Added libipsec/rw-suite-b scenario

32 files changed, 2693 insertions, 0 deletions

diff --git a/testing/tests/libipsec/rw-suite-b/description.txt b/testing/tests/libipsec/rw-suite-b/description.txt
new file mode 100644
index 000000000..a1b09405a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+The authentication is based on Suite B with <b>128 bit</b> security based on <b>X.509 ECDSA</b>
+certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b> authenticated encryption.
+The <b>kernel-libipsec</b> plugin is used for userland IPsec AES-GCM authenticated ESP
+encryption.
+<p/>
+Upon the successful establishment of the IPsec tunnel, an updown script automatically
+inserts iptables-based firewall rules that let pass the traffic tunneled via the <b>ipsec0</b>
+tun interface. In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/libipsec/rw-suite-b/evaltest.dat b/testing/tests/libipsec/rw-suite-b/evaltest.dat
new file mode 100644
index 000000000..855f201d3
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES 
+moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-256 signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.4500 > carol.strongswan.org.4500: UDP-encap: ESP::YES
+dave:ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP dave.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.4500 > dave.strongswan.org.4500: UDP-encap: ESP::YES
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..8106e28d2
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftsourceip=%config
+	leftupdown=/etc/updown
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..a85635faf
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..d29ddb9ee
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIMDstKxdv/vNBPfM8iHvn5g5/8T5aRSnlh27HHt6iTfGoAoGCCqGSM49
+AwEHoUQDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAjBuX3bs5ZIn7B
+rRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2nw==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..3d6725162
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/iptables.flush b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/iptables.rules b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..06bcaa1e5
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
+
+  initiator_only = yes
+}
+
+libstrongswan {
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
new file mode 100755
index 000000000..15c239466
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
@@ -0,0 +1,746 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+ 	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+        then
+	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ 		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..9b6ca682a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn home 
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftsourceip=%config
+	leftupdown=/etc/updown
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..c83be145d
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBCzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzMyOFoXDTE4MDYwMjA3MzMyOFowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAAQ0aUuue3BcBvF6aEISID4c+mVBJyvSm2fPVRRkAQqh
+RktTHMYDWY6B8e/iGr4GDeF5bjr46vMB5eEtVx3chWbQo4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAd5ols9c
+CP6HPtfMXbPlSpUDKSRyB3c5Ix2Yn3z5ogMM1QSoS88FW8D7KKsb0qTY5TnlAls3
+45PmauVwEbI2cV6qAkIBphvsmhYWMnt/QMOij7DinihEL9Ib1vxOS2boUos6sHWi
+gj3wfHyfgHM3Pgt0YYoZxELDIxcLVJeoa1TmNey7IaI=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..17e94022e
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICwxFtCsSqIAzwZDyxHclTRdz/tGzAY7fP/vPoxqr8vuoAoGCCqGSM49
+AwEHoUQDQgAENGlLrntwXAbxemhCEiA+HPplQScr0ptnz1UUZAEKoUZLUxzGA1mO
+gfHv4hq+Bg3heW46+OrzAeXhLVcd3IVm0A==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..ebd3a2839
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA daveKey.pem
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..06bcaa1e5
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
+
+  initiator_only = yes
+}
+
+libstrongswan {
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
new file mode 100755
index 000000000..15c239466
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
@@ -0,0 +1,746 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+ 	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+        then
+	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ 		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..733592087
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekey=no
+	reauth=no
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftupdown=/etc/updown
+	right=%any
+	rightsourceip=10.3.0.0/24
+	auto=add
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..a3b043e82
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBBzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MTc0M1oXDTE4MDYwMjA3MTc0M1owXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAATf97+pfDnyPIA9gf6bYTZiIjNBAbCjCIqxxWou/oMq
+/9V1O20vyI/dg2g3yzTdzESUa+X81fop+i2n9ymBqI1No4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCALNndw3C
+DDWCb0f+6P6hxkqiYmUpv39XrioZrLbw+MjMD2WAchbj60KibBep1cVwIq3kWIJ6
+Jj0tYXG+f6yjmImqAkIBGOGRm+MQZxPFdYZoJZq5QXwIN0w2hJxmLIxBASW4PLdl
+RLIlvW/XTJObdb0VVYmClg0HTSvuuYOJrzwdyd8D1w0=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..5bd2778a9
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHWBnv6tDi/CTTWOQi/0XME7r8Wd5GRPaXx3wNTElpSvoAoGCCqGSM49
+AwEHoUQDQgAE3/e/qXw58jyAPYH+m2E2YiIzQQGwowiKscVqLv6DKv/VdTttL8iP
+3YNoN8s03cxElGvl/NX6Kfotp/cpgaiNTQ==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..1ef3eccb5
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moonKey.pem
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/iptables.flush b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/iptables.rules b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..cc12d1659
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A FORWARD -i eth0 -o eth1 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..efa0575e5
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  plugins {
+    openssl {
+      fips_mode = 2 
+    }
+  }
+}
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
new file mode 100755
index 000000000..15c239466
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
@@ -0,0 +1,746 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+ 	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+        then
+	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ 		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/libipsec/rw-suite-b/posttest.dat b/testing/tests/libipsec/rw-suite-b/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/libipsec/rw-suite-b/pretest.dat b/testing/tests/libipsec/rw-suite-b/pretest.dat
new file mode 100644
index 000000000..8bbea1412
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/libipsec/rw-suite-b/test.conf b/testing/tests/libipsec/rw-suite-b/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"