a759f..d917ec4f8b 100644
--- a/testing/tests/ikev2/rw-cert/pretest.dat
+++ b/testing/tests/ikev2/rw-cert/pretest.dat
@@ -1,4 +1,6 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
 moon::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
 carol::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
 dave::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl