- import of strongswan-2.7.0

- applied patch for charon

715 files changed, 20349 insertions, 0 deletions

diff --git a/testing/INSTALL b/testing/INSTALL
new file mode 100644
index 000000000..dfe21cc04
--- /dev/null
+++ b/testing/INSTALL
@@ -0,0 +1,150 @@
+
+                 -------------------------------
+	          strongSwan UML - Installation
+                 -------------------------------
+
+
+Contents
+--------
+
+   1. Making the host system UML-capable
+   2. Installing the required files
+   3. Creating the UML testing environment
+
+
+1. Making the host system UML-capable
+   ----------------------------------
+
+   UML instances can be run on both Linux 2.4 and Linux 2.6 kernels.
+   If you are using a vanilla kernel from kernel.org then you must first
+   apply the host SKAS patch available from
+
+    http://www.user-mode-linux.org/~blaisorblade/patches/
+
+   and recompile and reboot your host kernel. Some Linux distributions as e.g.
+   SuSE already include the SKAS patch in their kernels.
+
+   You will also need the UML utilities (uml_mconsole and uml_switch)
+   available from
+
+   http://prdownloads.sourceforge.net/user-mode-linux/uml_utilities_20040406.tar.bz2
+
+   Many Linux distributions offer the UML utilities as a package.
+
+
+2. Installing the required files
+   -----------------------------
+
+First create a directory where you want the strongSwan UML testing environment
+to be located.The default directory is "~/strongswan-testing". If you choose a
+different location, please adapt the UMLTESTDIR variable in "testing.conf"
+accordingly.
+
+    mkdir ~/strongswan-testing
+
+Now copy the "testing" subdirectory coming with the strongSwan distribution to
+the UML testing environment:
+
+    cp -r testing ~/strongswan-testing
+   
+Next you need to copy several files into the ~/strongswan-testing directory that
+are required for the strongSwan testing environment:
+
+    * A vanilla Linux kernel on which the UML kernel will be based on.
+      We recommend the use of
+
+      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.16.9.tar.bz2
+
+    * Starting with Linux kernel 2.6.9 no patch must be applied any more in order
+      to make the vanilla kernel UML-capable. For older kernels you'll find
+      a matching UML patch at
+
+      http://prdownloads.sourceforge.net/user-mode-linux/
+
+    * The matching .config file required to compile the UML kernel:
+
+      http://download.strongswan.org/uml/.config-2.6.16
+
+    * A gentoo-based UML file system (compressed size 130 MBytes) found at
+
+      http://download.strongswan.org/uml/gentoo-fs-20060330.tar.bz2
+
+    * The latest strongSwan distribution
+
+      http://download.strongswan.org/strongswan-2.7.0.tar.gz
+
+
+3. Creating the environment
+   ------------------------
+
+Now change into the testing subdirectory
+
+    cd ~/strongswan-testing/testing
+
+and make the UML testing environment:
+
+    ./make-testing <hosts>
+
+The "make-testing" script calls a series of subscripts which can be
+enabled or disabled individually by setting the corresponding flags
+in "testing.conf":
+
+    if [ $ENABLE_BUILD_UMLKERNEL = "yes" ]
+    then
+        scripts/build-umlkernel
+    fi
+
+builds an UML kernel out of the vanilla Linux kernel and the corresponding
+UML kernel patch.
+
+    if [ $ENABLE_BUILD_HOSTCONFIG = "yes" ]
+    then
+        scripts/build-hostconfig
+    fi
+
+generates the default configurations for the UML hosts alice, venus, moon,
+carol, winnetou, dave, sun, and bob by replacing the wildcards PH_IP_ALICE,
+etc. by the actual IP addresses defined in "testing.conf".
+
+    if [ $ENABLE_BUILD_UMLROOTFS = "yes" ]
+    then
+        scripts/build-umlrootfs
+    fi
+
+takes the gentoo-based UML file system and compiles the latest strongSwan
+distribution into it.
+
+    if [ $ENABLE_BUILD_SSHKEYS = "yes" ]
+    then
+        scripts/build-sshkeys
+    fi
+
+adds the common RSA public key of the UML instances to your ~/.ssh/known_hosts
+directory so that you can log onto the UML instances using ssh without typing
+in a password. The "scripts/build-sshkeys" script should only be run once.
+
+    if [ $ENABLE_BUILD_UMLHOSTFS = "yes" ]
+    then
+        scripts/build-umlhostfs <hosts>
+    fi
+
+creates the customized UML file systems for the instances given as command line 
+arguments by adding the default host configurations to the UML root file system.
+If the "make-starting" scripts is called without any arguments then by default
+the UML file systems are created for the hosts alice, venus, moon, carol,
+winnetou, dave, sun, and bob. Each UML root file system has as size defined by
+the ROOTFSSIZE in testing.conf which by default is 544 MBytes. Thus all 8 UML
+hosts plus the master copy will require a total of 5 GBytes of disk space.
+
+    if [ $ENABLE_START_TESTING = "yes" ]
+    then
+       ./start-testing <hosts>
+    fi
+
+starts the automated testing. More details on the tests you'll find in the
+README document.
+
+-----------------------------------------------------------------------------
+
+This file is RCSID $Id: INSTALL,v 1.39 2006/04/24 16:58:03 as Exp $
+
diff --git a/testing/README b/testing/README
new file mode 100644
index 000000000..e1930a6e3
--- /dev/null
+++ b/testing/README
@@ -0,0 +1,160 @@
+
+                 ------------------------------------
+	          strongSwan UML - Running the Tests
+                 ------------------------------------
+
+
+Contents
+--------
+
+   1. Starting up the UML testing environment
+   2. Running the automated tests
+   3. Manual testing
+
+
+1. Starting up the UML testing environment
+   ---------------------------------------
+  
+When the strongSwan UML testing environment has been put into place by
+running the "make-testing" script then you are ready to start up the
+UML instances by calling
+
+    ./start-testing <hosts>
+    
+This main script first calls the subscript
+
+    scripts/start-switches
+
+that starts the three UML switches umlswitch0, umlswitch1, and umlswitch2
+which are connecting the UML instances among each other and via tun/tap
+devices also make them accessible from the host system.
+      
+Then depending on the setting of the UMLSTARTMODE variable defined
+in "testing.conf", the UML instances given on the command line are started
+up with different terminals:
+
+If you are running the KDE graphical environment then by setting
+
+    UMLSTARTMODE=konsole
+    
+the script
+
+    scripts/kstart-umls <hosts>
+     
+is called which starts up each of the UML instances defined by <hosts> in
+a KDE konsole. If
+
+    UMLSTARTMODE=xterm
+
+is set then
+ 
+    scripts/xstart-umls <hosts>
+    
+starts up the UML instances in an xterm each. And with the choice
+
+    UMLSTARTMODE=screen
+   
+the instances are started up by
+
+    scripts/start-umls <hosts>
+    
+in the background but the Linux command "screen -r <host>" can be used to
+connect a terminal to the UML instance <host> if desired.
+
+
+    if [ $ENABLE_DO_TESTS = "yes" ]
+    then
+        do-tests
+    fi
+
+either executes all the tests defined in the "testing/tests" directory
+if the variable SELECTEDTESTSONLY in "testing.conf" is set to "no" or the
+selected tests defined by the string in SELELECTEDTESTS if SELECTEDTESTSONLY
+is set to "yes".
+
+    if [ $ENABLE_STOP_TESTING = "yes" ]
+    then
+        stop-testing <hosts>
+    fi
+
+stops the both the UML switches and the UML instances designated by the
+<hosts> argument.
+
+
+2. Running the automated tests
+   ---------------------------
+
+The script
+
+    ./do-tests <testnames>
+
+runs the automated tests. With an empty <testnames> argument the tests
+as defined in "testing.conf" are executed, otherwise the tests enumerated
+by the <testnames> argument will be run as shown in the example below.
+
+    ./do-tests net2net-psk net2net-cert
+
+Each test is divided into the following phases:
+
+    * scripts/load-testconfig <testname>
+      loads the UML hosts with test specific settings if such are provided.
+      
+    * next the "pretest.dat" script found in each test directory is executed.
+      Among other commands, strongSwan is started on the IPsec hosts.
+
+    * the "evaltest.dat" script evaluates if the test has been successful.
+      
+    * the "posttest.dat" script terminates the test e.g. by stopping
+      strongSwan on the IPsec hosts.
+
+    * scripts/restore-defaults <testname>
+      restores the default settings on the UML hosts.
+
+The test results and configuration settings for all tests settings are stored
+in a folder labeled with the current date in the directory
+  
+    ~/strongswan-testing/testresults
+     
+the same results are also automatically transferred to the Apache server
+running on UML instance "winnetou" and can be accessed via the URL
+
+    http://192.168.0.150/testresults/
+
+
+3. Manual testing
+   --------------
+   
+The greates flexibility can be achieved with manual testing. Just set
+   
+    ENABLE_DO_TESTS="no"
+    ENABLE_STOP_TESTING="no"
+       
+in "testing.conf" and start the UML instances that you want to experiment with
+by calling
+
+    ./start-testing <hosts>
+    
+If you want to preload a test scenario with configurations differing from
+the default values, e.g. when using Preshared Keys then you can do this
+with the command
+
+    scripts/load-testconfig net2net-psk
+    
+You can then log onto any UML instance using its konsole, xterm or screen
+terminal as root with the default password
+
+    tuxmux
+    
+You can then execute any commands the UML instances, including changing
+and recompiling the strongSwan source code located in the /root directory.
+
+After you have finished testing, the default configuration settings can
+restored with the command
+
+    scripts/restore-defaults net2net-psk
+
+
+-----------------------------------------------------------------------------
+
+This file is RCSID $Id: README,v 1.2 2004/12/20 16:26:39 as Exp $
+
diff --git a/testing/do-tests b/testing/do-tests
new file mode 100755
index 000000000..ceddd72d8
--- /dev/null
+++ b/testing/do-tests
@@ -0,0 +1,458 @@
+#!/bin/bash
+# Automatically execute the strongSwan test cases
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: do-tests,v 1.20 2006/02/08 21:27:59 as Exp $
+
+DIR=`dirname $0`
+
+source $DIR/scripts/function.sh
+
+[ -f $DIR/testing.conf ] || die "Configuration file 'testing.conf' not found"
+[ -d $DIR/hosts ] || die "Directory 'hosts' not found"
+[ -d $DIR/tests ] || die "Directory 'tests' not found"
+
+source $DIR/testing.conf
+
+
+##############################################################################
+# test if UMLs have been built at all
+#
+
+[ -d $BUILDDIR ] || die "Directory '$BUILDDIR' does not exist. Please run 'make-testing'first."
+
+
+##############################################################################
+# take care of new path and file variables
+#
+
+[ -d $TESTRESULTSDIR ] || mkdir $TESTRESULTSDIR
+
+TESTDATE=`date +%Y%m%d-%H%M`
+
+TODAYDIR=$TESTRESULTSDIR/$TESTDATE
+mkdir $TODAYDIR
+TESTRESULTSHTML=$TODAYDIR/index.html
+DEFAULTTESTSDIR=$UMLTESTDIR/testing/tests
+
+testnumber="0"
+failed_cnt="0"
+passed_cnt="0"
+
+
+##############################################################################
+# copy default tests to $BUILDDIR
+#
+
+TESTSDIR=$BUILDDIR/tests
+[ -d $TESTSDIR ] || mkdir $TESTSDIR
+rm -rf $TESTSDIR/*
+cp -rfp $DEFAULTTESTSDIR/* $TESTSDIR
+
+
+##############################################################################
+# assign IP for each host to hostname
+#
+
+for host in $STRONGSWANHOSTS
+do
+    eval ip_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $1 }' | awk '{ print $1 }'`"
+    case $host in
+    moon)
+        eval ip1_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $2 }' | awk '{ print $1 }'`"
+        searchandreplace PH_IP_MOON $ip_moon $TESTSDIR
+        searchandreplace PH_IP1_MOON $ip1_moon $TESTSDIR
+        ;;
+    sun)
+        eval ip1_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $2 }' | awk '{ print $1 }'`"
+        searchandreplace PH_IP_SUN $ip_sun $TESTSDIR
+        searchandreplace PH_IP1_SUN $ip1_sun $TESTSDIR
+        ;;
+    alice)
+        searchandreplace PH_IP_ALICE $ip_alice $TESTSDIR
+        ;;
+    venus)
+        searchandreplace PH_IP_VENUS $ip_venus $TESTSDIR
+        ;;
+    bob)
+        searchandreplace PH_IP_BOB $ip_bob $TESTSDIR
+        ;;
+    carol)
+        eval ip1_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $2 }' | awk '{ print $1 }'`"
+        searchandreplace PH_IP_CAROL $ip_carol $TESTSDIR
+        searchandreplace PH_IP1_CAROL $ip1_carol $TESTSDIR
+        ;;
+    dave)
+        eval ip1_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $2 }' | awk '{ print $1 }'`"
+        searchandreplace PH_IP_DAVE $ip_dave $TESTSDIR
+        searchandreplace PH_IP1_DAVE $ip1_dave $TESTSDIR
+        ;;
+    winnetou)
+        searchandreplace PH_IP_WINNETOU $ip_winnetou $TESTSDIR
+        ;;
+    esac
+done
+
+
+##############################################################################
+# create header for the results html file
+#
+
+KERNEL_VERSION=`basename $KERNEL .tar.bz2`
+IPSEC_VERSION=`basename $STRONGSWAN .tar.bz2`
+
+cat > $TESTRESULTSHTML <<@EOF
+<html>
+<head>
+  <title>strongSwan UML Testing</title>
+</head>
+<body>
+  <h2>strongSwan UML Testing</h2>
+  <table border="0" cellspacing="2">
+    <tr><td><b>Host:</b></td><td>`uname -a`</td></tr>
+    <tr><td><b>UML kernel: &nbsp;</b></td><td>$KERNEL_VERSION</td></tr>
+    <tr><td><b>IPsec:</b></td><td>$IPSEC_VERSION</td></tr>
+    <tr><td><b>Date:</b></td><td>$TESTDATE</td></tr>
+  </table>
+  <p>
+  <table border="0" width="500">
+    <thead align="left"><th>Number</th><th>Test</th><th>Result</th></thead>
+@EOF
+
+cecho "UML kernel: $KERNEL_VERSION"
+cecho "IPsec:      $IPSEC_VERSION"
+cecho "Date:       $TESTDATE"
+cecho ""
+
+
+##############################################################################
+# enter specific test directory
+#
+
+if [ $# -gt 0 ]
+then
+    TESTS=$*
+elif [ $SELECTEDTESTSONLY = "yes" ]
+then
+    # set internal field seperator
+    TESTS=$SELECTEDTESTS
+else
+    # set internal field seperator
+    TESTS="`ls $TESTSDIR`"
+fi
+
+for testname in $TESTS
+do
+    let "testnumber += 1"
+    cecho-n " $testnumber $testname.."
+    
+    if [ ! -d $TESTSDIR/${testname} ]
+    then
+	cecho "is missing..skipped"
+	continue
+    fi
+
+    [ -f $TESTSDIR/${testname}/description.txt ] || die "!! File 'description.txt' is missing"
+    [ -f $TESTSDIR/${testname}/test.conf ]       || die "!! File 'test.conf' is missing"
+    [ -f $TESTSDIR/${testname}/pretest.dat ]     || die "!! File 'pretest.dat' is missing"
+    [ -f $TESTSDIR/${testname}/posttest.dat ]    || die "!! File 'posttest.dat' is missing"
+    [ -f $TESTSDIR/${testname}/evaltest.dat ]    || die "!! File 'evaltest.dat' is missing"
+
+    TESTRESULTDIR=$TODAYDIR/$testname
+    mkdir $TESTRESULTDIR
+    CONSOLE_LOG=$TESTRESULTDIR/console.log
+    touch $CONSOLE_LOG
+
+
+    ##########################################################################
+    # copy test specific configurations to uml hosts and clear auth.log files
+    #
+
+    $DIR/scripts/load-testconfig $testname
+    source $TESTSDIR/$testname/test.conf
+
+    
+    ##########################################################################
+    # run tcpdump in the background
+    #
+
+    if [ "$TCPDUMPHOSTS" != "" ]
+    then
+        echo -e "TCPDUMP\n" >> $CONSOLE_LOG 2>&1
+
+        for host_iface in $TCPDUMPHOSTS
+        do
+	    host=`echo $host_iface | awk -F ":" '{print $1}'`
+	    iface=`echo $host_iface | awk -F ":" '{if ($2 != "") { print $2 } else { printf("eth0") }}'`
+	    tcpdump_cmd="tcpdump -i $iface not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &"
+            echo "${host}# $tcpdump_cmd" >> $CONSOLE_LOG
+            ssh root@`eval echo \\\$ip_$host '$tcpdump_cmd'`
+	    eval TDUP_${host}="true"
+        done
+    fi
+
+    ##########################################################################
+    # execute pre-test commands
+    #
+
+    cecho-n "pre.."
+    echo -e "\nPRE-TEST\n" >> $CONSOLE_LOG 2>&1
+
+    eval `awk -F "::" '{
+	if ($2 != "")
+	{
+	    printf("echo \"%s# %s\"; ", $1, $2)
+	    printf("ssh root@\044ip_%s \"%s\"; ", $1, $2)
+	    printf("echo;\n")
+	}
+    }' $TESTSDIR/${testname}/pretest.dat` >> $CONSOLE_LOG 2>&1
+
+
+    ##########################################################################
+    # stop tcpdump
+    #
+
+    function stop_tcpdump {
+        echo "${1}# killall tcpdump" >> $CONSOLE_LOG
+        eval ssh root@\$ip_${1} killall tcpdump
+        eval TDUP_${1}="false"
+	echo ""
+    }
+
+
+    ##########################################################################
+    # get and evaluate test results
+    #
+
+    cecho-n "test.."
+    echo -e "\nTEST\n" >> $CONSOLE_LOG 2>&1
+
+    STATUS="passed"
+
+    eval `awk -F "::" '{
+	host=$1
+	command=$2
+	pattern=$3
+	hit=$4
+	if (command != "")
+	{
+	    if (command == "tcpdump")
+	    {
+		printf("if [ \044TDUP_%s == \"true\" ]; then stop_tcpdump %s; fi; \n", host, host)
+		printf("echo \"%s# cat /tmp/tcpdump.log | grep \047%s\047  [%s]\"; ", host, pattern, hit)
+		printf("ssh root@\044ip_%s cat /tmp/tcpdump.log | grep \"%s\"; ", host, pattern)
+	    }
+	    else
+	    {
+		printf("echo \"%s# %s | grep \047%s\047  [%s]\"; ", host, command, pattern, hit)
+		printf("ssh root@\044ip_%s %s | grep \"%s\"; ",  host, command, pattern)
+	    }
+	    printf("cmd_exit=\044?; ")
+	    printf("echo; ")
+	    printf("if [ \044cmd_exit -eq 0 -a \"%s\" = \"NO\"  ] ", hit)
+	    printf("|| [ \044cmd_exit -ne 0 -a \"%s\" = \"YES\" ] ", hit)
+	    printf("; then STATUS=\"failed\"; fi; \n")
+
+	}
+    }' $TESTSDIR/${testname}/evaltest.dat` >> $CONSOLE_LOG 2>&1
+
+
+    ##########################################################################
+    # set counters
+    #
+
+    if [ $STATUS = "failed" ]
+    then
+        let "failed_cnt += 1"
+    else
+        let "passed_cnt += 1"
+    fi
+
+
+    ##########################################################################
+    # log statusall and listall output
+    # get copies of ipsec.conf, ipsec.secrets
+    # create index.html for the given test case
+
+    cat > $TESTRESULTDIR/index.html <<@EOF
+<html>
+<head>
+  <title>Test $testname</title>
+</head>
+<body>
+<table border="0" width="600">
+  <tr><td>
+    <h2>Test $testname</h2>
+    <h3>Description</h3>
+@EOF
+
+    cat $TESTSDIR/${testname}/description.txt >> $TESTRESULTDIR/index.html
+
+    cat >> $TESTRESULTDIR/index.html <<@EOF
+    <ul>
+      <li><a href="console.log">console.log</a></li>
+    </ul>
+    <img src="../images/$DIAGRAM" alt="$UMLHOSTS">
+@EOF
+
+
+    for host in $IPSECHOSTS
+    do
+	eval HOSTLOGIN=root@\$ip_${host}
+
+	for command in statusall listall
+	do
+	    ssh $HOSTLOGIN ipsec $command \
+		> $TESTRESULTDIR/${host}.$command 2>/dev/null
+	done
+
+	for file in ipsec.conf ipsec.secrets
+	do
+	    scp $HOSTLOGIN:/etc/$file \
+		$TESTRESULTDIR/${host}.$file  > /dev/null 2>&1
+	done
+
+	cat >> $TESTRESULTDIR/index.html <<@EOF
+    <h3>$host</h3>
+    <ul>
+      <li><a href="$host.ipsec.conf">ipsec.conf</a></li>
+      <li><a href="$host.ipsec.secrets">ipsec.secrets</a></li>
+      <li><a href="$host.statusall">ipsec statusall</a></li>
+      <li><a href="$host.listall">ipsec listall</a></li>
+      <li><a href="$host.auth.log">auth.log</a></li>
+    </ul>
+@EOF
+
+    done
+
+    cat >> $TESTRESULTDIR/index.html <<@EOF
+  </td></tr>
+  <tr><td align="right">
+    <b><a href="../index.html">Back</a></b>
+  </td></tr>
+</table>
+</body>
+</html>
+@EOF
+
+
+    ##########################################################################
+    # execute post-test commands
+    #
+
+    cecho-n "post.."
+    echo -e "\nPOST-TEST\n" >> $CONSOLE_LOG 2>&1
+
+    eval `awk -F "::" '{
+	if ($2 != "")
+	{
+	    printf("echo \"%s# %s\"; ", $1, $2)
+	    printf("ssh root@\044ip_%s \"%s\"; ", $1, $2)
+	    printf("echo;\n")
+	}
+    }' $TESTSDIR/${testname}/posttest.dat` >> $CONSOLE_LOG 2>&1
+
+
+    ##########################################################################
+    # get a copy of /var/log/auth.log
+    #
+
+    for host in $IPSECHOSTS
+    do
+	eval HOSTLOGIN=root@\$ip_${host}
+	ssh $HOSTLOGIN grep pluto /var/log/auth.log \
+	    > $TESTRESULTDIR/${host}.auth.log
+    done
+
+
+    ##########################################################################
+    # stop tcpdump if necessary
+    #
+
+    for host in $TCPDUMPHOSTS
+    do
+	if [ "`eval echo \\\$TDUP_${host}`" = "true" ]
+	then
+	    echo "${host}# killall tcpdump" >> $CONSOLE_LOG
+	    eval ssh root@\$ip_$host killall tcpdump
+	    eval TDUP_${host}="false"
+	fi
+    done
+
+
+    ##########################################################################
+    # copy default host config back if necessary
+    #
+
+    $DIR/scripts/restore-defaults $testname
+
+
+    ##########################################################################
+    # write test status to html file
+    #
+
+    cecho "$STATUS"
+    if [ $STATUS = "passed" ]
+    then
+        COLOR="green"
+    else
+        COLOR="red"
+    fi
+
+    cat >> $TESTRESULTSHTML << @EOF
+  <tr>
+    <td>$testnumber</td>
+    <td><a href="$testname/">$testname</a></td>
+    <td><a href="$testname/console.log"><font color="$COLOR">$STATUS</font></a></td>
+  </tr>
+@EOF
+
+done
+
+
+##############################################################################
+# finish the results html file
+#
+
+cat >> $TESTRESULTSHTML << @EOF
+  </table>
+  <p>
+  <b>Passed: &nbsp; $passed_cnt</b><br>
+  <b>Failed: &nbsp; $failed_cnt</b><br>
+  <p>
+</body>
+</html>
+@EOF
+
+cecho ""
+cecho "Passed:   $passed_cnt"
+cecho "Failed:   $failed_cnt"
+cecho ""
+
+
+##############################################################################
+# copy the test results to the apache server
+#
+
+HTDOCS="/var/www/localhost/htdocs"
+
+cecho-n "Copying test results to winnetou.."
+ssh root@${ip_winnetou} mkdir -p $HTDOCS/testresults > /dev/null 2>&1
+scp -r $TODAYDIR root@${ip_winnetou}:$HTDOCS/testresults > /dev/null 2>&1
+ssh root@${ip_winnetou} ln -s $HTDOCS/images $HTDOCS/testresults/$TESTDATE/images > /dev/null 2>&1
+cecho "done"
+cecho ""
+cecho "The results are available in $TODAYDIR"
+cecho "or via the link http://$ip_winnetou/testresults/$TESTDATE"
diff --git a/testing/hosts/alice/etc/conf.d/hostname b/testing/hosts/alice/etc/conf.d/hostname
new file mode 100644
index 000000000..2012e0451
--- /dev/null
+++ b/testing/hosts/alice/etc/conf.d/hostname
@@ -0,0 +1 @@
+HOSTNAME=alice
diff --git a/testing/hosts/alice/etc/conf.d/net b/testing/hosts/alice/etc/conf.d/net
new file mode 100644
index 000000000..3070a46b1
--- /dev/null
+++ b/testing/hosts/alice/etc/conf.d/net
@@ -0,0 +1,11 @@
+# /etc/conf.d/net:
+
+# This is basically the ifconfig argument without the ifconfig $iface
+#
+iface_lo="127.0.0.1 netmask 255.0.0.0"
+iface_eth0="PH_IP_ALICE broadcast 10.1.255.255 netmask 255.255.0.0"
+
+# For setting the default gateway
+#
+gateway="eth0/PH_IP1_MOON"
+
diff --git a/testing/hosts/alice/etc/init.d/iptables b/testing/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..1097ac5a4
--- /dev/null
+++ b/testing/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,74 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow IKE
+        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+			
+	# allow NAT-T 
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/hosts/alice/etc/init.d/net.eth0 b/testing/hosts/alice/etc/init.d/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/alice/etc/init.d/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/alice/etc/ipsec.conf b/testing/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..d6cdbba7b
--- /dev/null
+++ b/testing/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	nat_traversal=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+		
+conn nat-t
+	left=%defaultroute
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/hosts/alice/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/alice/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..0de3b268d
--- /dev/null
+++ b/testing/hosts/alice/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
+DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
+ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
+Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
+lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
+UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
+0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
+gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/alice/etc/ipsec.d/certs/aliceCert.pem b/testing/hosts/alice/etc/ipsec.d/certs/aliceCert.pem
new file mode 100644
index 000000000..e99ae8ec7
--- /dev/null
+++ b/testing/hosts/alice/etc/ipsec.d/certs/aliceCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
+MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer
+GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4
+FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W
+6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH
+v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc
+KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG
+A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa
+60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG
+A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0
+cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu
+Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
+L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo
+2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ
+AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5
+D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S
+CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi
+6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re
+JGhV
+-----END CERTIFICATE-----
diff --git a/testing/hosts/alice/etc/ipsec.d/private/aliceKey.pem b/testing/hosts/alice/etc/ipsec.d/private/aliceKey.pem
new file mode 100644
index 000000000..045ef0405
--- /dev/null
+++ b/testing/hosts/alice/etc/ipsec.d/private/aliceKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEArsXK+QTXz+i6MJpN3wZcE04f4K+jLSJsnyPaw2wGt6sZLWWD
+FGzzNpV8r1+ixp27RRl5Ygew4qR7Dnjr2w++QorZIYYf6m77H7E7++5oQbgWWQC7
+yIYVYtDJwu3oEl9yrDsVPyvA24PXxdcFeY/uFFq+L9MQSVtVgds7uWbxPlbqFOv+
+xh12JIHtf39trskHLqXGYFxQDHluOKIctpb+WV5+SrKFzp3Dme89nYNyG8e/8da8
+sX1uy/FsGQdTT/P8ISxG4wEjsQ8QvivHdSqa4JQCqIwlNLcisNoiV8k4tZwqVuyc
+TqEenCa32gMH2JYFj1Z5lRIC0kYXDhvsUJm9DQIDAQABAoIBAEsjnnARNPeeBu5+
+aJxKD6v9Gpdu66ir9Cc3MwZxmzG7zcdGrWRKswX0nvaHF2Rsy+aZXSZYSCQosv81
+3bEAw7u4FkHjeDVCIZUujatyhEA89N6vAgzkGK2zNgsoXW4IuzRw8mGGXhQCSvIz
+z5bD2ofFu560D3x6V/jMWJENQQqbfWuD27OI+bZp92K2DGM6MoSbdNnd886F2oWR
+4pQfrwoxmSm7JFFARoe4t6pZPy4G+5jjnrhB3kblxONaV297nvSby9Ctfke7oOkM
+A3JpzNzEmrjjb2M8GKkYmbm6P+0ARdYIToD0sFpbRCdjJAKLadwNNnk2kijxPvQh
+HNHGy8ECgYEA2uD922oiNaIvBR+rJ/zRsJg7Dth+upGePiieOZdS0S/dZUFEXuK7
+PdLZOcelQP2fIFRdODLEpkkOii292Ej3zixgzu9QYSfCdhcOoeV+RiAC7XEBBMqc
+gFI1DdL91KGSmMNZ+B8yocA31pwQQsVFDUpvgqpA8fxsZkRI9oVSiOsCgYEAzGna
+At/Kk9AQfiM7fpjBygYUt1ZErHsPJhLPVXmqx7+FuB2+RQvTMBS4sRdG6yC4Kd1y
+CNIo83Yzv2IQGyNOCcGr60OPeqzTSQ6AUn7VxMY5EJZ880nfXBud7mj+CbyFi48V
+Sh2qziF18aUYm7z4eJCTpLlFjPzHcoU1ORM0U+cCgYEAzCWp4Kp/OdMJVBgThXpz
+AekavGAE43LKS2OLIGAZqG6iaryTToTe62zrms6xPYrQjlDhmXcQn5/oZc0AEukL
+6ErQCHKBX/y7jXU3+pyYSEO3N0t9DcEEc1M5lKlEgrwohT8/fQNsMB2edxacvApO
+u3S/yPmPFaTAXio2e2gicP0CgYEAp3PjM02PDu14RUypdTjAL7YxjErwcPdSXpc0
+H8pOm9mKOlyrPLbGJ3IiJnhyETW5iBovS4iWIXNoStSTaxfN2vI72rt6sz0WzJdD
+idD7X3oezzboXwjaIANDqkV6LhGwuLXa898/yCLjErRzZ0kzptiRCnT3w9pjrK3w
+/rN7v2sCgYAEwfgrwjb7+JUaSSaf6TlbM9/ZuTRBVN0OTQz2JVhokeAePeFjHzXt
+nzJI2ETYlIu6e1VaFzHb6dp84PzWfLV7Kk8hZqJeCQN4RmQ04oNBllWoOZPbN7oa
+8pAMk/DCsBxcM/GvnDQJlDVLQRyY64zJU8EI0rF1t+zosIyGtXom/A==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/alice/etc/ipsec.secrets b/testing/hosts/alice/etc/ipsec.secrets
new file mode 100644
index 000000000..5837fc7d7
--- /dev/null
+++ b/testing/hosts/alice/etc/ipsec.secrets
@@ -0,0 +1,9 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA aliceKey.pem
+
+
+
+
+
+
diff --git a/testing/hosts/alice/etc/runlevels/default/net.eth0 b/testing/hosts/alice/etc/runlevels/default/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/alice/etc/runlevels/default/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/bob/etc/conf.d/hostname b/testing/hosts/bob/etc/conf.d/hostname
new file mode 100644
index 000000000..bbf5a2ea6
--- /dev/null
+++ b/testing/hosts/bob/etc/conf.d/hostname
@@ -0,0 +1 @@
+HOSTNAME=bob
diff --git a/testing/hosts/bob/etc/conf.d/net b/testing/hosts/bob/etc/conf.d/net
new file mode 100644
index 000000000..09133acad
--- /dev/null
+++ b/testing/hosts/bob/etc/conf.d/net
@@ -0,0 +1,10 @@
+# /etc/conf.d/net:
+
+# This is basically the ifconfig argument without the ifconfig $iface
+#
+iface_lo="127.0.0.1 netmask 255.0.0.0"
+iface_eth0="PH_IP_BOB broadcast 10.2.255.255 netmask 255.255.0.0"
+
+# For setting the default gateway
+#
+gateway="eth0/PH_IP1_SUN"
diff --git a/testing/hosts/bob/etc/init.d/iptables b/testing/hosts/bob/etc/init.d/iptables
new file mode 100755
index 000000000..7b8756b81
--- /dev/null
+++ b/testing/hosts/bob/etc/init.d/iptables
@@ -0,0 +1,74 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow IKE
+        iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+			
+	# allow NAT-T 
+	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/hosts/bob/etc/init.d/net.eth0 b/testing/hosts/bob/etc/init.d/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/bob/etc/init.d/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/bob/etc/ipsec.conf b/testing/hosts/bob/etc/ipsec.conf
new file mode 100755
index 000000000..cdef4e042
--- /dev/null
+++ b/testing/hosts/bob/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	nat_traversal=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn nat-t
+	left=%defaultroute
+	leftcert=bobCert.pem
+	leftid=bob@strongswan.org
+	leftfirewall=yes
+	right=%any
+	rightsubnetwithin=10.1.0.0/16
+	auto=add
diff --git a/testing/hosts/bob/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/bob/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..0de3b268d
--- /dev/null
+++ b/testing/hosts/bob/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
+DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
+ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
+Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
+lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
+UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
+0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
+gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem b/testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem
new file mode 100644
index 000000000..199d3eee2
--- /dev/null
+++ b/testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEHjCCAwagAwIBAgIBBjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMjUzNFoXDTA5MDkwOTExMjUzNFowWDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRswGQYDVQQDFBJib2JAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDAJaejS3/lJfQHgw0nzvotgSQS8ey/6tvbx7s5RsWY
+27x9K5xd44aPrvP2Qpyq34IXRY6uPlIqeUTQN7EKpLrWCxMOT36x5N0Co9J5UWRB
+fJC141D+8+1RwJ9/baEIecpCvb0GfDOX0GXN5ltcJk82hZjE4y1yHC1FN7V3zdRg
+xmloupPuon+X3bTmyMQ93NKkg48CQGtqtfwQ0MqPiOWu8MBhdztfOyu6aW3EgviF
+ithLc02SeNzlpqB3M8GDfX+mr3OVDhhhC2OI+VRlZzz7KxJ13DUR2KkvLZR8Ak4E
+5lRjkUnTYd/f3OQYxfjC8idUmj5ojR6Fb0x1tsV/glzXAgMBAAGjggEEMIIBADAJ
+BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUaLN5EPOkOkVU3J1Ud0sl
++27OOHswbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
+BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
+dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHQYDVR0RBBYwFIESYm9iQHN0cm9uZ3N3YW4u
+b3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcv
+c3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIyQLLxdeO8clplzRW9z
+TRR3J0zSedvi2XlIZ/XCsv0ZVfoBLLWcDp3QrxNiVZXvXXtzjPsDs+DAveZF9LGq
+0tIw1uT3JorbgNNrmWvxBvJoQTtSw4LQBuV7vF27jrposx3Hi5qtUXUDS6wVnDUI
+5iORqsrddnoDuMN+Jt7oRcvKfYSNwTV+m0ZAHdB5a/ARWO5UILOrxEA/N72NcDYN
+NdAd+bLaB38SbkSbh1xj/AGnrHxdJBF4h4mx4btc9gtBSh+dwBHOsn4TheqJ6bbw
+7FlXBowQDCJIswKNhWfnIepQlM1KEzmq5YX43uZO2b7amRaIKqy2vNE7+UNFYBpE
+Mto=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/bob/etc/ipsec.d/private/bobKey.pem b/testing/hosts/bob/etc/ipsec.d/private/bobKey.pem
new file mode 100644
index 000000000..42af98bb0
--- /dev/null
+++ b/testing/hosts/bob/etc/ipsec.d/private/bobKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAwCWno0t/5SX0B4MNJ876LYEkEvHsv+rb28e7OUbFmNu8fSuc
+XeOGj67z9kKcqt+CF0WOrj5SKnlE0DexCqS61gsTDk9+seTdAqPSeVFkQXyQteNQ
+/vPtUcCff22hCHnKQr29Bnwzl9BlzeZbXCZPNoWYxOMtchwtRTe1d83UYMZpaLqT
+7qJ/l9205sjEPdzSpIOPAkBrarX8ENDKj4jlrvDAYXc7XzsrumltxIL4hYrYS3NN
+knjc5aagdzPBg31/pq9zlQ4YYQtjiPlUZWc8+ysSddw1EdipLy2UfAJOBOZUY5FJ
+02Hf39zkGMX4wvInVJo+aI0ehW9MdbbFf4Jc1wIDAQABAoIBAGbSP5jUiAYZfzKd
+4GZTDfFXz/QLXcN9bFV51ihaRNb9jyn0MmLTpGgzGP3Iu4l8vWKyqB154AI2jqpV
+gvnNGOX9Wx8nTwbnD5WgELs24M1iWRXcJLWp1m8PAsrv4WJlueRpIEPeJsWwkSnT
+gUQYg/8LEqsZXnJXvanym7sWe/Wkh8i/UyMQJv7zwS+TZ5qeKRfSVo8/9622Ppsh
+n+zKFKnTUhiICUHFed4qZWyVR6NVyuzIYjeQy+VmBa5AOzmF549Izg6llwNrvJ8g
+DiIKSdtblMrN5OlmTra8LGn2QmlETipRb+4qx+MasbVI8pM1VMMQtBGAJYjhpC51
+rX/RLLECgYEA/Qk9PlUfw2aTA7I6a93pcjhUFTnKFVe9RdrwY7mds5t7dOAPcRBj
+5wnIv+OhVszoEo/uOPrgWmBu3ifkmcpPTe4NREFEVA99NOadiJDI/7oAj/Is4c5t
+CEb/zHTqKtYMVDrjwhszuPD3m2KNIJ38y4gkkrWT071xQBciztWhvYUCgYEAwmXV
+DFoNagTrNhf7Ep5sUek0O3nXPXY/cYKnKhlloUP41ftLbNvZ02qBQ6zqxPHtjGlB
+5sPeRQMFbVbmyb+97oa3Mrui1TPiTa5IBPyD36Gg0nFx+xLeXTsy8O8leoFcq02D
+1SDSye+fEdj2uYr+f33CIknQHUR4/xkOikgSQasCgYEAzTjOHBzsGw25VLkbmtqr
+eIDo6SIqnS7BCsPsTeWAWuhSs9L5kyjI7dxIniEffIfJ/SwQ+NO4XHRz1ugiBv1H
+Xpwg1Gfe5BJ/6QTVZaqP6qBPzm+LKUTDt3/l/Uwhk8Zwz2vHx2lKhMei+rpuXbLl
+EaoEh5yPHZ87F9Dr4Tbw7AUCgYAjtFpmE2AlWdPtsofdypUwkjmStvUuh7ptWcbk
+N5fv/7EDdE1NKDAg4Y3uZSMVmy27PVXqUY1QdZaYl356DaqP1dRuEAJ/UDE/fUQj
+DlIWT/Re0pFRwQxwaUAY+oOStZHUsL8G9SliB43a1FO0jm/h8LIoZBBCX+ItUGfY
+RBZ+UwKBgCToB2oPwDfrfCkScNozV7GPfcmHTR5bvvpYgRMGyuE1hAwLIWW9V4u9
+1Bp1vCR/C4kiUSBpYsGXLRqJ1GURueQoEbREE4ZvkmNV+t40uX3Fd8/OchAGi934
+0jYmd3dvN4MtF7O02YwpBzuH/wAwdxK0iDbdv+KEZb7TLdL37IN1
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/bob/etc/ipsec.secrets b/testing/hosts/bob/etc/ipsec.secrets
new file mode 100644
index 000000000..b3a0af048
--- /dev/null
+++ b/testing/hosts/bob/etc/ipsec.secrets
@@ -0,0 +1,8 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA bobKey.pem
+
+
+
+
+
diff --git a/testing/hosts/bob/etc/runlevels/default/net.eth0 b/testing/hosts/bob/etc/runlevels/default/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/bob/etc/runlevels/default/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/carol/etc/conf.d/hostname b/testing/hosts/carol/etc/conf.d/hostname
new file mode 100644
index 000000000..d5101b924
--- /dev/null
+++ b/testing/hosts/carol/etc/conf.d/hostname
@@ -0,0 +1 @@
+HOSTNAME=carol
diff --git a/testing/hosts/carol/etc/conf.d/net b/testing/hosts/carol/etc/conf.d/net
new file mode 100644
index 000000000..39470ad14
--- /dev/null
+++ b/testing/hosts/carol/etc/conf.d/net
@@ -0,0 +1,10 @@
+# /etc/conf.d/net:
+
+# This is basically the ifconfig argument without the ifconfig $iface
+#
+iface_lo="127.0.0.1 netmask 255.0.0.0"
+iface_eth0="PH_IP_CAROL broadcast 192.168.0.255 netmask 255.255.255.0"
+
+# For setting the default gateway
+#
+gateway="eth0/192.168.0.254"
diff --git a/testing/hosts/carol/etc/init.d/iptables b/testing/hosts/carol/etc/init.d/iptables
new file mode 100755
index 000000000..cd7ba23ff
--- /dev/null
+++ b/testing/hosts/carol/etc/init.d/iptables
@@ -0,0 +1,73 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/hosts/carol/etc/init.d/net.eth0 b/testing/hosts/carol/etc/init.d/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/carol/etc/init.d/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/carol/etc/ipsec.conf b/testing/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3228f4e16
--- /dev/null
+++ b/testing/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..0de3b268d
--- /dev/null
+++ b/testing/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
+DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
+ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
+Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
+lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
+UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
+0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
+gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..8492fbd45
--- /dev/null
+++ b/testing/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX
+T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl
+vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii
+S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW
+LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM
+YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD
+j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI
+U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM
+2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE
+HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd
+hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG
+C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK
+omBYfxqp
+-----END CERTIFICATE-----
diff --git a/testing/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..0522355ce
--- /dev/null
+++ b/testing/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAuBuEkgQI4IbI0njTrS6f/AG4noxCO2ErkIAQ+BdP+W9nKehL
+GF+5bmB4MILFB6zp1k95vrAlLgXl8feomgsz5nifXetmUITLIwGRwWW8rRo0Vj4B
+GzSbtqtRfwHs9+L03pYdNiA7hel4EcsmtlDP0BTRXdLStx79ZW5WOKJL9wmGuBKL
+uuXztCjWNg4D0/ToFlAuPR0U1xZasakqn+Fe8EXU5I/1vXmOyAyUIJYsmpeYtUoO
+0qAM8sllHX2YguGBwe9rHEPtytov0ZHhCZYtvSbzigAgjBrD7SelkkxgMwx5h461
+x6kJYKZHL5eaypxa7iu00K7TlbVGxeNhkQoGNwIDAQABAoIBAQCnhwq8H4XAYYWN
+17quJPYZR6uqQfDmvYX5yD8osXXpgNC8Fo92z2wZnxje86+8S0DA7bLXrMs4NM/H
+vVcjTTxd5LcHrHN+o0eBRCVQeXYVgfnL3EH/coCa2Qugaa0q589wV+Ke5Pek5AyJ
+DHXegmyHaNoW6Qcq8L0dtigpAq3jTLG5w/3QCo8DMDKOGNR3AJrFpDlS/gW3JXuL
+Tn+PUojoWO9W6joDGYDTi4eeYyfZSajzwZvzecEpez3vwKN0pupvHA6BJCR8Mzkq
+5EYIH0hvWLtBy8uiWRXTfu/ggoQI9/Z5hBWIQk71m23uMIBbkm+oDn/1fLSBcWfK
+cr9RyM+RAoGBANpWewy7xCbkRV/90bgBNkTZ9HeFsFsWOgFVyB1XwM2E/nOqdRJc
+rxFt5Qt63DaXB+2REn231EIrsIz/Xd+R9KDl+yZOCY/m/mL4oquTPurEGJPzZdgW
+X3kUOFW1pbfcMcmzSp1FPufI17JPiePtUb/q3C4RAjCKlnskHftEyK1pAoGBANfd
+eEN8UzoV/R3WsGNDNOecMdIVAX9aiGnkLLraP7CRZ1heCH5y+RV1RB98yppkJG31
+fw5F8a6GoomkMHWGqhzDzQacZQV8w7C6rDY0Bk5TF5vemvJTGlrydwodfMvcJj8Y
+KZrS7A0iS3GAAmM6VGr3THyscszfJTq0NwE3v4KfAoGAY7L1wVzENxYpb6nRZ/p1
+s37rGODdJNrDZfSrympVygMexeZiSx4zevv5iQJzKCJTJnIGRY35yLV2iwvY68wU
+LpyV0Gn2B9Xs93idn0c/hahBqN2N9dxRgFJxXwHxSEGuInJScfo6vVCC3hNf3cpy
+d/Zg0FBH9a5zBIv7fM9t63ECgYAosrSt5I68cNDcA1IWJOGgmS47cYJqxGLbtA1K
+3UMMwx08592qGXsktIs3dIuuOBs2MAbYZg9+3Btg3/fS8KS576CEEpBpTHCIrWky
+fvSBZ+EXngyQi2J4qyYOXijdNpBvbNrLOeEPSNv4di39D05DLITbLJgoUBnwy3Fj
+ZWNR+QKBgEKn19f5QWs/O1DPWBXfvCSc01cuSUx20a6Z3B6Lxj+7MuXBjVxPkGge
+kEaZnNzwgm+QQ1C51nIn9gY4LZx7OxMy0idEss76aRq4Lb7I6XakBrCQLQ9IiTkv
+gNOeJYGsQv7tkIWWRlBIXjSBGwT6HzTEfN5cvdHSDzARGFGjwYfK
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/carol/etc/ipsec.secrets b/testing/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..797f18a01
--- /dev/null
+++ b/testing/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem
+
+
+
+
diff --git a/testing/hosts/carol/etc/runlevels/default/net.eth0 b/testing/hosts/carol/etc/runlevels/default/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/carol/etc/runlevels/default/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/dave/etc/conf.d/hostname b/testing/hosts/dave/etc/conf.d/hostname
new file mode 100644
index 000000000..c3fabf331
--- /dev/null
+++ b/testing/hosts/dave/etc/conf.d/hostname
@@ -0,0 +1 @@
+HOSTNAME=dave
diff --git a/testing/hosts/dave/etc/conf.d/net b/testing/hosts/dave/etc/conf.d/net
new file mode 100644
index 000000000..db3753fb0
--- /dev/null
+++ b/testing/hosts/dave/etc/conf.d/net
@@ -0,0 +1,10 @@
+# /etc/conf.d/net:
+
+# This is basically the ifconfig argument without the ifconfig $iface
+#
+iface_lo="127.0.0.1 netmask 255.0.0.0"
+iface_eth0="PH_IP_DAVE broadcast 192.168.0.255 netmask 255.255.255.0"
+
+# For setting the default gateway
+#
+gateway="eth0/192.168.0.254"
diff --git a/testing/hosts/dave/etc/init.d/iptables b/testing/hosts/dave/etc/init.d/iptables
new file mode 100755
index 000000000..cd7ba23ff
--- /dev/null
+++ b/testing/hosts/dave/etc/init.d/iptables
@@ -0,0 +1,73 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/hosts/dave/etc/init.d/net.eth0 b/testing/hosts/dave/etc/init.d/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/dave/etc/init.d/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/dave/etc/ipsec.conf b/testing/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..76623491c
--- /dev/null
+++ b/testing/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..0de3b268d
--- /dev/null
+++ b/testing/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
+DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
+ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
+Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
+lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
+UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
+0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
+gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..abd1554e5
--- /dev/null
+++ b/testing/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMjY1MVoXDTA5MDkwOTExMjY1MVowWzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291
+bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDGbCmUY6inir71/6RWebegcLUTmDSxRqpRONDx
+2IRUEuES5EKc7qsjRz45XoqjiywCQRjYW33fUEEY6r7fnHk70CyUnWeZyr7v4D/2
+LjBN3smDE6/ZZrzxPx+xphlUigYOF/vt4gUiW1dOZ5rcnxG9+eNrSL6gWNNg1iuE
+RflSTbmHV6TVmGU2PGddKGZ6XfqWfdA+6iOi2+oyqw6aH4u4hfXhJyMROEOhLdAF
+UvzU9UizEXSqsmEOSodS9vypVJRYTbZcx70e9Q7g2MghHvtQY6mVgBzAwakDBCt/
+98lAlKDeXXOQqPcqAZSc2VjG8gEmkr1dum8wsJw8C2liKGRFAgMBAAGjggEFMIIB
+ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU3pC10RxsZDx0UNNq
++Ihsoxk4+3IwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQAnotcnOE0tJDLy
+8Vh1+naT2zrxx9UxfMIeFljwhDqRiHXSLDAbCOnAWoqj8C9riuZwW7UImIIQ9JT9
+Gdktt4bbIcG25rGMC3uqP71CfaAz/SwIZZ2vm8Jt2ZzzSMHsE5qbjDIRAZnq6giR
+P2s6PVsMPSpvH34sRbE0UoWJSdtBZJP5bb+T4hc9gfmbyTewwMnjh09KkGJqVxKV
+UC/1z1U9zb3X1Gc9y+zI67/D46wM6KdRINaqPdK26aYRFM+/DLoTfFk07dsyz7lt
+0C+/ityQOvpfjVlZ/OepT92eWno4FuNRJuUP5/gYiHvSsjZbazqG02qGhJ6VgtGT
+5qILUTmI
+-----END CERTIFICATE-----
diff --git a/testing/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..1cbaa183f
--- /dev/null
+++ b/testing/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAxmwplGOop4q+9f+kVnm3oHC1E5g0sUaqUTjQ8diEVBLhEuRC
+nO6rI0c+OV6Ko4ssAkEY2Ft931BBGOq+35x5O9AslJ1nmcq+7+A/9i4wTd7JgxOv
+2Wa88T8fsaYZVIoGDhf77eIFIltXTmea3J8Rvfnja0i+oFjTYNYrhEX5Uk25h1ek
+1ZhlNjxnXShmel36ln3QPuojotvqMqsOmh+LuIX14ScjEThDoS3QBVL81PVIsxF0
+qrJhDkqHUvb8qVSUWE22XMe9HvUO4NjIIR77UGOplYAcwMGpAwQrf/fJQJSg3l1z
+kKj3KgGUnNlYxvIBJpK9XbpvMLCcPAtpYihkRQIDAQABAoIBAQCQP7nKotjNVFSX
+Sg4Sv9H61XUOlaxY5GKVQZTE/P7WkBMIROEYbXoE35og4tYvJtILoX+KapkLa7Cn
+iKDSt1J7ZU/DitryNy6v/HsDYXjEY55jqEBC8CmTyKwl3fa0OtNEE7OWsKXC4FyM
+J02x7gJb9fqa1/udXnXtBEYGl0g1x/vDmuhLgKyq6eliTm/orAyjGK2KfRxu06eS
+YUZObr25wC7yDLHCBsWHGNVC7ZyxQoxcPOu9WNwlWYu92ZJMdf3+rIgZSeXxCn3U
+3CWAC9tL1HnKC/twbyWEc2Gy0lZaQSgTJzaRtKOlqBTc5Szb4l1ibmyeAA7NanXK
+wnUYfiZRAoGBAOWW0+4lzZhWOxK/cYwM5+eoI66MhPECFVK2sL8iC34BKGFRCrSd
+YS/nugWiAu30knIBrw8z9BN0gYEfiE/EZyP5TbjtabKDN28xQa1+bw9Sr+5g5TcR
+HFvZRkJWSYGoIuVO22eXUh+1hwx3KZP/UX6pwkrc2dxQLxNk0mo/BexPAoGBAN0/
+geik9GNIjbKwSPLvIIwcmO4TZja2RJy9NCTJOrJZFpCII6HvOiO0eYx3+So+KblG
+n4AUxrhi4jq1/mAA+VUt4B9ywKH8xzGwhno78dJ1lvydpuzXSTHOEgsWh9Kme05P
+syt/t1C0ZkWqOKsBGk1f7dU9IOWuOkpVUbbMX10rAoGBALp0S5lUyiu1nDQVljmP
+IadZPeE77ZttfbO2+sO++mZSumCOWItmZM9q+gApGwf1YBmGlI1cPBSwwZwD58gg
+UUM97IkLBpQbTKHY9uXXkIp5NLf7qSuXkdhmFFE7kmbiDbT83eK7Wc62tf7Bp9qx
+t5WOeGQkCCqMVC8D6n6uwDixAoGABV4jErfdzgLWnT01p98xVPTkqPIDitRFOeBF
+QZc4O1d5+quy4ZziNjeMs2G9w86aSIp0GDFo2NRdVLtRnpande+U/m5UShnN42C7
+AoAtz8NWlG5mvFxExFaRjX9QcEXlu/KnECkbE3Qs/wewNEXkk3f+VywSfkAJ3f/P
+6bVvot0CgYBA1B9SXYhclR3KNZJPRuTn9OQ/TqLmcCMN62dIhPW4WZo2ixZH3YdS
+PE/bYmYfZUPt7MnOSNSnuLKineIf1Dipz0gjuSyFGAs5DE+N+8GWYo00n+0e3TLL
+pcBj4nOdIVPTZ31IFeVbi06dCYmzLPAGDeLe1M1Z7fakNky1Wv+Sdg==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/dave/etc/ipsec.secrets b/testing/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..3fa796491
--- /dev/null
+++ b/testing/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA daveKey.pem
+
+
+
+
diff --git a/testing/hosts/dave/etc/runlevels/default/net.eth0 b/testing/hosts/dave/etc/runlevels/default/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/dave/etc/runlevels/default/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/default/etc/hosts b/testing/hosts/default/etc/hosts
new file mode 100644
index 000000000..b8bc8da66
--- /dev/null
+++ b/testing/hosts/default/etc/hosts
@@ -0,0 +1,34 @@
+# /etc/hosts:  This file describes a number of hostname-to-address
+#              mappings for the TCP/IP subsystem.  It is mostly
+#              used at boot time, when no name servers are running.
+#              On small systems, this file can be used instead of a
+#              "named" name server.  Just add the names, addresses
+#              and any aliases to this file...
+#
+
+127.0.0.1	localhost
+
+192.168.0.254	uml0.strongswan.org	uml0
+10.1.0.254	uml1.strongswan.org	uml1
+10.2.0.254	uml1.strongswan.org	uml2
+
+PH_IP_ALICE	alice.strongswan.org	alice
+PH_IP_VENUS	venus.strongswan.org	venus
+PH_IP1_MOON	moon1.strongswan.org	moon1
+PH_IP_MOON	moon.strongswan.org	moon
+PH_IP_CAROL	carol.strongswan.org	carol
+PH_IP1_CAROL	carol1.strongswan.org	carol1
+PH_IP_WINNETOU	winnetou.strongswan.org	winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
+PH_IP_DAVE	dave.strongswan.org	dave
+PH_IP1_DAVE	dave1.strongswan.org	dave1
+PH_IP_SUN	sun.strongswan.org	sun
+PH_IP1_SUN	sun1.strongswan.org	sun1
+PH_IP_BOB	bob.strongswan.org	bob
+
+# IPV6 versions of localhost and co
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
diff --git a/testing/hosts/moon/etc/conf.d/hostname b/testing/hosts/moon/etc/conf.d/hostname
new file mode 100644
index 000000000..78e695337
--- /dev/null
+++ b/testing/hosts/moon/etc/conf.d/hostname
@@ -0,0 +1 @@
+HOSTNAME=moon
diff --git a/testing/hosts/moon/etc/conf.d/net b/testing/hosts/moon/etc/conf.d/net
new file mode 100644
index 000000000..7dec60ba5
--- /dev/null
+++ b/testing/hosts/moon/etc/conf.d/net
@@ -0,0 +1,11 @@
+# /etc/conf.d/net:
+
+# This is basically the ifconfig argument without the ifconfig $iface
+#
+iface_lo="127.0.0.1 netmask 255.0.0.0"
+iface_eth0="PH_IP_MOON broadcast 192.168.0.255 netmask 255.255.255.0"
+iface_eth1="PH_IP1_MOON broadcast 10.1.255.255 netmask 255.255.0.0"
+
+# For setting the default gateway
+#
+gateway="eth0/192.168.0.254"
diff --git a/testing/hosts/moon/etc/init.d/iptables b/testing/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..7f46267c2
--- /dev/null
+++ b/testing/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,76 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/hosts/moon/etc/init.d/net.eth0 b/testing/hosts/moon/etc/init.d/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/moon/etc/init.d/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/moon/etc/init.d/net.eth1 b/testing/hosts/moon/etc/init.d/net.eth1
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/moon/etc/init.d/net.eth1
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/moon/etc/ipsec.conf b/testing/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a0e97e057
--- /dev/null
+++ b/testing/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=192.168.0.1
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+
+conn net-net
+	leftsubnet=10.1.0.0/16
+	right=192.168.0.2
+	rightsubnet=10.2.0.0/16
+	rightid=@sun.strongswan.org
+	auto=add
+        
+conn host-host
+	right=192.168.0.2
+	rightid=@sun.strongswan.org
+	auto=add
+
+conn rw
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..0de3b268d
--- /dev/null
+++ b/testing/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
+DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
+ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
+Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
+lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
+UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
+0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
+gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..d8fbfa1c9
--- /dev/null
+++ b/testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEDTCCAvWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMTcyNVoXDTA5MDkwOTExMTcyNVowRjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21vb24u
+c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv
+ri4QmsCnG0N7bxqeUZTQhcmZ/iyN4RsmHwFsiOc06xpnZ7Fbx9gzi/OswU6KGL+F
+f9PfvOY36bDTZU8V2QaL30RQUXz3JlG+jUyP9zjqlhsvVYS/cImvqgo3uUkQ0YCD
+v2SafTlaQfBOaPFElNEP/H2YSiyB6X80IcHsOMYpskVqPY8785FehjF+pxuyRCK+
+9HXmd+iWdnC09u4qgKRa3L0IamU3q1/BK/afkHK2IAIN4YgM7GzepHVD0f7Exf9U
+esJEeh4hDZwSjcMzdybrY9XBxzGqLGPOF128jr+5weUZiBW+RzeBw/gsK1nSPeuX
+Od2lPJjTGj+6V3YK6qibAgMBAAGjggEFMIIBATAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIDqDAdBgNVHQ4EFgQU5eQQh2wqxL6thUlCpt52WDA6n8EwbQYDVR0jBGYwZIAU
+XafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQK
+ExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GC
+AQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA5BgNVHR8EMjAwMC6g
+LKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0G
+CSqGSIb3DQEBBAUAA4IBAQAvLykhZnqldrsMcbYB36WzWKk+hOihr5dU3fv8Z4ec
+tsa3gzxXSefDCxGoezVJ4QXdpdNxxFn31A+r1gxKyGI5JL6EyWz6Y462zp9lE7nW
+EIC4ldJwxAXqzDEMcJphO29hApyU9TWsWDa4kL5AKtLFLwH3/Uv/jAzAy+qXIO8h
+wLtB+wcmhSo8OFY9kX/cyhht7eb7yD/r2e3wVBOCRk7jePe4yWhN8NJAKwfrEd1K
+iGq15ymdmeomhplHRsLZwA2VsCspUNZ/eXjG21s3nEoxcCOcQUz3Q7q4ZgBTZoCW
+kAc6FQ5zxoZrmzNWFqzb06jmUVlt7baGtdjT7rEt+dcp
+-----END CERTIFICATE-----
diff --git a/testing/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..89197a447
--- /dev/null
+++ b/testing/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAr64uEJrApxtDe28anlGU0IXJmf4sjeEbJh8BbIjnNOsaZ2ex
+W8fYM4vzrMFOihi/hX/T37zmN+mw02VPFdkGi99EUFF89yZRvo1Mj/c46pYbL1WE
+v3CJr6oKN7lJENGAg79kmn05WkHwTmjxRJTRD/x9mEosgel/NCHB7DjGKbJFaj2P
+O/ORXoYxfqcbskQivvR15nfolnZwtPbuKoCkWty9CGplN6tfwSv2n5BytiACDeGI
+DOxs3qR1Q9H+xMX/VHrCRHoeIQ2cEo3DM3cm62PVwccxqixjzhddvI6/ucHlGYgV
+vkc3gcP4LCtZ0j3rlzndpTyY0xo/uld2CuqomwIDAQABAoIBAECAVQ1npCA2lFo3
+erByB49f75sIhVc6NPuUGrO8uBbn0vPwUGAASdLzKW5eMvXlDDx5qFLXSjdxJ6kV
+4ymEWzDzsmNC5/zeJtkti9S30j/fCPAiF/Ep4oOKjOHUt4zjPqoglVFbdLk8yHwh
+b6Pcd73E2GAXq6uvDTMYydhvJ+KaozAfbXmQ9vf3HbneI6xmgAug209Cu+gpMspW
+4IunMMY/668neRmM7jh+4JNLMqJhCrmQpLkIlRux2yNFzxkF8RrqptGzaLf4KxNF
+rRRUThHUfWmB/EvggzJgUMuVA2Pa0bKNvBbbQuwPqXMxLHMGBjvJ8wimsLzJZeXL
+fgsyPKECgYEA5x//2cmlKL3LbprRpfSzVOPqM3OSeEqseQtPun9Gs7WNVZZVc/ZJ
+O2hjdc9qDGjak3lDSwVbYl8B1kqfGTTLB1sl2171aDJQOWdNV3WQtexUKEhC4Ewn
+yXEDoVGAXJtiCj34QYHjoMEHUqfabKyWKUcaK8hbMsOhYPOorfLXg9MCgYEAwpaP
+W68NJGu5Zxsdz62rOiPNb58cuoxLDZsJ1sMKJO7BdPIqTZ0oGNdgt5phyc3ROBSH
+cjqZdzpim1gXGm4ocGvwg3APNQN6DLBknJNZmHzPd7RLSz2UxhTHRTfHAltQPcmW
+cJVBHsrsS0QnvDndXfzLuLq12S6UZasR5eBdcxkCgYEAizBuOI6DdGG4nceG8lbH
+mRwY8xtq3h66d7skLMBxp9ByaVS76bYsrCZVn6Fl0EtlNuMUb52uRzPIO3F9FwUA
+MFHoHpC1YibKwYdAwKcAm07T7950x/eVDm+NLB2VHDBHfruLQogiubEF4/VKSaA2
+Xm1/iVaD9bJzAZw7vWY9/BkCgYB/Xe9uErGmgkB0BaLIuiNWxfKFOn+id4v01uNk
+yHtOW10TgCNCdDi3sdpjs1CIuAhXDdDuav7itLuwdMOCkFI16+EdF29Mwv7TaW4h
+sq01i5R9BO03zZIg6Z7ZZr4Dg+OM3fNzs65RSn/KcE0V/kYwa/So8MVw5/VIauYn
+MmnYmQKBgDEFWQPyPH242olRqtE0yDp8qVHEjJp7mU822YFbyCyAUnttqOS+/5/u
+Z7H95QZHGaQESL1tcNnaiRASJAKDWjKOdM/TTotWjCn65v+DHvgk/IJeYJVHoGBS
+pBE+wJ8AZJu3t9GVp3PxFxHIjxUrEKG0rli7bYv8F245+Wx8DeXI
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/moon/etc/ipsec.secrets b/testing/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..c90b4c4a3
--- /dev/null
+++ b/testing/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+
+
+
diff --git a/testing/hosts/moon/etc/runlevels/default/net.eth0 b/testing/hosts/moon/etc/runlevels/default/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/moon/etc/runlevels/default/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/moon/etc/runlevels/default/net.eth1 b/testing/hosts/moon/etc/runlevels/default/net.eth1
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/moon/etc/runlevels/default/net.eth1
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/ssh_host_rsa_key.pub b/testing/hosts/ssh_host_rsa_key.pub
new file mode 100644
index 000000000..a5f71de4e
--- /dev/null
+++ b/testing/hosts/ssh_host_rsa_key.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAsxKfTm05po6leGD8C+M0eAR5EE4s1pQXc0D/dVlqrmfZ65h5BFQY9lnwpCvapV6OVqKWx8ICmeIH3OhaPxPPNKlU81f3d0xgh8BRJpWh459DYkRVa5f7ax5eeFE1lelj9s1d0seUl/IZolpJ8Wmt9TN1hwJ0mrkwN4670rb3urc=
diff --git a/testing/hosts/sun/etc/conf.d/hostname b/testing/hosts/sun/etc/conf.d/hostname
new file mode 100644
index 000000000..bc042b68b
--- /dev/null
+++ b/testing/hosts/sun/etc/conf.d/hostname
@@ -0,0 +1 @@
+HOSTNAME=sun
diff --git a/testing/hosts/sun/etc/conf.d/net b/testing/hosts/sun/etc/conf.d/net
new file mode 100644
index 000000000..0f8dc57b1
--- /dev/null
+++ b/testing/hosts/sun/etc/conf.d/net
@@ -0,0 +1,13 @@
+# /etc/conf.d/net:
+
+# This is basically the ifconfig argument without the ifconfig $iface
+#
+iface_lo="127.0.0.1 netmask 255.0.0.0"
+iface_eth0="PH_IP_SUN broadcast 192.168.0.255 netmask 255.255.255.0"
+iface_eth1="PH_IP1_SUN broadcast 10.2.255.255 netmask 255.255.0.0"
+
+# For setting the default gateway
+#
+gateway="eth0/192.168.0.254"
+
+
diff --git a/testing/hosts/sun/etc/init.d/iptables b/testing/hosts/sun/etc/init.d/iptables
new file mode 100755
index 000000000..aeaf472fb
--- /dev/null
+++ b/testing/hosts/sun/etc/init.d/iptables
@@ -0,0 +1,80 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+        # allow NAT-T 
+	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/hosts/sun/etc/init.d/net.eth0 b/testing/hosts/sun/etc/init.d/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/sun/etc/init.d/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/sun/etc/init.d/net.eth1 b/testing/hosts/sun/etc/init.d/net.eth1
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/sun/etc/init.d/net.eth1
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/sun/etc/ipsec.conf b/testing/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..4d0299a08
--- /dev/null
+++ b/testing/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,37 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	nat_traversal=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+
+conn net-net
+	leftsubnet=10.2.0.0/16
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+conn host-host
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	auto=add
+
+conn nat-t
+	leftsubnet=10.2.0.0/16
+	right=%any
+	rightsubnetwithin=10.1.0.0/16
+	auto=add
diff --git a/testing/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..0de3b268d
--- /dev/null
+++ b/testing/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
+DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
+ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
+Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
+lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
+UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
+0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
+gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/hosts/sun/etc/ipsec.d/certs/sunCert.pem
new file mode 100644
index 000000000..e7825e3db
--- /dev/null
+++ b/testing/hosts/sun/etc/ipsec.d/certs/sunCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIECzCCAvOgAwIBAgIBAjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMTU1M1oXDTA5MDkwOTExMTU1M1owRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z
+dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOQ8
+foB9h5BZ92gA5JkQTJNuoF6FAzoq91Gh7To27/g74p01+SUnsSaBfPmNfGp4avdS
+Ewy2dWMA/7uj0Dbe8MEKssNztp0JQubp2s7n8mrrQLGsqB6YAS09l75XDjS3yqTC
+AtH1kD4zAl/j/AyeQBuLR4CyJEmC/rqD3/a+pr42CaljuFBgBRpCTUpU4mlslZSe
+zv9wu61PwTFxb8VDlBHUd/lwkXThKgU3uEhWRxLahpSldEGmiTTmx30k/XbOMF2n
+HObEHt5EY9uWRGGbj81ZRWiNk0dNtbpneUHv/NvdWLc591M8cEGEQdWW2XTVbL2G
+N67q8hdzGgIvb7QJPMcCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgOoMB0GA1UdDgQWBBQ9xLkyCBbyQmRet0vvV1Fg6z5q2DBtBgNVHSMEZjBkgBRd
+p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
+EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
+ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwOQYDVR0fBDIwMDAuoCyg
+KoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuLmNybDANBgkq
+hkiG9w0BAQQFAAOCAQEAGQQroiAa0SwwhJprGd7OM+rfBJAGbsa3DPzFCfHX1R7i
+ZyDs9aph1DK+IgUa377Ev1U7oB0EldpmOoJJugCjtNLfpW3t1RXBERL/QfpO2+VP
+Wt3SfZ0Oq48jiqB1MVLMZRPCICZEQjT4sJ3HYs5ZuucuvoxeMx3rQ4HxUtHtMD3S
+5JNMwFFiOXAjyIyrTlb7YuRJTT5hE+Rms8GUQ5Xnt7zKZ7yfoSLFzy0/cLFPdQvE
+JA7w8crODCZpDgEKVHVyUWuyt1O46N3ydUfDcnKJoQ9HWHm3xCbDex5MHTnvm1lk
+Stx71CGM7TE6VPy028UlrSw0JqEwCVwstei2cMzwgA==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/hosts/sun/etc/ipsec.d/private/sunKey.pem
new file mode 100644
index 000000000..de63615a6
--- /dev/null
+++ b/testing/hosts/sun/etc/ipsec.d/private/sunKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA5Dx+gH2HkFn3aADkmRBMk26gXoUDOir3UaHtOjbv+DvinTX5
+JSexJoF8+Y18anhq91ITDLZ1YwD/u6PQNt7wwQqyw3O2nQlC5unazufyautAsayo
+HpgBLT2XvlcONLfKpMIC0fWQPjMCX+P8DJ5AG4tHgLIkSYL+uoPf9r6mvjYJqWO4
+UGAFGkJNSlTiaWyVlJ7O/3C7rU/BMXFvxUOUEdR3+XCRdOEqBTe4SFZHEtqGlKV0
+QaaJNObHfST9ds4wXacc5sQe3kRj25ZEYZuPzVlFaI2TR021umd5Qe/8291Ytzn3
+UzxwQYRB1ZbZdNVsvYY3ruryF3MaAi9vtAk8xwIDAQABAoIBACOnh6OO+KSGSW4H
+5a47q5rEh2z8nnpxx90KzMJxXp+Ky2X/zoINZ1E6nUlm3u7LDPrB6ZPs1P24ZDrt
+5lMMFNQzVaXO59I0Zi0ojzQPbAFj6uFWtZTB7j0hCBmGBAQcSh3e6Q3frL7qvQ45
+0WAvQJiM84iZS63oNt7wRwaG1gmUn/k6j34y4qUkD5FfzGhFkekzDS54bRGwjhTA
+7XBUPAcsdNoIPcihokgLXwcdA8l6LBGsk48HN7O+CYOdh4xb6oQ4msgPED3pDIMo
+QRptqcPQ6y1qJaiM/D8SvdX2ZTFm/bh2jlGvcm5sWG8VdSDRqq9r0YCi4KlQzA1g
+OAyrMeECgYEA9dAVEegvRrFm4V6hC9CAwyS6fiOqx/l0xd354Xv4V6vR6n6rKwDF
+kv96A4sMH+mdNf6MwzFFCNW9zZV7noEIvAyPAc7jM7t/Hmt5M41DiDe0RJpWKEdQ
+lEj2qd8FqcY4YVDEH/TdchwIvoWHlD2sykW7eoseCY5mYEoQN4Ciwj8CgYEA7bHv
+qdaz2SoG9lyj8Mz7XthjYZLeaxKu7cpqP5bqzuRSkVFvib0WKoJfwsewzO5hCHnf
+8yMD3Wp4Ap2FYoN2XfV/jQyHvlpMlkxv+bU39/HLosdhzKbOJsru9kbBCaARHAVi
+av3O3JfV2/G+cwR6nPCNjcTsIcqtEpUO7kOfU3kCgYAKYNmy4tm0I2NTmpo0FH6L
+Pq69CqZ4QPkELaYSNhi7It7/BpAVhbfRyAWPxrwhUMy5beDlkNv4ToXv+yK4A3yp
+6+HR0rlXAtCQKTt5yLoUMz3iM531n2UwjZAUhf0IOP1CZpWRP9ZlrfdUi/C4eo4k
+ECOlPeBryN5brGTY4w58IwKBgQC0ukRF2I+qoP/mNg4Yu2KtfM4jlG4072G+P9eF
+PhSO9p+pCkhKbFD8RWDWUsslJmL09OXIkmkP4zIYmvieLOLFEjLHZi2YGER/SuMg
+9B74EQsKW5sK5hF9AXOsIaQI04Hu0lFAlHbC11euAiMShOdNiMG4d3ArSVVK+bb+
+hsAP0QKBgHcJuTJ6dv77evW3MFZPRjFH25pike40PWmSLgCt5PV25DRL2UG0pOut
+uybN9biQK5v377/3GD7eOL+acxHODjWmmfeEFW0YlJ1oUb/P8NlqsSnHvUoIqa24
+JmTXS/XzjgxQFFfzo0c1/1JLdG6r5CLTWxHq1EhIOJsowTlrCzX/
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/sun/etc/ipsec.secrets b/testing/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..1095b74cc
--- /dev/null
+++ b/testing/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,8 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA sunKey.pem
+
+
+
+
+
diff --git a/testing/hosts/sun/etc/runlevels/default/net.eth0 b/testing/hosts/sun/etc/runlevels/default/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/sun/etc/runlevels/default/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/sun/etc/runlevels/default/net.eth1 b/testing/hosts/sun/etc/runlevels/default/net.eth1
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/sun/etc/runlevels/default/net.eth1
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/venus/etc/conf.d/hostname b/testing/hosts/venus/etc/conf.d/hostname
new file mode 100644
index 000000000..c9e3dd1d4
--- /dev/null
+++ b/testing/hosts/venus/etc/conf.d/hostname
@@ -0,0 +1 @@
+HOSTNAME=venus
diff --git a/testing/hosts/venus/etc/conf.d/net b/testing/hosts/venus/etc/conf.d/net
new file mode 100644
index 000000000..2c55c2c20
--- /dev/null
+++ b/testing/hosts/venus/etc/conf.d/net
@@ -0,0 +1,11 @@
+# /etc/conf.d/net:
+
+# This is basically the ifconfig argument without the ifconfig $iface
+#
+iface_lo="127.0.0.1 netmask 255.0.0.0"
+iface_eth0="PH_IP_VENUS broadcast 10.1.255.255 netmask 255.255.0.0"
+
+# For setting the default gateway
+#
+gateway="eth0/PH_IP1_MOON"
+
diff --git a/testing/hosts/venus/etc/init.d/iptables b/testing/hosts/venus/etc/init.d/iptables
new file mode 100755
index 000000000..1097ac5a4
--- /dev/null
+++ b/testing/hosts/venus/etc/init.d/iptables
@@ -0,0 +1,74 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow IKE
+        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+			
+	# allow NAT-T 
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/hosts/venus/etc/init.d/net.eth0 b/testing/hosts/venus/etc/init.d/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/venus/etc/init.d/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/venus/etc/ipsec.conf b/testing/hosts/venus/etc/ipsec.conf
new file mode 100755
index 000000000..35f264f82
--- /dev/null
+++ b/testing/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	nat_traversal=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn nat-t
+	left=%defaultroute
+	leftcert=venusCert.pem
+	leftid=@venus.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/hosts/venus/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/venus/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..0de3b268d
--- /dev/null
+++ b/testing/hosts/venus/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
+DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
+ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
+Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
+lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
+UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
+0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
+gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/venus/etc/ipsec.d/certs/venusCert.pem b/testing/hosts/venus/etc/ipsec.d/certs/venusCert.pem
new file mode 100644
index 000000000..25a6941b0
--- /dev/null
+++ b/testing/hosts/venus/etc/ipsec.d/certs/venusCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEDzCCAvegAwIBAgIBBDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMTgyNloXDTA5MDkwOTExMTgyNlowRzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHTAbBgNVBAMTFHZlbnVz
+LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+mlQ2s9J7bw73onkw0ZwwcM2JDJuU3KmmuzETlmLdtg7m8yFCdhoDg6cxrsIvPAWy
+Gs++1e+1qzy7LTnNHckaHHFwJQf0JoIGE1bbUrJidX8B1T3sDdvZFbyfmQTWSEyJ
+thrdqdPS92VJW/9XQOPeEhudIHr+NtWQfCm3OQFKDXGCEkHOjpVNHn3BPUiL99ON
+FiLZX3gZy6vTERpEE8ga66fHtpM3RJfIxYoUQUdRw8iIa8iOvRGtJa/MfOWX6L/H
+wquRv3SuCl4iMSph7e/VE+z5xx3OyKSAki914DgRFnQITKjyGxw1lORlDQlZy2w/
+nu0BAbXS1pb/2AiF8jDpbQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8E
+BAMCA6gwHQYDVR0OBBYEFEqPlXBYJh1knX0Q61HMcn9LOZ6sMG0GA1UdIwRmMGSA
+FF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UE
+ChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENB
+ggEAMB8GA1UdEQQYMBaCFHZlbnVzLnN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAw
+LqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmww
+DQYJKoZIhvcNAQEEBQADggEBAEx3kXh2Z5CMH+tX6cJPyi6gSeOgXy7NBiNsEdXN
+rwGp4DwN6uiSog4EYZJA203oqE3eaoYdBXKiOGvjW4vyigvpDr8H+MeW2HsNuMKX
+PFpY4NucV0fJlzFhtkp31zTLHNESCgTqNIwGj+CbN0rxhHGE6502krnu+C12nJ7B
+fdMzml1RmVp4JlZC5yfiTy0F2s/aH+8xQ2x509UoD+boNM9GR+IlWS2dDypISGid
+hbM4rpiMLBj2riWD8HiuljkKQ6LemBXeZQXuIPlusl7cH/synNkHk8iiALM8xfGh
+wTEmdo5Tp5sDI3cj3LVvhcsTxjiOA81her1F0itlxpEA/gA=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/venus/etc/ipsec.d/private/venusKey.pem b/testing/hosts/venus/etc/ipsec.d/private/venusKey.pem
new file mode 100644
index 000000000..6c4aff0ad
--- /dev/null
+++ b/testing/hosts/venus/etc/ipsec.d/private/venusKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAmlQ2s9J7bw73onkw0ZwwcM2JDJuU3KmmuzETlmLdtg7m8yFC
+dhoDg6cxrsIvPAWyGs++1e+1qzy7LTnNHckaHHFwJQf0JoIGE1bbUrJidX8B1T3s
+DdvZFbyfmQTWSEyJthrdqdPS92VJW/9XQOPeEhudIHr+NtWQfCm3OQFKDXGCEkHO
+jpVNHn3BPUiL99ONFiLZX3gZy6vTERpEE8ga66fHtpM3RJfIxYoUQUdRw8iIa8iO
+vRGtJa/MfOWX6L/HwquRv3SuCl4iMSph7e/VE+z5xx3OyKSAki914DgRFnQITKjy
+Gxw1lORlDQlZy2w/nu0BAbXS1pb/2AiF8jDpbQIDAQABAoIBAFyVMMvn9YzGmeCq
+e5MD9Dt30kPyAffu/stFwc5yOTfC8OHijhBzwq/0WWXRsKx9bj+PaZjGWWIE6PVU
+u6ymvDdcBj7w6pM/ZY2siZ6uzUpXiy32G+qkfTMBGW2e7T4qTGMm8tuy69jmtn+u
+SxXunYaXckfOATu8GxWhoP1dvKMbCrlQxxmduP04au8HhpLTQgDZ28PrvyqUR6AW
+D+PDGACLbCFzmaMLgv6yv2+GNQpBEDr/VUjOOBvzZhUm9ku81dSdYNhHx8vbT/DG
+GkERG9tE2PA51sWB5cUh13ZItWmbW/NoWiykxJb7J7VkjXAn57jw4suSbNEQnA/E
+bg/5WwECgYEAyqEWS7cUCLheHuyWHOxkL7ACoko4wS8QO3Q4ohPlqZb7pca7FIqU
+WzXEUcyYZPkKTAKx/Vd0Xv6raGImi1QluuwLULACvZ7Ei5uLsMxUCJKyLX7wunTb
+64aH8jONNMAXX4K9eVj7EghBGjdnVc4HRAzm/QyH8F6hmXGT7Ulw3JECgYEAwvpU
+AkrUGb5UgVG/tNtlOlCqVGyvWOITDEsxLPCTlC6Ls6EIYKvc/21oRNL7n/ssfvS/
+DbyVTatiCXaF/MDbx0msbxJbq3sGTY16/XMb1PeTRdQm4xsUEQB1Fi3MnhLmPzV1
+jdKSKvKoxTfZKUg9eP/aVs4abRyHsIXc7BRznR0CgYBB86qBHGa969xerlyxr1Nw
+nhZNYmEUp8/duhdQ0a8XwtfHfmaX6f8drONoSHJ1swVh9iKetd9fp/58bC3lfY8G
+RxvruE48D7gjRI50Dh1v6OdrnXyXA8As6c3HzHWybK9u2+v12jtmBB/Ee7H7oKKG
+yLhKNtDsMLDic7BVNGkysQKBgHjzr0+oucCqiGOcoc8A1uABEFjE/1WlEOnsbzoQ
+l4wx/6nT+I13r+WoKimftEZ/GxA6pZZQ6VHAQlXad63eubf75QMWIVXUQIm1fZli
+Yd6QIoUL4X+62YzeesPib2+UC88kS6NKADCyTa3iQk3QqYm5Nenpew06yJXhxLWS
+zlGlAoGACEbPUlQB+ouInOFyVcFf1kHsMBcmg54MVi2J6x95149rq5FlY5kbmZcs
+6wlSBkAzzKb7WbPNgbGLMAYP+EXKODe+f1nzP+oojmJlCdTLfrudREFA2ZGGOKDX
+0o2EhnGL7VB4Upuw5ddMs7s1v6pqUKQXrZQUb24AX8w/1n+0PEM=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/venus/etc/ipsec.secrets b/testing/hosts/venus/etc/ipsec.secrets
new file mode 100644
index 000000000..11f3aa4ca
--- /dev/null
+++ b/testing/hosts/venus/etc/ipsec.secrets
@@ -0,0 +1,8 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA venusKey.pem
+
+
+
+
+
diff --git a/testing/hosts/venus/etc/runlevels/default/net.eth0 b/testing/hosts/venus/etc/runlevels/default/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/venus/etc/runlevels/default/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt b/testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt
new file mode 100644
index 000000000..0de3b268d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
+DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
+ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
+Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
+lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
+UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
+0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
+gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt b/testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt
new file mode 100644
index 000000000..956c217d9
--- /dev/null
+++ b/testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEFTCCAv2gAwIBAgIBDjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDYwODE5MTcxNFoXDTEwMDYwNzE5MTcxNFowSjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAMTF3dpbm5l
+dG91LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwBkz95BmByWVZaEW8cDbeuGr4C1caGAj4QPmuwaIriK+7XqXuh16Ahe3S5vZ
+F56WhUSvMDOIyULckKH84oSa3Jx/SCz0g7X42x8vZuq92tpsjcP/u7BlyqpBUtLa
+r14qm5wYw/1nQqMcSG3k9MQOQ+e9KgaGqpidxWM/8T4M/41AaFRBK2gQGBUULo26
+sjoq3af7Z2jYmWkP/kzj1CHLy9Mgt+UvhKeA+ag5cZnyOG596cqVjlKyqG7vdggk
+wW2n+/KDpHNOndYfT7GMFeGXUNzJPkCImWlttic7ssi0mjP3q3MuOP3FNHIRMd2H
+AcNcqT0bgdJHqnNzGv8C0Ei9XQIDAQABo4IBCTCCAQUwCQYDVR0TBAIwADALBgNV
+HQ8EBAMCA6gwHQYDVR0OBBYEFEMS0mbhrA4zDvmfKf4MntUNxkH4MG0GA1UdIwRm
+MGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290
+IENBggEAMCIGA1UdEQQbMBmCF3dpbm5ldG91LnN0cm9uZ3N3YW4ub3JnMDkGA1Ud
+HwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dh
+bi5jcmwwDQYJKoZIhvcNAQEEBQADggEBACO4+j1Mwt/lbkopeSJst46uFh7OtegG
+6IWNE30i3l3FIn9slSwAOMtmZR0hAF8sExvk61EPlzCR/d9trSJ5+gyjPkeF/enw
+p61rxPMT13Grzomi9gYlk6Q/0zLmE9uYWEY69Q0bEIUcfdZfwB+F7kesa946JNMc
+yHfVEhKtvzmns9ueG0S/8E+6MPDeJv+JHQ++SdWSvOVg6JNxXDGusnim2fjM2Aln
+JmqA6iU4IaPl9DUCuXlLOVv/YhwhviNEbF94upyHq8xjOZdzPbKroHXg/2yvalAw
+4aXc/ZsnFxqsq3i6a2Fj1Y4J7gYsNO/HwA0xvKz3loOTqHaJqO/qeow=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/apache2/conf/ssl/server.key b/testing/hosts/winnetou/etc/apache2/conf/ssl/server.key
new file mode 100644
index 000000000..727027188
--- /dev/null
+++ b/testing/hosts/winnetou/etc/apache2/conf/ssl/server.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAwBkz95BmByWVZaEW8cDbeuGr4C1caGAj4QPmuwaIriK+7XqX
+uh16Ahe3S5vZF56WhUSvMDOIyULckKH84oSa3Jx/SCz0g7X42x8vZuq92tpsjcP/
+u7BlyqpBUtLar14qm5wYw/1nQqMcSG3k9MQOQ+e9KgaGqpidxWM/8T4M/41AaFRB
+K2gQGBUULo26sjoq3af7Z2jYmWkP/kzj1CHLy9Mgt+UvhKeA+ag5cZnyOG596cqV
+jlKyqG7vdggkwW2n+/KDpHNOndYfT7GMFeGXUNzJPkCImWlttic7ssi0mjP3q3Mu
+OP3FNHIRMd2HAcNcqT0bgdJHqnNzGv8C0Ei9XQIDAQABAoIBACYiWrCgl8B/c4Lz
+Uay4Tlm8hvQ/zQJjY3v93EXwbB21hBV8qrYlt9zGfHqj+5q2vsbB9c0pzdO2VDba
+EWueS2fUIWhglEG5VCebrztNCldx2O7jo9bMk8iBt+oLNaJunSK7ACeYHHGcE7dF
+KZh1eyd7z4+SMBWZqmhO5ZisasQoHCusVGepcyyMGQNkc3XKJ6resGAsOqrOoq7Q
+C4vO5Kkbnk8nnEGmQ/ldD8LwIyq1hzVLDiiqWXZgh6S5l4BEo7Dy3KYrZoZfVcZK
+GMVhAI2+uA1ZqY9twpwryT6VZ3eK4DXF/COQntiBW5pLOpaqTOnKqiVmZFwfbo3u
+cq8n5jkCgYEA5zgzRLifbM0q34c2HX8pTegh+BH7MGCxtcoU2uRPaXiGkqQObHI9
+aItrgUQp+pAmKSBnEWJKgKsOh2Uf5ogjIeNuruGG/AXw/Pw2ORHNueenhDuhu69T
+E2I4yxT3PPYbdzJ4ylBElfgm9WTrv7Wi7wSSfgQ6rEFdWukXa5vvsqMCgYEA1K+q
+m1Jv9MGVIVc6MxhuOOj2Ym+qcWt/Pjvg78rR8SRsKwHlGTuv1rdWUSXYDr3f2Nf7
+6DdbJtaSx5f8gY/UG34yGZx5FFbYV03vcCYBaLXsi/b6H7vb/VW74Y5g6bXqnprv
+4mcdVU7xfyNFgdbLPAP9sYVLijPYDwm0Qq3cz/8CgYBKSJz4BBR8AQI4JBl3qoXb
+mKtpJmW76iTN0amXlWgJ64XYkMptftpJvxj/w6V08WDBL77NL/XdlpcpWozAJJac
+6ZOCrcQPLd15eZH2Dck5Y7pG2l2gjbgz7wdt/0NbG3pBdj6mSNlwEPR7PDwdMD6z
+aZWi1LsA4lMaxO4YTVXZ3wKBgQCoFhTNH/+e/YawjNFQJFSn4WUnMn0Pmhc7xfLl
+T/NPkqtx6dN3d7ZmCQrMow33yJOqOje5tFXzgc0KtNE4S8Uj3T4XA5SlQGVFyjAa
+/85JRM2naA8RGVSpCCKuBeoNilnb8zL2SOvjyboN8oAyNuDzk2vh6ihjFsoASHkP
+4XwLXQKBgQC0k6rzt/plIwEiP56XXOqwOxJj6kuE/hx1zGIiGT6lWiOsih20Ym2T
+kYegVFvuDIWmSIAxGONWyee1lfnJbEuaHRixWQTnHUpqrU0FSnZTubnR3q/faZat
+hrvLDdpa0ydAKoMEn3qUPSrh3CdBfi3KTQAQn2Mlk7bGHh9ICWi3vA==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/conf.d/apache2 b/testing/hosts/winnetou/etc/conf.d/apache2
new file mode 100644
index 000000000..cfb80a7d9
--- /dev/null
+++ b/testing/hosts/winnetou/etc/conf.d/apache2
@@ -0,0 +1,52 @@
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/strongswan/testing/hosts/winnetou/etc/conf.d/apache2,v 1.2 2006/01/06 12:21:21 as Exp $
+
+# Config file for /etc/init.d/apache2
+
+# An example from /etc/apache2/conf/modules.d/40_mod_ssl.conf:
+#
+# <IfDefine SSL>
+#  <IfModule !mod_ssl.c>
+#    LoadModule ssl_module    extramodules/mod_ssl.so
+#  </IfModule>
+# </IfDefine>
+#
+# This means that the mod_ssl.so DSO module is only loaded
+# into the server when you pass "-D SSL" at startup.  To
+# enable WebDAV, add "-D DAV -D DAV_FS".  If you installed
+# mod_php then add "-D PHP4".  For more options, please
+# read the files in the /etc/apache2/conf/modules.d directory.
+
+APACHE2_OPTS="-D SSL -D DEFAULT_VHOST"
+
+# Extended options for advanced uses of Apache ONLY
+# You don't need to edit these unless you are doing crazy Apache stuff
+# As not having them set correctly, or feeding in an incorrect configuration
+# via them will result in Apache failing to start
+# YOU HAVE BEEN WARNED.
+
+# ServerRoot setting
+#SERVERROOT=/etc/apache2
+
+# Configuration file location
+# - If this does NOT start with a '/', then it is treated relative to
+# $SERVERROOT by Apache
+#CONFIGFILE=conf/apache2.conf
+
+# Location to log startup errors to
+# They are normally dumped to your terminal.
+#STARTUPERRORLOG="/var/log/apache2/startuperror.log"
+
+# PID file location
+# Note that this MUST match the setting in your configuration file!
+PIDFILE=/var/run/apache2.pid
+
+# Restart style
+# see http://httpd.apache.org/docs-2.0/stopping.html for more details
+# the default is 'graceful', the other possible value is 'restart'
+# If you use 'graceful', completion of the command does NOT imply that the system
+# has finished restarting. Restart is finished only when all child processes
+# have finished serving their current request sets. Read the URL for details.
+#RESTARTSTYLE="restart"
+RESTARTSTYLE="graceful"
diff --git a/testing/hosts/winnetou/etc/conf.d/hostname b/testing/hosts/winnetou/etc/conf.d/hostname
new file mode 100644
index 000000000..1bfa5acbd
--- /dev/null
+++ b/testing/hosts/winnetou/etc/conf.d/hostname
@@ -0,0 +1 @@
+HOSTNAME=winnetou
diff --git a/testing/hosts/winnetou/etc/conf.d/net b/testing/hosts/winnetou/etc/conf.d/net
new file mode 100644
index 000000000..1a32153f3
--- /dev/null
+++ b/testing/hosts/winnetou/etc/conf.d/net
@@ -0,0 +1,10 @@
+# /etc/conf.d/net:
+
+# This is basically the ifconfig argument without the ifconfig $iface
+#
+iface_lo="127.0.0.1 netmask 255.0.0.0"
+iface_eth0="PH_IP_WINNETOU broadcast 192.168.0.255 netmask 255.255.255.0"
+
+# For setting the default gateway
+#
+gateway="eth0/192.168.0.254"
diff --git a/testing/hosts/winnetou/etc/conf.d/slapd b/testing/hosts/winnetou/etc/conf.d/slapd
new file mode 100644
index 000000000..8d9ac4787
--- /dev/null
+++ b/testing/hosts/winnetou/etc/conf.d/slapd
@@ -0,0 +1,8 @@
+# conf.d file for the openldap-2.1 series
+#
+# To enable both the standard unciphered server and the ssl encrypted
+# one uncomment this line or set any other server starting options
+# you may desire.
+#
+# OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
+OPTS="-4"
diff --git a/testing/hosts/winnetou/etc/hostname b/testing/hosts/winnetou/etc/hostname
new file mode 100644
index 000000000..6338c7c73
--- /dev/null
+++ b/testing/hosts/winnetou/etc/hostname
@@ -0,0 +1 @@
+winnetou
diff --git a/testing/hosts/winnetou/etc/init.d/apache2 b/testing/hosts/winnetou/etc/init.d/apache2
new file mode 100755
index 000000000..f54f3444a
--- /dev/null
+++ b/testing/hosts/winnetou/etc/init.d/apache2
@@ -0,0 +1,78 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="${opts} reload"
+
+[ "x${SERVERROOT}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -d ${SERVERROOT}"
+[ "x${CONFIGFILE}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -f ${CONFIGFILE}"
+[ "x${STARTUPERRORLOG}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -E ${STARTUPERRORLOG}"
+# set a default for PIDFILE/RESTARTSTYLE for those that FAILED to follow
+# instructiosn and update the conf.d/apache2 file.
+# (bug #38787)
+[ -z "${PIDFILE}" ] && PIDFILE=/var/run/apache2.pid
+[ -z "${RESTARTSTYLE}" ] && RESTARTSTYLE="graceful"
+
+checkconfig() {
+	local myconf="/etc/apache2/conf/apache2.conf"
+	if [ "x${CONFIGFILE}" != "x" ]; then
+		if [ ${CONFIGFILE:0:1} = "/" ]; then
+			myconf="${CONFIGFILE}"
+		else
+			myconf="${SERVERROOT:-/usr/lib/apache2}/${CONFIGFILE}"
+		fi
+	fi
+	if [ ! -r "${myconf}" ]; then
+		eerror "Unable to read configuration file: ${myconf}"
+		return 1
+	fi
+    if [ -z "${PIDFILE}" ]; then
+        eerror "\$PIDFILE is not set!"
+        eerror "Did you etc-update /etc/conf.d/apache2?"
+        return 1
+    fi
+    if [ -z "${RESTARTSTYLE}" ]; then
+        eerror "\$RESTARTSTYLE is not set!"
+        eerror "Did you etc-update /etc/conf.d/apache2?"
+        return 1
+    fi
+	/usr/sbin/apache2 -t ${APACHE2_OPTS} 1>/dev/null 2>&1
+	ret=$?
+	if [ $ret -ne 0 ]; then
+		eerror "Apache2 has detected a syntax error in your configuration files:"
+		/usr/sbin/apache2 -t ${APACHE2_OPTS}
+	fi
+	return $ret
+}
+
+depend() {
+	need net
+	use mysql dns logger netmount postgres
+	after sshd
+}
+
+start() {
+	checkconfig || return 1
+	ebegin "Starting apache2"
+	[ -f /var/log/apache2/ssl_scache ] && rm /var/log/apache2/ssl_scache
+	[ -f /usr/lib/apache2/build/envvars ] && . /usr/lib/apache2/build/envvars
+	env -i PATH=$PATH /sbin/start-stop-daemon --quiet \
+		--start --startas /usr/sbin/apache2 \
+		--pidfile ${PIDFILE} -- -k start ${APACHE2_OPTS}
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping apache2"
+	/usr/sbin/apache2ctl stop >/dev/null
+	start-stop-daemon -o --quiet --stop --pidfile ${PIDFILE}
+	eend $?
+}
+
+reload() {
+	# restarting apache2 is much easier than apache1. The server handles most of the work for us. 
+	# see http://httpd.apache.org/docs-2.0/stopping.html for more details
+	ebegin "Restarting apache2"
+	/usr/sbin/apache2 ${APACHE2_OPTS} -k ${RESTARTSTYLE}
+	eend $?
+}
diff --git a/testing/hosts/winnetou/etc/init.d/net.eth0 b/testing/hosts/winnetou/etc/init.d/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/winnetou/etc/init.d/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/winnetou/etc/init.d/slapd b/testing/hosts/winnetou/etc/init.d/slapd
new file mode 100755
index 000000000..d4c070b33
--- /dev/null
+++ b/testing/hosts/winnetou/etc/init.d/slapd
@@ -0,0 +1,25 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/strongswan/testing/hosts/winnetou/etc/init.d/slapd,v 1.2 2005/05/31 14:04:43 as Exp $
+
+depend() {
+	need net
+}
+
+start() {
+	ebegin "Starting ldap-server"
+	eval start-stop-daemon --start --quiet --pidfile /var/run/openldap/slapd.pid --exec /usr/lib/openldap/slapd -- -u ldap -g ldap "${OPTS}"
+	eend $?
+	if [ ! -e /var/lib/openldap-data/objectClass.bdb ]
+	then
+		sleep 5
+		ldapadd -x -D "cn=Manager, o=Linux strongSwan, c=CH" -w tuxmux -f /etc/openldap/ldif.txt
+	fi
+}
+
+stop() {
+	ebegin "Stopping ldap-server"
+	start-stop-daemon --stop --signal 2 --quiet --pidfile /var/run/openldap/slapd.pid 
+	eend $?
+}
diff --git a/testing/hosts/winnetou/etc/openldap/ldif.txt b/testing/hosts/winnetou/etc/openldap/ldif.txt
new file mode 100644
index 000000000..3eca4d6c6
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openldap/ldif.txt
@@ -0,0 +1,40 @@
+dn: o=Linux strongSwan, c=CH
+objectclass: organization
+o: Linux strongSwan
+
+dn: cn=Manager,o=Linux strongSwan, c=CH
+objectclass: organizationalRole
+cn: Manager
+
+dn: cn=strongSwan Root CA, o=Linux strongSwan, c=CH
+objectClass: organizationalRole
+cn: strongSwan Root CA
+objectClass: certificationAuthority
+authorityRevocationList;binary:< file:///etc/openssl/strongswan.crl
+certificateRevocationList;binary:< file:///etc/openssl/strongswan.crl
+cACertificate;binary:< file:///etc/openssl/strongswanCert.der
+
+dn: ou=Research, o=Linux strongSwan, c=CH
+objectclass: organizationalUnit
+ou: Research
+
+dn: cn=Research CA, ou=Research, o=Linux strongSwan, c=CH
+objectClass: organizationalRole
+cn: Research CA
+objectClass: certificationAuthority
+authorityRevocationList;binary:< file:///etc/openssl/research/research.crl
+certificateRevocationList;binary:< file:///etc/openssl/research/research.crl
+cACertificate;binary:< file:///etc/openssl/research/researchCert.der
+
+dn: ou=Sales, o=Linux strongSwan, c=CH
+objectclass: organizationalUnit
+ou: Sales 
+
+dn: cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH
+objectClass: organizationalRole
+cn: Sales CA
+objectClass: certificationAuthority
+authorityRevocationList;binary:< file:///etc/openssl/sales/sales.crl
+certificateRevocationList;binary:< file:///etc/openssl/sales/sales.crl
+cACertificate;binary:< file:///etc/openssl/sales/salesCert.der
+
diff --git a/testing/hosts/winnetou/etc/openldap/slapd.conf b/testing/hosts/winnetou/etc/openldap/slapd.conf
new file mode 100644
index 000000000..4558ee2e2
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openldap/slapd.conf
@@ -0,0 +1,68 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+include		/etc/openldap/schema/core.schema
+
+# Define global ACLs to disable default read access.
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral	ldap://root.openldap.org
+
+pidfile		/var/run/openldap/slapd.pid
+argsfile	/var/run/openldap/slapd.args
+
+# Load dynamic backend modules:
+# modulepath	/usr/lib/openldap/openldap
+# moduleload	back_bdb.la
+# moduleload	back_ldap.la
+# moduleload	back_ldbm.la
+# moduleload	back_passwd.la
+# moduleload	back_shell.la
+
+# Sample security restrictions
+#	Require integrity protection (prevent hijacking)
+#	Require 112-bit (3DES or better) encryption for updates
+#	Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+
+# Sample access control policy:
+#	Root DSE: allow anyone to read it
+#	Subschema (sub)entry DSE: allow anyone to read it
+#	Other DSEs:
+#		Allow self write access
+#		Allow authenticated users read access
+#		Allow anonymous users to authenticate
+#	Directives needed to implement policy:
+# access to dn.base="" by * read
+# access to dn.base="cn=Subschema" by * read
+# access to *
+#	by self write
+#	by users read
+#	by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn.  (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+
+#######################################################################
+# BDB database definitions
+#######################################################################
+
+database	bdb
+checkpoint	32	30 # <kbyte> <min>
+suffix		"o=Linux strongSwan,c=CH"
+rootdn		"cn=Manager,o=Linux strongSwan,c=CH"
+# Cleartext passwords, especially for the rootdn, should
+# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
+# Use of strong authentication encouraged.
+rootpw		tuxmux	
+# The database directory MUST exist prior to running slapd AND 
+# should only be accessible by the slapd and slap tools.
+# Mode 700 recommended.
+directory	/var/lib/openldap-data
+# Indices to maintain
+index	objectClass	eq
diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl
new file mode 100755
index 000000000..5a8fd7782
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/generate-crl
@@ -0,0 +1,35 @@
+#! /bin/sh
+# generate a certificate revocation list (CRL) for the strongswan CA.
+#
+# Copyright (C) 2004  Andreas Steffen
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: generate-crl,v 1.2 2005/03/24 11:19:38 as Exp $
+
+export COMMON_NAME=strongSwan
+
+cd /etc/openssl
+openssl ca -config /etc/openssl/openssl.cnf -gencrl -out crl.pem
+openssl crl -in crl.pem -outform der -out strongswan.crl
+cp strongswan.crl     /var/www/localhost/htdocs/
+cp strongswanCert.pem /var/www/localhost/htdocs/
+cp index.html         /var/www/localhost/htdocs/
+cd /etc/openssl/research
+openssl ca -config /etc/openssl/research/openssl.cnf -gencrl -out crl.pem
+openssl crl -in crl.pem -outform der -out research.crl
+cp research.crl       /var/www/localhost/htdocs/
+cd /etc/openssl/sales
+openssl ca -config /etc/openssl/sales/openssl.cnf -gencrl -out crl.pem
+openssl crl -in crl.pem -outform der -out sales.crl
+cp sales.crl         /var/www/localhost/htdocs/
+
diff --git a/testing/hosts/winnetou/etc/openssl/index.html b/testing/hosts/winnetou/etc/openssl/index.html
new file mode 100644
index 000000000..1641768ae
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/index.html
@@ -0,0 +1,36 @@
+<html>
+<head>
+  <title>strongSwan Web Services</title>
+  <base target="_self">
+</head>
+
+<body bgcolor="#FFFFFF">
+<table border=0 cellpadding=0 cellspacing=0 width=600>
+
+<tr><td>
+  <h2>strongSwan Certification Authority</h2>
+  <ul>
+    <li>
+      <a href="strongswanCert.pem">Root CA Certificate</a>
+    </li>
+  </ul>
+  <ul>
+    <li>
+      <a href="strongswan.crl">Certificate Revocation List (CRL)</a>
+    </li>
+  </ul>
+
+  <h2>strongSwan UML Testing Environment</h2>
+  <ul>
+    <li>
+      <a href="testresults/">UML Test Results</a>
+    </li>
+  </ul>
+  <a href="images/umlArchitecture_large.png" target="_blank">
+    <img src="images/umlArchitecture_small.png" border="0">
+  </a>
+  <hr>
+  <address>Linux strongSwan (<a href="http://www.strongswan.org">www.strongswan.org</a>)</address>
+</td></tr>
+</table>
+</body>
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
new file mode 100644
index 000000000..4db6c2924
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
@@ -0,0 +1,15 @@
+V	090909111334Z		01	unknown	/C=CH/O=Linux strongSwan/CN=mars.strongswan.org
+V	090909111553Z		02	unknown	/C=CH/O=Linux strongSwan/CN=sun.strongswan.org
+V	090909111725Z		03	unknown	/C=CH/O=Linux strongSwan/CN=moon.strongswan.org
+V	090909111826Z		04	unknown	/C=CH/O=Linux strongSwan/CN=venus.strongswan.org
+V	090909112439Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=alice@strongswan.org
+V	090909112534Z		06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongswan.org
+R	090909112548Z	041226135423Z	07	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V	090909112651Z		08	unknown	/C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
+V	091118162928Z		09	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
+V	091231214318Z		0A	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V	100216084430Z		0B	unknown	/C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
+R	140321062536Z	050621195214Z	0C	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+V	140321062916Z		0D	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
+V	100607191714Z		0E	unknown	/C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
+V	100620195806Z		0F	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.attr b/testing/hosts/winnetou/etc/openssl/index.txt.attr
new file mode 100644
index 000000000..8f7e63a34
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.attr.old b/testing/hosts/winnetou/etc/openssl/index.txt.attr.old
new file mode 100644
index 000000000..8f7e63a34
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.attr.old
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old
new file mode 100644
index 000000000..669702b0c
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.old
@@ -0,0 +1,14 @@
+V	090909111334Z		01	unknown	/C=CH/O=Linux strongSwan/CN=mars.strongswan.org
+V	090909111553Z		02	unknown	/C=CH/O=Linux strongSwan/CN=sun.strongswan.org
+V	090909111725Z		03	unknown	/C=CH/O=Linux strongSwan/CN=moon.strongswan.org
+V	090909111826Z		04	unknown	/C=CH/O=Linux strongSwan/CN=venus.strongswan.org
+V	090909112439Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=alice@strongswan.org
+V	090909112534Z		06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongswan.org
+R	090909112548Z	041226135423Z	07	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V	090909112651Z		08	unknown	/C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
+V	091118162928Z		09	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
+V	091231214318Z		0A	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V	100216084430Z		0B	unknown	/C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
+R	140321062536Z	050621195214Z	0C	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+V	140321062916Z		0D	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
+V	100607191714Z		0E	unknown	/C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/01.pem b/testing/hosts/winnetou/etc/openssl/newcerts/01.pem
new file mode 100644
index 000000000..bf4ba9375
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/01.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEDTCCAvWgAwIBAgIBATANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMTMzNFoXDTA5MDkwOTExMTMzNFowRjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21hcnMu
+c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA
+zRlshdPlLggS7bpAlovamLpk9pxYUv3c8J4W0kV4knMPbSJywfctpce95iPZfU6V
+ICV0fVOn/0utJG+0lMTYwcf5zvyIDPDccfsTT3WI+/PcaUpU6E5aaPAZxDG4na6w
+UVUKiRcOyiuyXanulnu+b48nM7MgoMVZNDWY5q15enEZh1oO2Fy0DlKwweDKEuAi
+8xSnu2RcZBFSZMDBCRCt3QgHGZygrzjP3vN6IgbvHL+YWIycMi5yiJR5EoCE6D17
+AT1dh0C8R9m1a0LUK8cKiN+akZQlK/AHYOCu77fg1vz84dMDRIs2PCUs6Ww/fvqy
+N4r1BXg8XKTVH0zmqfQLAgMBAAGjggEFMIIBATAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIDqDAdBgNVHQ4EFgQUbUWd4UeHwbTxn0Kr9io4nUGz6eAwbQYDVR0jBGYwZIAU
+XafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQK
+ExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GC
+AQAwHgYDVR0RBBcwFYITbWFycy5zdHJvbmdzd2FuLm9yZzA5BgNVHR8EMjAwMC6g
+LKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0G
+CSqGSIb3DQEBBAUAA4IBAQBY0ab/r6K40Gni/db8apZGJqoO3XFPE4K7wi46LNZq
+gB3mQgazLkf48luj06rcfux+vC/2W3DyqAtKD5JRccL0A5yxY55p3rrCNvz76Y9H
+0AkVledhZTjd7SxdtsfxlRuok4nACwQii9GXcfs8qBc5QE8ZQRAtPwRxVx8hE19n
+D3AllTSukJSC6nPJHf+4FXz1Dxt3aFZOnkJM4qERBjFREYE4jGLaz71HNNKshsYy
+2UuwLAqsQk6zYogrJgpWLIuMVE2GHoth/rjpkzK/ErAwcV4OgMNdA1bHGl94soDy
+zryvlFj1zaqlvdKayWATnrAQQTQeeYz3i0wF95CNR22b
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/02.pem b/testing/hosts/winnetou/etc/openssl/newcerts/02.pem
new file mode 100644
index 000000000..e7825e3db
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/02.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIECzCCAvOgAwIBAgIBAjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMTU1M1oXDTA5MDkwOTExMTU1M1owRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z
+dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOQ8
+foB9h5BZ92gA5JkQTJNuoF6FAzoq91Gh7To27/g74p01+SUnsSaBfPmNfGp4avdS
+Ewy2dWMA/7uj0Dbe8MEKssNztp0JQubp2s7n8mrrQLGsqB6YAS09l75XDjS3yqTC
+AtH1kD4zAl/j/AyeQBuLR4CyJEmC/rqD3/a+pr42CaljuFBgBRpCTUpU4mlslZSe
+zv9wu61PwTFxb8VDlBHUd/lwkXThKgU3uEhWRxLahpSldEGmiTTmx30k/XbOMF2n
+HObEHt5EY9uWRGGbj81ZRWiNk0dNtbpneUHv/NvdWLc591M8cEGEQdWW2XTVbL2G
+N67q8hdzGgIvb7QJPMcCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgOoMB0GA1UdDgQWBBQ9xLkyCBbyQmRet0vvV1Fg6z5q2DBtBgNVHSMEZjBkgBRd
+p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
+EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
+ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwOQYDVR0fBDIwMDAuoCyg
+KoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuLmNybDANBgkq
+hkiG9w0BAQQFAAOCAQEAGQQroiAa0SwwhJprGd7OM+rfBJAGbsa3DPzFCfHX1R7i
+ZyDs9aph1DK+IgUa377Ev1U7oB0EldpmOoJJugCjtNLfpW3t1RXBERL/QfpO2+VP
+Wt3SfZ0Oq48jiqB1MVLMZRPCICZEQjT4sJ3HYs5ZuucuvoxeMx3rQ4HxUtHtMD3S
+5JNMwFFiOXAjyIyrTlb7YuRJTT5hE+Rms8GUQ5Xnt7zKZ7yfoSLFzy0/cLFPdQvE
+JA7w8crODCZpDgEKVHVyUWuyt1O46N3ydUfDcnKJoQ9HWHm3xCbDex5MHTnvm1lk
+Stx71CGM7TE6VPy028UlrSw0JqEwCVwstei2cMzwgA==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/03.pem b/testing/hosts/winnetou/etc/openssl/newcerts/03.pem
new file mode 100644
index 000000000..d8fbfa1c9
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/03.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEDTCCAvWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMTcyNVoXDTA5MDkwOTExMTcyNVowRjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21vb24u
+c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv
+ri4QmsCnG0N7bxqeUZTQhcmZ/iyN4RsmHwFsiOc06xpnZ7Fbx9gzi/OswU6KGL+F
+f9PfvOY36bDTZU8V2QaL30RQUXz3JlG+jUyP9zjqlhsvVYS/cImvqgo3uUkQ0YCD
+v2SafTlaQfBOaPFElNEP/H2YSiyB6X80IcHsOMYpskVqPY8785FehjF+pxuyRCK+
+9HXmd+iWdnC09u4qgKRa3L0IamU3q1/BK/afkHK2IAIN4YgM7GzepHVD0f7Exf9U
+esJEeh4hDZwSjcMzdybrY9XBxzGqLGPOF128jr+5weUZiBW+RzeBw/gsK1nSPeuX
+Od2lPJjTGj+6V3YK6qibAgMBAAGjggEFMIIBATAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIDqDAdBgNVHQ4EFgQU5eQQh2wqxL6thUlCpt52WDA6n8EwbQYDVR0jBGYwZIAU
+XafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQK
+ExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GC
+AQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA5BgNVHR8EMjAwMC6g
+LKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0G
+CSqGSIb3DQEBBAUAA4IBAQAvLykhZnqldrsMcbYB36WzWKk+hOihr5dU3fv8Z4ec
+tsa3gzxXSefDCxGoezVJ4QXdpdNxxFn31A+r1gxKyGI5JL6EyWz6Y462zp9lE7nW
+EIC4ldJwxAXqzDEMcJphO29hApyU9TWsWDa4kL5AKtLFLwH3/Uv/jAzAy+qXIO8h
+wLtB+wcmhSo8OFY9kX/cyhht7eb7yD/r2e3wVBOCRk7jePe4yWhN8NJAKwfrEd1K
+iGq15ymdmeomhplHRsLZwA2VsCspUNZ/eXjG21s3nEoxcCOcQUz3Q7q4ZgBTZoCW
+kAc6FQ5zxoZrmzNWFqzb06jmUVlt7baGtdjT7rEt+dcp
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/04.pem b/testing/hosts/winnetou/etc/openssl/newcerts/04.pem
new file mode 100644
index 000000000..25a6941b0
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/04.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEDzCCAvegAwIBAgIBBDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMTgyNloXDTA5MDkwOTExMTgyNlowRzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHTAbBgNVBAMTFHZlbnVz
+LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+mlQ2s9J7bw73onkw0ZwwcM2JDJuU3KmmuzETlmLdtg7m8yFCdhoDg6cxrsIvPAWy
+Gs++1e+1qzy7LTnNHckaHHFwJQf0JoIGE1bbUrJidX8B1T3sDdvZFbyfmQTWSEyJ
+thrdqdPS92VJW/9XQOPeEhudIHr+NtWQfCm3OQFKDXGCEkHOjpVNHn3BPUiL99ON
+FiLZX3gZy6vTERpEE8ga66fHtpM3RJfIxYoUQUdRw8iIa8iOvRGtJa/MfOWX6L/H
+wquRv3SuCl4iMSph7e/VE+z5xx3OyKSAki914DgRFnQITKjyGxw1lORlDQlZy2w/
+nu0BAbXS1pb/2AiF8jDpbQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8E
+BAMCA6gwHQYDVR0OBBYEFEqPlXBYJh1knX0Q61HMcn9LOZ6sMG0GA1UdIwRmMGSA
+FF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UE
+ChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENB
+ggEAMB8GA1UdEQQYMBaCFHZlbnVzLnN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAw
+LqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmww
+DQYJKoZIhvcNAQEEBQADggEBAEx3kXh2Z5CMH+tX6cJPyi6gSeOgXy7NBiNsEdXN
+rwGp4DwN6uiSog4EYZJA203oqE3eaoYdBXKiOGvjW4vyigvpDr8H+MeW2HsNuMKX
+PFpY4NucV0fJlzFhtkp31zTLHNESCgTqNIwGj+CbN0rxhHGE6502krnu+C12nJ7B
+fdMzml1RmVp4JlZC5yfiTy0F2s/aH+8xQ2x509UoD+boNM9GR+IlWS2dDypISGid
+hbM4rpiMLBj2riWD8HiuljkKQ6LemBXeZQXuIPlusl7cH/synNkHk8iiALM8xfGh
+wTEmdo5Tp5sDI3cj3LVvhcsTxjiOA81her1F0itlxpEA/gA=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/05.pem b/testing/hosts/winnetou/etc/openssl/newcerts/05.pem
new file mode 100644
index 000000000..e99ae8ec7
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/05.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
+MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer
+GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4
+FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W
+6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH
+v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc
+KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG
+A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa
+60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG
+A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0
+cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu
+Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
+L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo
+2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ
+AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5
+D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S
+CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi
+6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re
+JGhV
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/06.pem b/testing/hosts/winnetou/etc/openssl/newcerts/06.pem
new file mode 100644
index 000000000..199d3eee2
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/06.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEHjCCAwagAwIBAgIBBjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMjUzNFoXDTA5MDkwOTExMjUzNFowWDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRswGQYDVQQDFBJib2JAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDAJaejS3/lJfQHgw0nzvotgSQS8ey/6tvbx7s5RsWY
+27x9K5xd44aPrvP2Qpyq34IXRY6uPlIqeUTQN7EKpLrWCxMOT36x5N0Co9J5UWRB
+fJC141D+8+1RwJ9/baEIecpCvb0GfDOX0GXN5ltcJk82hZjE4y1yHC1FN7V3zdRg
+xmloupPuon+X3bTmyMQ93NKkg48CQGtqtfwQ0MqPiOWu8MBhdztfOyu6aW3EgviF
+ithLc02SeNzlpqB3M8GDfX+mr3OVDhhhC2OI+VRlZzz7KxJ13DUR2KkvLZR8Ak4E
+5lRjkUnTYd/f3OQYxfjC8idUmj5ojR6Fb0x1tsV/glzXAgMBAAGjggEEMIIBADAJ
+BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUaLN5EPOkOkVU3J1Ud0sl
++27OOHswbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
+BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
+dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHQYDVR0RBBYwFIESYm9iQHN0cm9uZ3N3YW4u
+b3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcv
+c3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIyQLLxdeO8clplzRW9z
+TRR3J0zSedvi2XlIZ/XCsv0ZVfoBLLWcDp3QrxNiVZXvXXtzjPsDs+DAveZF9LGq
+0tIw1uT3JorbgNNrmWvxBvJoQTtSw4LQBuV7vF27jrposx3Hi5qtUXUDS6wVnDUI
+5iORqsrddnoDuMN+Jt7oRcvKfYSNwTV+m0ZAHdB5a/ARWO5UILOrxEA/N72NcDYN
+NdAd+bLaB38SbkSbh1xj/AGnrHxdJBF4h4mx4btc9gtBSh+dwBHOsn4TheqJ6bbw
+7FlXBowQDCJIswKNhWfnIepQlM1KEzmq5YX43uZO2b7amRaIKqy2vNE7+UNFYBpE
+Mto=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/07.pem b/testing/hosts/winnetou/etc/openssl/newcerts/07.pem
new file mode 100644
index 000000000..5b742fc9e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/07.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV
+mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo
+5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv
+VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN
+IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5
+K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9
+OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB
+56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM
+2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q
+O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL
+LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3
+wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N
+9IcgYi5x
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/08.pem b/testing/hosts/winnetou/etc/openssl/newcerts/08.pem
new file mode 100644
index 000000000..abd1554e5
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/08.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMjY1MVoXDTA5MDkwOTExMjY1MVowWzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291
+bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDGbCmUY6inir71/6RWebegcLUTmDSxRqpRONDx
+2IRUEuES5EKc7qsjRz45XoqjiywCQRjYW33fUEEY6r7fnHk70CyUnWeZyr7v4D/2
+LjBN3smDE6/ZZrzxPx+xphlUigYOF/vt4gUiW1dOZ5rcnxG9+eNrSL6gWNNg1iuE
+RflSTbmHV6TVmGU2PGddKGZ6XfqWfdA+6iOi2+oyqw6aH4u4hfXhJyMROEOhLdAF
+UvzU9UizEXSqsmEOSodS9vypVJRYTbZcx70e9Q7g2MghHvtQY6mVgBzAwakDBCt/
+98lAlKDeXXOQqPcqAZSc2VjG8gEmkr1dum8wsJw8C2liKGRFAgMBAAGjggEFMIIB
+ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU3pC10RxsZDx0UNNq
++Ihsoxk4+3IwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQAnotcnOE0tJDLy
+8Vh1+naT2zrxx9UxfMIeFljwhDqRiHXSLDAbCOnAWoqj8C9riuZwW7UImIIQ9JT9
+Gdktt4bbIcG25rGMC3uqP71CfaAz/SwIZZ2vm8Jt2ZzzSMHsE5qbjDIRAZnq6giR
+P2s6PVsMPSpvH34sRbE0UoWJSdtBZJP5bb+T4hc9gfmbyTewwMnjh09KkGJqVxKV
+UC/1z1U9zb3X1Gc9y+zI67/D46wM6KdRINaqPdK26aYRFM+/DLoTfFk07dsyz7lt
+0C+/ityQOvpfjVlZ/OepT92eWno4FuNRJuUP5/gYiHvSsjZbazqG02qGhJ6VgtGT
+5qILUTmI
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/09.pem b/testing/hosts/winnetou/etc/openssl/newcerts/09.pem
new file mode 100644
index 000000000..6ca9a58a4
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/09.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEQzCCAyugAwIBAgIBCTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MTExOTE2MjkyOFoXDTA5MTExODE2MjkyOFowZzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHzAdBgNVBAsTFk9DU1Ag
+U2lnbmluZyBBdXRob3JpdHkxHDAaBgNVBAMTE29jc3Auc3Ryb25nc3dhbi5vcmcw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqJ0y0yhF4iEygd8M73wNC
+8RO590BqiD3Z3x9/5GSVCgfm+ao4hcg6CogNGicu4ybzgPoHt0V/El4D8JRkM8QB
+pg/R7WI4L1ndSZGgTHcQ1vViXGr4PUsIiUR/EgVCSFs8+6Z73J4bJeMomy27Hn9w
+s4leHbrqK87btA2TETV3UlCaDXC6NF8321ZH+D+8OFQaQ0SqKrThKMVYSTf+QdpX
+BlI9vtce1SyS6Kiy4WLdXAt8mO7x+UjaVEzFNyi6SXb9FAGVvO9OXi3+mxm9eK2g
++s1kA4jqDvL17JftvJLKzFZ5irEuTe2+wHdQbwtlOkW1JFAsGL4O+r4NIoBuMBZF
+AgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU
+iAcKuK7HwQdcvmhqxKV/gR83tVYwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg
+YOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdT
+d2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYIT
+b2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA5BgNVHR8E
+MjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4u
+Y3JsMA0GCSqGSIb3DQEBBAUAA4IBAQA4jOyh+neFCkXMZ1gK0o98qkBr3vYEO2a0
+wb2hDv8Alx6T5kwLgdhAzZ5urZpAdiWF3NWE+z9KnEWnpep9MRDXNM8uBglgBO2v
+SAmV1BXNw2ZDe63w6QvQnezgUuWkrTShfduEDmb8j5jVdzoY+kTKwjLYHPG0Ec79
+Os3PPqXlfeUOkzWnhGVP2EtHCj8SppMdA/XIuwIq8aLN14SITi6gvo/cDMa5N6sT
+Q/UBAOWsxbLReaD7l5OXnAJOg3t/RM36vpRqPseGaAgrKy8805QDU2RxsCHrxwzF
+Wi/17J6nmX3e4PuwqPAI/4MsHlFdExRvSq/gXBN/Ib4AHGkUr0/q
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/0A.pem b/testing/hosts/winnetou/etc/openssl/newcerts/0A.pem
new file mode 100644
index 000000000..8492fbd45
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/0A.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX
+T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl
+vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii
+S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW
+LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM
+YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD
+j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI
+U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM
+2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE
+HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd
+hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG
+C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK
+omBYfxqp
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/0B.pem b/testing/hosts/winnetou/etc/openssl/newcerts/0B.pem
new file mode 100644
index 000000000..3c5c5d91d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/0B.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEKjCCAxKgAwIBAgIBCzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDIxNzA4NDQzMFoXDTEwMDIxNjA4NDQzMFowZjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAsTF0F1dGhv
+cml6YXRpb24gQXV0aG9yaXR5MRowGAYDVQQDFBFhYUBzdHJvbmdzd2FuLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2Czo4Mds6Jz15DWop6ExWI
+wWt9zU8Xu//ow1F0Kf9a4DLjo8qO+km3gybByNQQv1LrZ1eq+82Gy4RYXU1FnhC6
+dc8aobDmUQkY/8uYXtUmevKF5QcbYciDLp01W1q0DONAlc/9wmvJWhvjs9itWOBC
+fAUcH3eUNvMgkc7hlQTqreZTH4zyJ6M54JibkTsyfVg/1yOT41zUU3b+vI/r9kNB
+CYcp2DrdhdxX6mEiSTyDA/OMlgvCa7kPinUL4FJtQOFBozCsGcD28ONLc8Abkggf
+NABXCclPVAXOTawJF3dRWcMhIlNLWxWMVRvEt5OkAEdy/mXGBvtVArmGnmA+8zcC
+AwEAAaOCAQIwgf8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFA+6
+5KwThPKc9Vxn0048uRThft1tMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDq
+Lk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
+bjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMBwGA1UdEQQVMBOBEWFh
+QHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ry
+b25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIeg
+CjgR2yIGSuyrFolvEM/qoT3j+LpQREDZbx9BKr3kGmbqF75clwfpysJ4FlXZZ2CR
+aH2GoPOZGXwsYc3poqGeeWSxo+fpt4XIGUc1eREXm1rKVMd+qb0u0PXuhq2+u1aY
+ZJDY0yqUU2/7AInXjzG7lI120W+K6tuTM/5UVI5EPpAFwUVlCxnMh4Sl4VkgZ2Hw
+YnO3/8SEHmHR03/GhOd5d8hD8a0AGHtdOPpZnUOR9PH5FszpQ/alUdn+NTdQ7O2v
+Q8jqPCeQSAAkJbBBRvGA4bD6KXt1k74fXXUofiKWpQUozlO1Cc978Kfl5/do5bov
+wTLSA/z7c8nVCVoZI9Y=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/0C.pem b/testing/hosts/winnetou/etc/openssl/newcerts/0C.pem
new file mode 100644
index 000000000..c380a5110
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/0C.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqmgAwIBAgIBDDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDMyMzA2MjUzNloXDTE0MDMyMTA2MjUzNlowUTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
+FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
+zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
+/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
+C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
+BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
+VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAA4jpa5Vc/q94/X1
+LAHO2m7v2AFPl68SwspZLbCL7Le+iv5BUQ814Y9qCXMySak+NpZ5RLzm/cC+3GCa
+6eyozhZnS5LDxIgtStXWaC3vIQKQhJMwnc43RgcqneqqS5/H5zNXz/f0g/bRG8bN
+T6nO0ZRdpy8Zu0+fH3f/u9/sQPRX3iNL/rd3x/UVLoowkQHdKzZfjcrFm+8CPl4r
+9xOKjzC6epPY2ApfXmLodd0zemf84CKSJCXfkVlk0cYw1YLKUINnHToFfDAw0kCL
+cVc7wHWZlzSVSE3u0PYXVssnsm08RWqAGPL3TO09fnUntNMzlIxNpOTuWsKVXZPq
+YO2C4HE=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/0D.pem b/testing/hosts/winnetou/etc/openssl/newcerts/0D.pem
new file mode 100644
index 000000000..e50477872
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/0D.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
+MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
+GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV
+Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S
+uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO
+sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1
+vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
+MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
+VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
+MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
+8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
+9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
+iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
+uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
+xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/0E.pem b/testing/hosts/winnetou/etc/openssl/newcerts/0E.pem
new file mode 100644
index 000000000..956c217d9
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/0E.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEFTCCAv2gAwIBAgIBDjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDYwODE5MTcxNFoXDTEwMDYwNzE5MTcxNFowSjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAMTF3dpbm5l
+dG91LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwBkz95BmByWVZaEW8cDbeuGr4C1caGAj4QPmuwaIriK+7XqXuh16Ahe3S5vZ
+F56WhUSvMDOIyULckKH84oSa3Jx/SCz0g7X42x8vZuq92tpsjcP/u7BlyqpBUtLa
+r14qm5wYw/1nQqMcSG3k9MQOQ+e9KgaGqpidxWM/8T4M/41AaFRBK2gQGBUULo26
+sjoq3af7Z2jYmWkP/kzj1CHLy9Mgt+UvhKeA+ag5cZnyOG596cqVjlKyqG7vdggk
+wW2n+/KDpHNOndYfT7GMFeGXUNzJPkCImWlttic7ssi0mjP3q3MuOP3FNHIRMd2H
+AcNcqT0bgdJHqnNzGv8C0Ei9XQIDAQABo4IBCTCCAQUwCQYDVR0TBAIwADALBgNV
+HQ8EBAMCA6gwHQYDVR0OBBYEFEMS0mbhrA4zDvmfKf4MntUNxkH4MG0GA1UdIwRm
+MGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290
+IENBggEAMCIGA1UdEQQbMBmCF3dpbm5ldG91LnN0cm9uZ3N3YW4ub3JnMDkGA1Ud
+HwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dh
+bi5jcmwwDQYJKoZIhvcNAQEEBQADggEBACO4+j1Mwt/lbkopeSJst46uFh7OtegG
+6IWNE30i3l3FIn9slSwAOMtmZR0hAF8sExvk61EPlzCR/d9trSJ5+gyjPkeF/enw
+p61rxPMT13Grzomi9gYlk6Q/0zLmE9uYWEY69Q0bEIUcfdZfwB+F7kesa946JNMc
+yHfVEhKtvzmns9ueG0S/8E+6MPDeJv+JHQ++SdWSvOVg6JNxXDGusnim2fjM2Aln
+JmqA6iU4IaPl9DUCuXlLOVv/YhwhviNEbF94upyHq8xjOZdzPbKroHXg/2yvalAw
+4aXc/ZsnFxqsq3i6a2Fj1Y4J7gYsNO/HwA0xvKz3loOTqHaJqO/qeow=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/0F.pem b/testing/hosts/winnetou/etc/openssl/newcerts/0F.pem
new file mode 100644
index 000000000..154cff654
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/0F.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
+FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
+zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
+/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
+C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
+BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
+VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
+Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
+fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
+3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
+0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
+IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
+Tfcyi+M=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/ocspCert.pem
new file mode 100644
index 000000000..6ca9a58a4
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ocspCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEQzCCAyugAwIBAgIBCTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MTExOTE2MjkyOFoXDTA5MTExODE2MjkyOFowZzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHzAdBgNVBAsTFk9DU1Ag
+U2lnbmluZyBBdXRob3JpdHkxHDAaBgNVBAMTE29jc3Auc3Ryb25nc3dhbi5vcmcw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqJ0y0yhF4iEygd8M73wNC
+8RO590BqiD3Z3x9/5GSVCgfm+ao4hcg6CogNGicu4ybzgPoHt0V/El4D8JRkM8QB
+pg/R7WI4L1ndSZGgTHcQ1vViXGr4PUsIiUR/EgVCSFs8+6Z73J4bJeMomy27Hn9w
+s4leHbrqK87btA2TETV3UlCaDXC6NF8321ZH+D+8OFQaQ0SqKrThKMVYSTf+QdpX
+BlI9vtce1SyS6Kiy4WLdXAt8mO7x+UjaVEzFNyi6SXb9FAGVvO9OXi3+mxm9eK2g
++s1kA4jqDvL17JftvJLKzFZ5irEuTe2+wHdQbwtlOkW1JFAsGL4O+r4NIoBuMBZF
+AgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU
+iAcKuK7HwQdcvmhqxKV/gR83tVYwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg
+YOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdT
+d2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYIT
+b2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA5BgNVHR8E
+MjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4u
+Y3JsMA0GCSqGSIb3DQEBBAUAA4IBAQA4jOyh+neFCkXMZ1gK0o98qkBr3vYEO2a0
+wb2hDv8Alx6T5kwLgdhAzZ5urZpAdiWF3NWE+z9KnEWnpep9MRDXNM8uBglgBO2v
+SAmV1BXNw2ZDe63w6QvQnezgUuWkrTShfduEDmb8j5jVdzoY+kTKwjLYHPG0Ec79
+Os3PPqXlfeUOkzWnhGVP2EtHCj8SppMdA/XIuwIq8aLN14SITi6gvo/cDMa5N6sT
+Q/UBAOWsxbLReaD7l5OXnAJOg3t/RM36vpRqPseGaAgrKy8805QDU2RxsCHrxwzF
+Wi/17J6nmX3e4PuwqPAI/4MsHlFdExRvSq/gXBN/Ib4AHGkUr0/q
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/ocspKey.pem
new file mode 100644
index 000000000..aa04e24c6
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ocspKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAqidMtMoReIhMoHfDO98DQvETufdAaog92d8ff+RklQoH5vmq
+OIXIOgqIDRonLuMm84D6B7dFfxJeA/CUZDPEAaYP0e1iOC9Z3UmRoEx3ENb1Ylxq
++D1LCIlEfxIFQkhbPPume9yeGyXjKJstux5/cLOJXh266ivO27QNkxE1d1JQmg1w
+ujRfN9tWR/g/vDhUGkNEqiq04SjFWEk3/kHaVwZSPb7XHtUskuiosuFi3VwLfJju
+8flI2lRMxTcoukl2/RQBlbzvTl4t/psZvXitoPrNZAOI6g7y9eyX7bySysxWeYqx
+Lk3tvsB3UG8LZTpFtSRQLBi+Dvq+DSKAbjAWRQIDAQABAoIBAC9SnMfPR0qhhcY/
+aMIXBT4x9E2NUZIPcDxPDOCx8bNtxcLcfxYXRxe1ZB9YvbsRm/yvS1qoAyETR6iK
+2YqAxyu6Nr4o6l879B9SXbkaayb40ehYUbvWuC6Ylr9MkL/dhdqRFr1uH17ni6T4
+e6CGG+WJWVQeqqSEKJT8H6Zea+NSQi9UOsVgKIMiXr52j3hj8LraH/4FoOPlgg3r
+mqrVcQlDYLtt+cufpFJLGzJhTylqlWCRWA6nwKFl8zZqGNaCswKkC3Ql47vlAmQT
+ETl4MMpVsmezC8OcursRmgPJzRudnGg6RLyfTff9b/wFmIujvJLYeN/ILRFvFGkq
+kiIWNIUCgYEA27y3N6lHJ8ommqquoyAVfQpc5Y1gFFXoE8VzkO1ts5B0N6r2DVvy
+DFUT3cSWdBOsF2MykTnyAC0dVXRXTCTEI2AqdmgITOzs3Ydr0XlOPmuM3dOO060F
+I9x4GsCpVcV/zWBZfJyUhNQqxpozrWNvHVgxrEc8pjD29iMLf+EsP2cCgYEAxjvP
+9uQjRxWv3/5ZVEOpBnecZe+ysg0CgK0zt+nogTAn7ET27FFeW8BjcR6g+r57n9cu
+X6EGdxuLexwoqvt3dO/rBF74knTe4ElDzEhcAoxnZPnJrJ6aST0KZ7lGoX5UW7wp
+eyW7HXKpd1THY40v7aHhaSr4362kMTFpPvxxrXMCgYAkDa2+Kz8qjyeQXwryZvQ/
+pPCjFXQ7QfEnNVGF6P8D5GK9M4bVoE1xqo/s5jGNcCDfYX5Nh8VmNADJIaKlMq8f
+4sp0zRL3lDQ1EOAm6ZFl+n2NdAXOQ2hBfw4RzaS7FwGmL/Xe1U4lES7HkUuDWnpD
+xVG5I6MW3ZfXwN5FKCv7ZwKBgByIVWmq8qzzoSnzeTYYuwZ0Ru2hL65TEw4kX/JT
+16RoowZt8sCXAabhLS8GApO0wSSDm2gmTEDulQf2SKA7q7kII2KwrMSfz8imovyP
+WbcAMI2nKnEPLxPllk7RqynpfgjqL2pLRwB5FY1YhY59ru1cRI6XodTIMH7oJsbr
+HQ2jAoGADHlVLAf9hQTYMrLCaO4mjOlJwRa19e1l47o4Lt1H+cGh96Jc4i7Hfkmv
+e/j/ZF4XqtjvmZIR2xevL2+/pPVuMYV0hEWyDQzoUgM6OXF4smSG3N+SrDTSmM8I
+XE9Ohc2JL3IKWN8SarsTUCrqle7UakmbYTUJqH9bJwGyvm3Ro1o=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/openssl.cnf b/testing/hosts/winnetou/etc/openssl/openssl.cnf
new file mode 100644
index 000000000..dbe31abbd
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/openssl.cnf
@@ -0,0 +1,182 @@
+# openssl.cnf -  OpenSSL configuration file for the ZHW PKI
+# Mario Strasser <mario.strasser@zhwin.ch>
+#
+# $Id: openssl.cnf,v 1.2 2005/08/15 21:25:22 as Exp $
+#	
+
+# This definitions were set by the ca_init script DO NOT change
+# them manualy.
+CAHOME			= /etc/openssl 
+RANDFILE		= $CAHOME/.rand
+
+# Extra OBJECT IDENTIFIER info:
+oid_section		= new_oids
+
+[ new_oids ]
+SmartcardLogin		= 1.3.6.1.4.1.311.20.2
+ClientAuthentication	= 1.3.6.1.4.1.311.20.2.2
+
+####################################################################
+
+[ ca ]
+default_ca	= root_ca		# The default ca section
+
+####################################################################
+
+[ root_ca ]				
+
+dir		= $CAHOME
+certs		= $dir/certs		  # Where the issued certs are kept
+crl_dir		= $dir/crl                # Where the issued crl are kept
+database	= $dir/index.txt          # database index file.
+new_certs_dir   = $dir/newcerts           # default place for new certs.
+
+certificate     = $dir/strongswanCert.pem # The CA certificate
+serial          = $dir/serial             # The current serial number
+crl             = $dir/crl.pem            # The current CRL
+private_key     = $dir/strongswanKey.pem  # The private key
+RANDFILE        = $dir/.rand              # private random number file
+
+x509_extensions = host_ext		  # The extentions to add to the cert
+
+crl_extensions	= crl_ext  		  # The extentions to add to the CRL
+
+default_days    = 1825                    # how long to certify for
+default_crl_days= 30			  # how long before next CRL
+default_md      = md5                     # which md to use.
+preserve        = no                      # keep passed DN ordering
+email_in_dn	= no			  # allow/forbid EMail in DN
+
+policy          = policy_match		  # specifying how similar the request must look
+
+####################################################################
+
+# the 'match' policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= optional
+localityName            = optional
+organizationName	= match
+organizationalUnitName	= optional
+userId			= optional
+serialNumber		= optional
+commonName		= supplied
+emailAddress		= optional
+
+# the 'anything' policy
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions		= ca_ext	# The extentions to add to the self signed cert
+# req_extensions 	= v3_req 	# The extensions to add to a certificate request
+
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask 			= nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+####################################################################
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= CH
+countryName_min			= 2
+countryName_max			= 2
+
+#stateOrProvinceName		= State or Province Name (full name)
+#stateOrProvinceName_default	= ZH
+
+#localityName			= Locality Name (eg, city)
+#localityName_default		= Winterthur
+
+organizationName		= Organization Name (eg, company)
+organizationName_default	= Linux strongSwan
+
+0.organizationalUnitName		= Organizational Unit Name (eg, section)
+#0.organizationalUnitName_default	= Research
+
+#1.organizationalUnitName	= Type (eg, Staff)
+#1.organizationalUnitName_default = Staff
+
+#userId				= UID 
+
+commonName			= Common Name (eg, YOUR name)
+commonName_default		= $ENV::COMMON_NAME
+commonName_max			= 64
+
+#0.emailAddress			= Email Address (eg, foo@bar.com)
+#0.emailAddress_min              = 0
+#0.emailAddress_max              = 40
+
+#1.emailAddress                  = Second Email Address (eg, foo@bar.com)
+#1.emailAddress_min              = 0
+#1.emailAddress_max              = 40
+
+####################################################################
+
+[ req_attributes ]
+
+####################################################################
+
+[ host_ext ]
+
+basicConstraints		= CA:FALSE
+keyUsage 			= digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer:always
+subjectAltName			= DNS:$ENV::COMMON_NAME
+#extendedKeyUsage		= OCSPSigner
+crlDistributionPoints          	= URI:http://crl.strongswan.org/strongswan.crl
+
+####################################################################
+
+[ user_ext ]
+
+basicConstraints		= CA:FALSE
+keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer:always
+subjectAltName                  = email:$ENV::COMMON_NAME 
+crlDistributionPoints          	= URI:http://crl.strongswan.org/strongswan.crl
+
+####################################################################
+
+[ ca_ext ]
+
+basicConstraints               	= critical, CA:TRUE
+keyUsage                        = cRLSign, keyCertSign
+subjectKeyIdentifier           = hash
+authorityKeyIdentifier         = keyid, issuer:always
+
+####################################################################
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+#issuerAltName			= issuer:copy
+authorityKeyIdentifier		= keyid:always, issuer:always
+
+# eof
diff --git a/testing/hosts/winnetou/etc/openssl/research/.rand b/testing/hosts/winnetou/etc/openssl/research/.rand
new file mode 100644
index 000000000..7479c2979
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/.rand
diff --git a/testing/hosts/winnetou/etc/openssl/research/carolReq.pem b/testing/hosts/winnetou/etc/openssl/research/carolReq.pem
new file mode 100644
index 000000000..f2a6b5c22
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/carolReq.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICnzCCAYcCAQAwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xETAPBgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdz
+d2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1
+ID41edDUgUjRdZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh
+8ZcR+TT8x0mOdYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+D
+Jl9XK9TtId5u57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yq
+GdPWODaN/Enw5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1a
+X7+M+IeYVwjIhzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4F
+jR8nhH4ApYMCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4IBAQA9OKM8HKu5Fp/HRsdS
+3Z/tuLVjwijVq/OIge1PnoW7Ri2hnTpWeaWcU2wIexsxPJR6kYwqp9NfxM73uUUU
+e/ROCU+kZxSuzfV3SMMI8bsjufuldxKUXs1B8Nit1Qkhhj1/4uN6FRzQ5E9vz0Yf
+OuVVJxMIEgQRdBTcZ8Cuf23Mcq+sBa/2OXD/y6WTUNrXvjTjmGWv1LnryB6Ro8se
+ndI7bIiMZ/sSOrhOWrii/655bpUSYIb0RCzOnbdNAevbn/bLMEpj0qiDSam88Y/6
+FIY5sDCsdlpHsI2vkIrvPo4PUE+yzBhezmrLbVoiHjVoZhr1h091777Bomg/oUxv
+beEk
+-----END CERTIFICATE REQUEST-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt
new file mode 100644
index 000000000..4bd650072
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt
@@ -0,0 +1,2 @@
+V	100322070423Z		01	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V	100615195710Z		02	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.attr b/testing/hosts/winnetou/etc/openssl/research/index.txt.attr
new file mode 100644
index 000000000..8f7e63a34
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.attr.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.attr.old
new file mode 100644
index 000000000..8f7e63a34
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.attr.old
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
new file mode 100644
index 000000000..148bab7d6
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
@@ -0,0 +1 @@
+V	100322070423Z		01	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/01.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/01.pem
new file mode 100644
index 000000000..2990d6a12
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/01.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
+M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
+dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
+dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
+57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
+5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
+hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
+qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
+FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
+Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
+7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
+wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
+MWjwPJs52qVJ3Ph++EF6bw==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/02.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/02.pem
new file mode 100644
index 000000000..90e207c4b
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/02.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIBAjANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDYxNjE5NTcxMFoXDTEwMDYxNTE5NTcx
+MFowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM
+BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH
+/QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq
+4JI87exSen1ggmCVEib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6
+XL9DKcRk3TxZtv9SuDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562
+kDtfQdwezat0LAyOsVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAj
+gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1
+p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQwwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov
+L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQEFBQAD
+ggEBAJW0/z17JK38rsn8zh0Ta+9Ql5fcA9UIUGcN/KfCvdGwrYaym8Dy6Pz+sZkO
+clOv5t+3R1zKDiiLGQ4m8jYW6NcxeJZyyPhGtKaafanXZsQuMpaTpvkRr62jx/NB
+b3c/HS3dqz2dTMvFJ6CC65vOnnGgzF1szhrrWymGI/NuHUge748WYPNw+OsLmBQI
+koXJsMURGtPWXtJE98Rre+r/6O5kzZNv7V8LGoBkWf1Z6g1q2VvCcnJPxANcQoxf
+Is+E+aqBhGJ6XlnQIlQB1SjoMhOnJ282JK9Hk3NmQYb/zvIzIfo3FCrjj1JI/XoA
+/szZoxwnE2iHtIoMAhfHZpRvOkg=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
new file mode 100644
index 000000000..b5afd3d2e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
@@ -0,0 +1,181 @@
+# openssl.cnf -  OpenSSL configuration file for the ZHW PKI
+# Mario Strasser <mario.strasser@zhwin.ch>
+#
+# $Id: openssl.cnf,v 1.1 2005/03/24 11:24:07 as Exp $
+#	
+
+# This definitions were set by the ca_init script DO NOT change
+# them manualy.
+CAHOME			= /etc/openssl/research
+RANDFILE		= $CAHOME/.rand
+
+# Extra OBJECT IDENTIFIER info:
+oid_section		= new_oids
+
+[ new_oids ]
+SmartcardLogin		= 1.3.6.1.4.1.311.20.2
+ClientAuthentication	= 1.3.6.1.4.1.311.20.2.2
+
+####################################################################
+
+[ ca ]
+default_ca	= root_ca		# The default ca section
+
+####################################################################
+
+[ root_ca ]				
+
+dir		= $CAHOME
+certs		= $dir/certs		  # Where the issued certs are kept
+crl_dir		= $dir/crl                # Where the issued crl are kept
+database	= $dir/index.txt          # database index file.
+new_certs_dir   = $dir/newcerts           # default place for new certs.
+
+certificate     = $dir/researchCert.pem   # The CA certificate
+serial          = $dir/serial             # The current serial number
+crl             = $dir/crl.pem            # The current CRL
+private_key     = $dir/researchKey.pem    # The private key
+RANDFILE        = $dir/.rand              # private random number file
+
+x509_extensions = host_ext		  # The extentions to add to the cert
+
+crl_extensions	= crl_ext  		  # The extentions to add to the CRL
+
+default_days    = 1825                    # how long to certify for
+default_crl_days= 30			  # how long before next CRL
+default_md      = sha1                    # which md to use.
+preserve        = no                      # keep passed DN ordering
+email_in_dn	= no			  # allow/forbid EMail in DN
+
+policy          = policy_match		  # specifying how similar the request must look
+
+####################################################################
+
+# the 'match' policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= optional
+localityName            = optional
+organizationName	= match
+organizationalUnitName	= optional
+userId			= optional
+commonName		= supplied
+emailAddress		= optional
+
+# the 'anything' policy
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions		= ca_ext	# The extentions to add to the self signed cert
+# req_extensions 	= v3_req 	# The extensions to add to a certificate request
+
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask 			= nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+####################################################################
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= CH
+countryName_min			= 2
+countryName_max			= 2
+
+#stateOrProvinceName		= State or Province Name (full name)
+#stateOrProvinceName_default	= ZH
+
+#localityName			= Locality Name (eg, city)
+#localityName_default		= Winterthur
+
+organizationName		= Organization Name (eg, company)
+organizationName_default	= Linux strongSwan
+
+0.organizationalUnitName		= Organizational Unit Name (eg, section)
+0.organizationalUnitName_default	= Research
+
+#1.organizationalUnitName	= Type (eg, Staff)
+#1.organizationalUnitName_default = Staff
+
+#userId				= UID 
+
+commonName			= Common Name (eg, YOUR name)
+commonName_default		= $ENV::COMMON_NAME
+commonName_max			= 64
+
+#0.emailAddress			= Email Address (eg, foo@bar.com)
+#0.emailAddress_min              = 0
+#0.emailAddress_max              = 40
+
+#1.emailAddress                  = Second Email Address (eg, foo@bar.com)
+#1.emailAddress_min              = 0
+#1.emailAddress_max              = 40
+
+####################################################################
+
+[ req_attributes ]
+
+####################################################################
+
+[ host_ext ]
+
+basicConstraints		= CA:FALSE
+keyUsage 			= digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer:always
+subjectAltName			= DNS:$ENV::COMMON_NAME
+#extendedKeyUsage		= OCSPSigner
+crlDistributionPoints          	= URI:http://crl.strongswan.org/research.crl
+
+####################################################################
+
+[ user_ext ]
+
+basicConstraints		= CA:FALSE
+keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer:always
+subjectAltName                  = email:$ENV::COMMON_NAME 
+crlDistributionPoints          	= URI:http://crl.strongswan.org/research.crl
+
+####################################################################
+
+[ ca_ext ]
+
+basicConstraints               	= critical, CA:TRUE
+keyUsage                        = cRLSign, keyCertSign
+subjectKeyIdentifier           = hash
+authorityKeyIdentifier         = keyid, issuer:always
+
+####################################################################
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+#issuerAltName			= issuer:copy
+authorityKeyIdentifier		= keyid:always, issuer:always
+
+# eof
diff --git a/testing/hosts/winnetou/etc/openssl/research/researchCert.der b/testing/hosts/winnetou/etc/openssl/research/researchCert.der
new file mode 100644
index 000000000..2a52f620d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/researchCert.der
diff --git a/testing/hosts/winnetou/etc/openssl/research/researchCert.pem b/testing/hosts/winnetou/etc/openssl/research/researchCert.pem
new file mode 100644
index 000000000..154cff654
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/researchCert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
+FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
+zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
+/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
+C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
+BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
+VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
+Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
+fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
+3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
+0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
+IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
+Tfcyi+M=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/researchKey.pem b/testing/hosts/winnetou/etc/openssl/research/researchKey.pem
new file mode 100644
index 000000000..5e6f030f9
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/researchKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAtjmyOqbgB1tYpz9PslqFanL3G109seeAE3qVuelhod+vGcay
++YMUIVkcJ3t6BGpD8C4kcdwS/cNR18lZYDKlWdS92VynnyEGOnF9M9c/0gMHHNBp
+DJTOwTEgZY5VRjZ7vEnkEoGddWSiTeG1jgevUZ2o2H7csSZt6AkGeBNFJHHg8onn
+gU79vvwtTMH6szGvPHD+WcjyMSYC0qW6BDtz1q4x4ULP42aVJ+dKhaEc3mqb7SI0
+rLQL7bki4Tw2r6LeO0GIjwHAGodje7Yi5+VSH01z139Hq8axE8wezfRfUdr+bRSD
+j3j7DCrB8QFlGPPEyYwX/VIbgjUTdMM4neyuOQIDAQABAoIBAA0xhjb66BOASJ3r
+VpDaPvijFEMV8CaWVU6TvI12WUxIDrx2B3VLSUTU19X/+aiiLQMRxC++OF3JK37N
+JDxzzkb/wTMgoz5BPNs0ZlU/i25gK76pVEHF8GZKcUcJFCF+Rl0umGXCnqzmOV4c
+LnH3Gnl1SclK/h2RY7m+FYrSElp+COHYBnW0agLIfRv/fF/1yApBP6jGegEFXp5z
+ZEwmmS2GbjVRq7ClqXfadQaPwRmGuueChq9S0DaY2z6/EAQJM/mHZYkeZGNTJqTk
+KWY0RmFZlCXRIxs+hG1agPZ/jdRwnxghPDcpnNZHKXLyoQhUa9oXn+RuUxPdK/s3
+9nB30xECgYEA6snKErKb04Sj6sB0/ONMK3OENVcbBYZlhyzymuSgpFY8FhhyDFIG
+H80eMGzlusvrBfV7OfJd17Mwuy0H3WBSGapbqXUa/vNc37VSGCiTObz/5RDhyU1N
+6zq5RZKPVDgnJ3VBTEr8Ito6b5iZWtyaRw0e4Xv1K0tdQPTLe2TaAEUCgYEAxrA6
+A94jBZWMwrXrUa7DCi0Y7BPh8hbZwHH1qEr8xNALnXGHSA5BbhjqLkYCWP5GlvrC
+G0TNrX1SMTv739wQL/GqvLTM1Jc/jrmPkLBymLNyweaKBXFt1qJDOdvtMwZdDo0y
+9hKXfyCDMURi3JhP/GLzA3bUruw28njZYgWI92UCgYBSKHyKoG+Ay7hkTCZj29Hq
+noiT9cAh5c6fR645X2mLOBXckX9PKmC0Ph2jSmf1PqgmNKmDNHl8IlsaFH7dC3iP
+PJrIqI7iyhwkuBlbFM+385gD+y1XOLLcbncojkmTafbhitlnrhGezIiIRnjbX7io
+xkGZG7xGAyBFu6N8sWTLlQKBgHdPN2c/KxSdWytJBofEQ8aGkiKhRdqTsiqHxBZN
+AUBGFdNzauLv/IZaW7VxwNMjzcu3xHuPc1qsmICMHpGsmePQYNB0WVOHh1jzQKyH
+6CieCVk6UMM3+9cZFPlXgTZUqeilDWcKfwKNyXn6MMt6gv1xhbAc2VY47j3oJ9Fe
+tYKpAoGAAWY1MTen71hatSFA7UGweuTqok5vhp0CPtGwCXLNHUcEhy1Fc640EO9i
+8i35fLA79haYWgpZ+GvrW9eYLPB8djidGSfzajc5C2CITHOrDQ6YQzKhwLjRHvB5
+gFQ8pdzFiXmSEvtfRwhoJvW19wdCZZx41VZ554ILOYrjtkntOB8=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial
new file mode 100644
index 000000000..75016ea36
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/serial
@@ -0,0 +1 @@
+03
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old
new file mode 100644
index 000000000..9e22bcb8e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/serial.old
@@ -0,0 +1 @@
+02
diff --git a/testing/hosts/winnetou/etc/openssl/sales/.rand b/testing/hosts/winnetou/etc/openssl/sales/.rand
new file mode 100644
index 000000000..dd489598f
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/.rand
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt b/testing/hosts/winnetou/etc/openssl/sales/index.txt
new file mode 100644
index 000000000..5093b34e9
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt
@@ -0,0 +1,2 @@
+V	100322071017Z		01	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
+V	100615195536Z		02	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt.attr b/testing/hosts/winnetou/etc/openssl/sales/index.txt.attr
new file mode 100644
index 000000000..8f7e63a34
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
new file mode 100644
index 000000000..7378ebb8a
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
@@ -0,0 +1 @@
+V	100322071017Z		01	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/01.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/01.pem
new file mode 100644
index 000000000..b76032480
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/01.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
+BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
+BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS
+zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+
+1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN
+P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+
++eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP
+aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY
+GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
+YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
+cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P
+p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw
+ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6
+Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA
+DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/
+Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/02.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/02.pem
new file mode 100644
index 000000000..efb939e3a
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/02.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID/TCCAuWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
+BAMTCFNhbGVzIENBMB4XDTA1MDYxNjE5NTUzNloXDTEwMDYxNTE5NTUzNlowUTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT
+CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf
+rxnGsvmDFCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9ID
+BxzQaQyUzsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx
+4PKJ54FO/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5q
+m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha
+/m0Ug494+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOB5TCB4jAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM
+x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQ0wNAYDVR0fBC0wKzApoCegJYYjaHR0cDov
+L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQEFBQADggEB
+AJ2EkXnpgdJpsBIMcH+3oTUks8gAT5bR+LdVQSMHqvjgfaCq5fuZY15niLm5QeFr
+Yhv2KtfHfF+tZgE+qWcqS33Y2U/jwUMO45Wqi5HXQDk8AM/gcvQZ8+PINkGdVdup
+Wyw3MM08S/fp8UUl/3QrDr+CBGqZCSx3LEIFILm2hvdXK1/okAtkwlKV4YiOEemg
+pZURzA2M29FeGDS8snfiVYFBkydT9QrrHnx8IwyVGykfOA4tnjRsjTvcs0qhtLcL
+rjK2FSmzBTCVl6/lBOYmB765KUHev6WF4hdMKHf7lsH2nhYb97jxoT54y73jVd1S
+uaJ2yDwEhOHn3ihb1bqlanM=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
new file mode 100644
index 000000000..adb204bc2
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
@@ -0,0 +1,181 @@
+# openssl.cnf -  OpenSSL configuration file for the ZHW PKI
+# Mario Strasser <mario.strasser@zhwin.ch>
+#
+# $Id: openssl.cnf,v 1.1 2005/03/24 11:24:07 as Exp $
+#	
+
+# This definitions were set by the ca_init script DO NOT change
+# them manualy.
+CAHOME			= /etc/openssl/sales 
+RANDFILE		= $CAHOME/.rand
+
+# Extra OBJECT IDENTIFIER info:
+oid_section		= new_oids
+
+[ new_oids ]
+SmartcardLogin		= 1.3.6.1.4.1.311.20.2
+ClientAuthentication	= 1.3.6.1.4.1.311.20.2.2
+
+####################################################################
+
+[ ca ]
+default_ca	= root_ca		# The default ca section
+
+####################################################################
+
+[ root_ca ]				
+
+dir		= $CAHOME
+certs		= $dir/certs		  # Where the issued certs are kept
+crl_dir		= $dir/crl                # Where the issued crl are kept
+database	= $dir/index.txt          # database index file.
+new_certs_dir   = $dir/newcerts           # default place for new certs.
+
+certificate     = $dir/salesCert.pem      # The CA certificate
+serial          = $dir/serial             # The current serial number
+crl             = $dir/crl.pem            # The current CRL
+private_key     = $dir/salesKey.pem       # The private key
+RANDFILE        = $dir/.rand              # private random number file
+
+x509_extensions = host_ext		  # The extentions to add to the cert
+
+crl_extensions	= crl_ext  		  # The extentions to add to the CRL
+
+default_days    = 1825                    # how long to certify for
+default_crl_days= 30			  # how long before next CRL
+default_md      = sha1                    # which md to use.
+preserve        = no                      # keep passed DN ordering
+email_in_dn	= no			  # allow/forbid EMail in DN
+
+policy          = policy_match		  # specifying how similar the request must look
+
+####################################################################
+
+# the 'match' policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= optional
+localityName            = optional
+organizationName	= match
+organizationalUnitName	= optional
+userId			= optional
+commonName		= supplied
+emailAddress		= optional
+
+# the 'anything' policy
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions		= ca_ext	# The extentions to add to the self signed cert
+# req_extensions 	= v3_req 	# The extensions to add to a certificate request
+
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask 			= nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+####################################################################
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= CH
+countryName_min			= 2
+countryName_max			= 2
+
+#stateOrProvinceName		= State or Province Name (full name)
+#stateOrProvinceName_default	= ZH
+
+#localityName			= Locality Name (eg, city)
+#localityName_default		= Winterthur
+
+organizationName		= Organization Name (eg, company)
+organizationName_default	= Linux strongSwan
+
+0.organizationalUnitName		= Organizational Unit Name (eg, section)
+0.organizationalUnitName_default	= Sales
+
+#1.organizationalUnitName	= Type (eg, Staff)
+#1.organizationalUnitName_default = Staff
+
+#userId				= UID 
+
+commonName			= Common Name (eg, YOUR name)
+commonName_default		= $ENV::COMMON_NAME
+commonName_max			= 64
+
+#0.emailAddress			= Email Address (eg, foo@bar.com)
+#0.emailAddress_min              = 0
+#0.emailAddress_max              = 40
+
+#1.emailAddress                  = Second Email Address (eg, foo@bar.com)
+#1.emailAddress_min              = 0
+#1.emailAddress_max              = 40
+
+####################################################################
+
+[ req_attributes ]
+
+####################################################################
+
+[ host_ext ]
+
+basicConstraints		= CA:FALSE
+keyUsage 			= digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer:always
+subjectAltName			= DNS:$ENV::COMMON_NAME
+#extendedKeyUsage		= OCSPSigner
+crlDistributionPoints          	= URI:http://crl.strongswan.org/sales.crl
+
+####################################################################
+
+[ user_ext ]
+
+basicConstraints		= CA:FALSE
+keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer:always
+subjectAltName                  = email:$ENV::COMMON_NAME 
+crlDistributionPoints          	= URI:http://crl.strongswan.org/sales.crl
+
+####################################################################
+
+[ ca_ext ]
+
+basicConstraints               	= critical, CA:TRUE
+keyUsage                        = cRLSign, keyCertSign
+subjectKeyIdentifier           = hash
+authorityKeyIdentifier         = keyid, issuer:always
+
+####################################################################
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+#issuerAltName			= issuer:copy
+authorityKeyIdentifier		= keyid:always, issuer:always
+
+# eof
diff --git a/testing/hosts/winnetou/etc/openssl/sales/salesCert.der b/testing/hosts/winnetou/etc/openssl/sales/salesCert.der
new file mode 100644
index 000000000..529fd2d45
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/salesCert.der
diff --git a/testing/hosts/winnetou/etc/openssl/sales/salesCert.pem b/testing/hosts/winnetou/etc/openssl/sales/salesCert.pem
new file mode 100644
index 000000000..e50477872
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/salesCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
+MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
+GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV
+Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S
+uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO
+sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1
+vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
+MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
+VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
+MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
+8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
+9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
+iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
+uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
+xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/salesKey.pem b/testing/hosts/winnetou/etc/openssl/sales/salesKey.pem
new file mode 100644
index 000000000..96dab2928
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/salesKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAwk5NJpmMN7lRH6Eluh1wTjRYHFab6vQWIP4UtzZzSEf9Bxab
+Vd+qdz2po88ajE7YF/BeAUQd851DMca62GGy90w+SZY/Vne4OvCxyquYvKrgkjzt
+7FJ6fWCCYJUSJvnlPh83GtMgYlqh7omf2/1nAbYH5SvecUD/B1yRJ2onFzpcv0Mp
+xGTdPFm2/1K4N+0T0bvzs7o8lLJ/JRiGV3PURl7k9OxSgBsEnQMNcnHfnraQO19B
+3B7Nq3QsDI6xVptir/Qb98FnAst6vioYXb7cKy8/uM1eeFFh5K/b7iLaYCOBsFEj
+UDeKqhTc2rW88CrOt6Q4j9FX0et70vWvxfV0gQIDAQABAoIBACypguJUeP52Akea
+6ukUyzOupHIfFkezQ0LiJDDYuzbqFScD80CR4MT3z35vpFKL7O/TuEfiOGA+zasr
+WtdR3akqRUb02iot6pLhsHw9ZSY4wNXcW3PuoWkgPdelbD65QhA9bJUl4lO5MW97
+Atu2K28hQD9VDhRKNFSk2liM9d9IjGeO3Eg0FnN/gDiFRHN0A5vrjqnmkUWqeJzh
+561pomDuNxyGK1NkgZ+Cc75e+KJYwLX4sSzPiyMJhTt+ERLBb1ngcXpjcRn9Kjq+
+1QCsFbeuk1F034GnMEf5b1flu6vrmpWC3wnNQLRLuYommQ1O+uQtl9be2a+olCTd
+jD8aAuECgYEA5SnJtLNPQPTj6LzIE9EGZzp78OOzJaHDNfungGAAnv8xV55ap8g1
+3KORa+QKwpCa2MgV9UKtsuql1OjfslYjFARaOp24Qh7z+GFfzsWX4V7C4zlYbGfj
+Fe905/5sNeZnZwgiwKK0kQpZ/dyS1RI1koXphVBAb+sLh9gRdm3Qw/sCgYEA2Q+B
+Rv6WpymV09Vp7c3yHDWmVwLJCoFZoWgSuu6XPUF1MuH3omYN211M3lA526OiH1ce
+wqY1jtA5vSe0w7ZVMhBYkNG6GI/aKBdMzpCoBtWYW/QZ+fl6F36DkEKPBPloPxLP
+0hR9xCsBvU/6VlSlBPGNFmsX5eNNMeHY68WdhLMCgYBlNynByBjPJdqr5wWvyvi7
+C1fGs6tiiaoA49+9kal0kF4oxuZfiMxRYWVPc+9UtC3QZb9dDlBN39nSyfBTgjwI
+EUwQ66yAd89l+wwn9Zn5jrMhTSjC6Leh7puCBBujStqM5UkEMFj0XtAUkiHAPkSv
+LLpRiXqMdBIps8MyvZohlQKBgEPB7U8mJg0klBq+YgTT5yIbNUOwIOXgnwQdossr
+s5Zxmo45r73IMccqhtZXINiJahByd623iLx+D6gWfv0hK9Mm+x6p+Xe1YBpnu5g3
+29vWTWtW9czsrcoruhIMVOzuljYqPymLL/9OlYptLu5IGgNDDBHVeG5Q2EYcBEUF
+OTi1AoGBAND42O8VS8tGsoR7QLeEwxjT8hCvSXYoTWcCVzbKjsPdGBkX2LiKwEr1
+B5pOfvNfFEgSmRm4LU5R/pG7seFQzlaAZCAavv2NUfC9F+5hwx95VHKXjZF+yE4m
+J6e8kb0p2zcyCZCC/61kztGk7FqH9sb/6E+6CDMP+1QYxytrkYYR
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial b/testing/hosts/winnetou/etc/openssl/sales/serial
new file mode 100644
index 000000000..75016ea36
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/serial
@@ -0,0 +1 @@
+03
diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial.old b/testing/hosts/winnetou/etc/openssl/sales/serial.old
new file mode 100644
index 000000000..9e22bcb8e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/serial.old
@@ -0,0 +1 @@
+02
diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial
new file mode 100644
index 000000000..f599e28b8
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/serial
@@ -0,0 +1 @@
+10
diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old
new file mode 100644
index 000000000..0ced2f35e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/serial.old
@@ -0,0 +1 @@
+0F
diff --git a/testing/hosts/winnetou/etc/openssl/start-ocsp b/testing/hosts/winnetou/etc/openssl/start-ocsp
new file mode 100755
index 000000000..bdc5dab38
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/start-ocsp
@@ -0,0 +1,20 @@
+#! /bin/sh
+# start an OpenSSL-based OCSP server
+#
+# Copyright (C) 2004  Andreas Steffen
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: start-ocsp,v 1.3 2005/01/01 18:12:14 as Exp $
+
+cd /etc/openssl
+openssl ocsp -index index.txt -CA strongswanCert.pem -port 8880 -rkey ocspKey.pem -rsigner ocspCert.pem -nmin 5 < /dev/null > /dev/null 2>&1 &
diff --git a/testing/hosts/winnetou/etc/openssl/strongswanCert.der b/testing/hosts/winnetou/etc/openssl/strongswanCert.der
new file mode 100644
index 000000000..c11cf21da
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/strongswanCert.der
diff --git a/testing/hosts/winnetou/etc/openssl/strongswanCert.pem b/testing/hosts/winnetou/etc/openssl/strongswanCert.pem
new file mode 100644
index 000000000..0de3b268d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/strongswanCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
+DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
+ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
+Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
+lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
+UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
+0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
+gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/strongswanKey.pem b/testing/hosts/winnetou/etc/openssl/strongswanKey.pem
new file mode 100644
index 000000000..24de3a820
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/strongswanKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAv/JfYuo9Vm5Ys8h6ScrzrGHPqWN3c02ELbP4/W6gI/ewEy5m
+JlASMXOGcpxtfEJ6jZ8We+E46OuuKxK5WTO67zajFcPd8iTO5Lub1XgTXQRnOCYp
+Yh/5a41F9uAC5Qg2YtzhgYBcFAs/LOk/g67jyGHP9hCjnwGJyzo8fLm/fioJVE4h
+cO+qGP3U/yD6lL4XbX/s/4IfaNFxUgQdm0bwz8/B5M9D3l0/Olh3Y6/pJn9TsRaZ
+syZPxVxRifVoKHEWbLmDB5UFaWQfow/7UN4TT+0vlzzvGjkoJ4YrxN2ql7uwFELi
+k8QQcNByJNS+R64nU+sr7UvB2pHGjseAxGIPDwIDAQABAoIBAFaigsMWjpDQRWD/
+/5IG9Gy9yQjfSC7Wse4e6ScaI1WYmfROYPSx90QyrGBWkmQfbUk2oONRCGq41WfD
+j7zfSGRn+Lv+J9L/IhLDStbS14qITj5dmxga7mzI2udOvH+7cTC2GWJmGSlC2kTf
+EjfRXCY5X6/kWrWN8C+2HU7+V5wNfMqFhhMnG3VTgPBRWeQ8oTgYdZ4jYolOt9/t
+DhXtw/eEvfDb1Rg8BYB4wgm5PbOshh4L6nFEnemHDZltx1H5ZtAKTrds2ZYdGIM/
+3V1b7/a+aKltoA2ctsp/U6aTDHdql4VPop01MHZHZZ0bAAw9a2QirBvpjjwiDIgd
+4K0EpYECgYEA6JHP9kV3KDMbU+H5rbAcp/I81MrpZ79Pvx2zO+p6Nrieqpgxgy1U
+PjE2td3RAWiJflrz7p7Kez/Y01BWIzQXjZQ1oRTYYByVqW9O1SjyGb3TIgO4pXqb
+0yr2y+yl8c6tD7RUYVrlNhBsln8vxZ1BVssM8iFuOXdIQTN3m8HY/HECgYEA00jc
+Hd7isVsBpBRgFuAS5o+jNsAq50GA2uRo2r2/hWQSeeCgm+0553u7gd+kMrd3q37l
+1xp1qYrEaMrZmBvpb0kDkIL+aT8trE6dYiNpAOvPoSd0SADH1uFMIK9YVxtRT1W6
+BklQ1epYDd+W8Or5kxMCtgSW/1IUYGaKxdz/g38CgYEAymGIvN/6Lws6LqaopRJp
+/WP4t5vTvKpodQEdZXhH3bKOsBk8jNA3TN96ooxiQn17mG8BcpbP0KzgvBJewsej
+71oXyRLgr9JwEj+ANFIrS2c6gZEHb0jgrMPoe9B1H5UgWFguTYHRkFh+hgArzCVq
+JGMR4upghrVcNRDadrobXqECgYEAndKc6YsmFoj+TswRgsTaGXNN3YXqBlg9okRf
+tpVqTH+V9Yg/MHoheLJKPBcMFf5J28asdOME5SIM2KI9q4ud8Uy+5uGSnJdezIjk
+svv0YYXD0IMiLu62V+Ju9TNFb7uuHu7QSAXX5hJot+Q+YbODvcLDkacYC5wKMIAo
+ROhxzI0CgYAQlsrMUOJoVQ93pMBMxy4e2/m4vkchCvk9LIdnGlZt60ee6yDGasYq
+Qya5/bwekHXc6XRv+98EtBJ8My6rh6FWZutM3vUUtibWcNFVe/Fj6es+Tvv2M/DT
+fL6Ui9cY9l/CH0DyoDbOuI1ysF5+L7hxH6HoGERTazY6P8fHQgooaA==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/runlevels/default/apache2 b/testing/hosts/winnetou/etc/runlevels/default/apache2
new file mode 100755
index 000000000..f54f3444a
--- /dev/null
+++ b/testing/hosts/winnetou/etc/runlevels/default/apache2
@@ -0,0 +1,78 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="${opts} reload"
+
+[ "x${SERVERROOT}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -d ${SERVERROOT}"
+[ "x${CONFIGFILE}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -f ${CONFIGFILE}"
+[ "x${STARTUPERRORLOG}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -E ${STARTUPERRORLOG}"
+# set a default for PIDFILE/RESTARTSTYLE for those that FAILED to follow
+# instructiosn and update the conf.d/apache2 file.
+# (bug #38787)
+[ -z "${PIDFILE}" ] && PIDFILE=/var/run/apache2.pid
+[ -z "${RESTARTSTYLE}" ] && RESTARTSTYLE="graceful"
+
+checkconfig() {
+	local myconf="/etc/apache2/conf/apache2.conf"
+	if [ "x${CONFIGFILE}" != "x" ]; then
+		if [ ${CONFIGFILE:0:1} = "/" ]; then
+			myconf="${CONFIGFILE}"
+		else
+			myconf="${SERVERROOT:-/usr/lib/apache2}/${CONFIGFILE}"
+		fi
+	fi
+	if [ ! -r "${myconf}" ]; then
+		eerror "Unable to read configuration file: ${myconf}"
+		return 1
+	fi
+    if [ -z "${PIDFILE}" ]; then
+        eerror "\$PIDFILE is not set!"
+        eerror "Did you etc-update /etc/conf.d/apache2?"
+        return 1
+    fi
+    if [ -z "${RESTARTSTYLE}" ]; then
+        eerror "\$RESTARTSTYLE is not set!"
+        eerror "Did you etc-update /etc/conf.d/apache2?"
+        return 1
+    fi
+	/usr/sbin/apache2 -t ${APACHE2_OPTS} 1>/dev/null 2>&1
+	ret=$?
+	if [ $ret -ne 0 ]; then
+		eerror "Apache2 has detected a syntax error in your configuration files:"
+		/usr/sbin/apache2 -t ${APACHE2_OPTS}
+	fi
+	return $ret
+}
+
+depend() {
+	need net
+	use mysql dns logger netmount postgres
+	after sshd
+}
+
+start() {
+	checkconfig || return 1
+	ebegin "Starting apache2"
+	[ -f /var/log/apache2/ssl_scache ] && rm /var/log/apache2/ssl_scache
+	[ -f /usr/lib/apache2/build/envvars ] && . /usr/lib/apache2/build/envvars
+	env -i PATH=$PATH /sbin/start-stop-daemon --quiet \
+		--start --startas /usr/sbin/apache2 \
+		--pidfile ${PIDFILE} -- -k start ${APACHE2_OPTS}
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping apache2"
+	/usr/sbin/apache2ctl stop >/dev/null
+	start-stop-daemon -o --quiet --stop --pidfile ${PIDFILE}
+	eend $?
+}
+
+reload() {
+	# restarting apache2 is much easier than apache1. The server handles most of the work for us. 
+	# see http://httpd.apache.org/docs-2.0/stopping.html for more details
+	ebegin "Restarting apache2"
+	/usr/sbin/apache2 ${APACHE2_OPTS} -k ${RESTARTSTYLE}
+	eend $?
+}
diff --git a/testing/hosts/winnetou/etc/runlevels/default/net.eth0 b/testing/hosts/winnetou/etc/runlevels/default/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/winnetou/etc/runlevels/default/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/images/a-m-c-w-d.png b/testing/images/a-m-c-w-d.png
new file mode 100755
index 000000000..f0d758021
--- /dev/null
+++ b/testing/images/a-m-c-w-d.png
diff --git a/testing/images/a-m-c-w.png b/testing/images/a-m-c-w.png
new file mode 100755
index 000000000..0e8ec3a74
--- /dev/null
+++ b/testing/images/a-m-c-w.png
diff --git a/testing/images/a-m-c.png b/testing/images/a-m-c.png
new file mode 100644
index 000000000..538929225
--- /dev/null
+++ b/testing/images/a-m-c.png
diff --git a/testing/images/a-m-w-s-b.png b/testing/images/a-m-w-s-b.png
new file mode 100755
index 000000000..e31fe5e9b
--- /dev/null
+++ b/testing/images/a-m-w-s-b.png
diff --git a/testing/images/a-v-m-c-w-d.png b/testing/images/a-v-m-c-w-d.png
new file mode 100755
index 000000000..1096af264
--- /dev/null
+++ b/testing/images/a-v-m-c-w-d.png
diff --git a/testing/images/a-v-m-w-s-b.png b/testing/images/a-v-m-w-s-b.png
new file mode 100755
index 000000000..53eafba3b
--- /dev/null
+++ b/testing/images/a-v-m-w-s-b.png
diff --git a/testing/images/m-c-w.png b/testing/images/m-c-w.png
new file mode 100755
index 000000000..066a8f8c6
--- /dev/null
+++ b/testing/images/m-c-w.png
diff --git a/testing/images/m-w-s.png b/testing/images/m-w-s.png
new file mode 100755
index 000000000..5f1aee2aa
--- /dev/null
+++ b/testing/images/m-w-s.png
diff --git a/testing/images/umlArchitecture_large.png b/testing/images/umlArchitecture_large.png
new file mode 100644
index 000000000..4588603e6
--- /dev/null
+++ b/testing/images/umlArchitecture_large.png
diff --git a/testing/images/umlArchitecture_small.png b/testing/images/umlArchitecture_small.png
new file mode 100644
index 000000000..2328f7554
--- /dev/null
+++ b/testing/images/umlArchitecture_small.png
diff --git a/testing/make-testing b/testing/make-testing
new file mode 100755
index 000000000..cf77a86d9
--- /dev/null
+++ b/testing/make-testing
@@ -0,0 +1,89 @@
+#!/bin/bash
+# Create the strongSwan UML testing environment
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: make-testing,v 1.4 2005/02/14 15:27:42 as Exp $
+
+DIR=`dirname $0`
+
+source $DIR/scripts/function.sh
+
+[ -f $DIR/testing.conf ] || die "!! Configuration file 'testing.conf' not found."
+
+source $DIR/testing.conf
+
+if [ "$#" -eq 0 ]
+then
+    HOSTS=$STRONGSWANHOSTS
+else
+    HOSTS=$*
+fi
+
+##########################################################################
+# build the UML kernel based on a vanilla kernel form kernel.org
+# and a matching UML patch from user-mode-linux.sourceforge.net
+#
+if [ $ENABLE_BUILD_UMLKERNEL = "yes" ]
+then
+   cecho "Building uml kernel (scripts/build-umlkernel)"
+   $DIR/scripts/build-umlkernel
+fi
+
+##########################################################################
+# Adding the ssh RSA public keys to ~/.ssh/known_hosts
+#
+if [ $ENABLE_BUILD_SSHKEYS = "yes" ]
+then
+   cecho "Adding ssh public keys of the uml instances (scripts/build-sshkeys)"
+   $DIR/scripts/build-sshkeys
+fi
+
+##########################################################################
+# copy the default UML host configurations to $BUILDDIR
+# and assign actual IP addresses to the UML hosts
+#
+if [ $ENABLE_BUILD_HOSTCONFIG = "yes" ]
+then
+   cecho "Building host configurations (scripts/build-hostconfig)"
+   $DIR/scripts/build-hostconfig
+fi
+
+##########################################################################
+# build a generic UML root file system based on a Gentoo root file system.
+# compile and install a specified strongSwan release into the file system.
+#
+if [ $ENABLE_BUILD_UMLROOTFS = "yes" ]
+then
+   cecho "Building uml root file system with strongSwan (scripts/build-umlrootfs)"
+   $DIR/scripts/build-umlrootfs
+fi
+
+##########################################################################
+# Creating the root filesystems for the specified UML instances
+#
+if [ $ENABLE_BUILD_UMLHOSTFS = "yes" ]
+then
+   cecho "Building uml host root file systems (scripts/build-umlhostfs)"
+   $DIR/scripts/build-umlhostfs $HOSTS
+fi
+
+##########################################################################
+# Start up the UML switches and designated UML instances
+#
+if [ $ENABLE_START_TESTING = "yes" ]
+then
+   cecho "Starting the uml switches and instances (start-testing)"
+   $DIR/start-testing $HOSTS
+fi
diff --git a/testing/scripts/build-hostconfig b/testing/scripts/build-hostconfig
new file mode 100755
index 000000000..0df8861c8
--- /dev/null
+++ b/testing/scripts/build-hostconfig
@@ -0,0 +1,103 @@
+#!/bin/bash
+# build the hosts configuration directory with the actual IP addresses
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: build-hostconfig,v 1.3 2005/02/08 10:40:48 as Exp $
+
+DIR=`dirname $0`
+
+source $DIR/function.sh
+
+[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found"
+[ -d $DIR/../hosts ]        || die "!! Directory 'hosts' not found"
+
+source $DIR/../testing.conf
+
+if [ ! -d $BUILDDIR ]
+then
+    cecho " * Creating directory '$BUILDDIR'"
+    mkdir $BUILDDIR
+fi
+
+########################################
+# copy default host configs to $BUILDDIR
+#
+
+HOSTCONFIGDIR=${BUILDDIR}/hosts
+
+if [ -d $HOSTCONFIGDIR ]
+then
+    rm -r $HOSTCONFIGDIR
+fi
+
+mkdir $HOSTCONFIGDIR
+cp -rfp ${UMLTESTDIR}/testing/hosts $BUILDDIR
+
+cecho " * Copied default host config directory to '$HOSTCONFIGDIR'"
+
+########################################
+# assign IP for each host to hostname
+#
+
+cecho-n " * Generate default config for.."
+
+HOSTIP=`ifconfig eth0 |grep inet |sed -e "s/.*inet addr://" -e "s/  Bcast.*//"`
+
+for host in $STRONGSWANHOSTS
+do
+    cecho-n "${host}.."
+    eval ip_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $1 }' | awk '{ print $1 }'`"
+
+    [ "`eval echo \\\$ip_${host}`" != "$HOSTIP" ] || die "$host has the same IP as eth0 (Host)! Please change that."
+
+    case $host in
+    moon)
+        eval ip1_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $2 }' | awk '{ print $1 }'`"
+        [ "`eval echo \\\$ip1_${host}`" != "$HOSTIP" ] || die "eth1 of $host has the same IP as eth0 (Host)! Please change that."
+        searchandreplace PH_IP_MOON $ip_moon $HOSTCONFIGDIR
+        searchandreplace PH_IP1_MOON $ip1_moon $HOSTCONFIGDIR
+        ;;
+    sun)
+        eval ip1_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $2 }' | awk '{ print $1 }'`"
+        [ "`eval echo \\\$ip1_${host}`" != "$HOSTIP" ] || die "eth1 of $host has the same IP as eth0 (Host)! Please change that."
+        searchandreplace PH_IP_SUN $ip_sun $HOSTCONFIGDIR
+        searchandreplace PH_IP1_SUN $ip1_sun $HOSTCONFIGDIR
+        ;;
+    alice)
+        searchandreplace PH_IP_ALICE $ip_alice $HOSTCONFIGDIR
+        ;;
+    venus)
+        searchandreplace PH_IP_VENUS $ip_venus $HOSTCONFIGDIR
+        ;;
+    bob)
+        searchandreplace PH_IP_BOB $ip_bob $HOSTCONFIGDIR
+        ;;
+    carol)
+        eval ip1_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $2 }' | awk '{ print $1 }'`"
+        searchandreplace PH_IP_CAROL $ip_carol $HOSTCONFIGDIR
+        searchandreplace PH_IP1_CAROL $ip1_carol $HOSTCONFIGDIR
+        ;;
+    dave)
+        eval ip1_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $2 }' | awk '{ print $1 }'`"
+        searchandreplace PH_IP_DAVE $ip_dave $HOSTCONFIGDIR
+        searchandreplace PH_IP1_DAVE $ip1_dave $HOSTCONFIGDIR
+        ;;
+    winnetou)
+        searchandreplace PH_IP_WINNETOU $ip_winnetou $HOSTCONFIGDIR
+        ;;
+    esac
+done
+
+cecho "done"
diff --git a/testing/scripts/build-sshkeys b/testing/scripts/build-sshkeys
new file mode 100755
index 000000000..f4d584d6b
--- /dev/null
+++ b/testing/scripts/build-sshkeys
@@ -0,0 +1,88 @@
+#!/bin/bash
+# build the hosts configuration directory with the actual IP addresses
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: build-sshkeys,v 1.2 2005/02/15 14:12:16 as Exp $
+
+DIR=`dirname $0`
+
+source $DIR/function.sh
+
+[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found"
+[ -d $DIR/../hosts ]        || die "!! Directory 'hosts' not found"
+
+source $DIR/../testing.conf
+
+if [ ! -d $BUILDDIR ]
+then
+    cecho " * Creating directory '$BUILDDIR'"
+    mkdir $BUILDDIR
+fi
+
+LOGFILE=${BUILDDIR}/testing.log
+
+if [ ! -f $LOGFILE ]
+then
+    cecho-n " * Logfile '$LOGFILE' does not exist..creating.."
+    touch $LOGFILE
+    cecho "done"
+fi
+
+if [ ! -d ~/.ssh ]
+then
+    cecho-n " * Creating directory '~/.ssh'.."
+    mkdir ~/.ssh
+    cecho "done"
+fi
+
+if [ -f ~/.ssh/known_hosts ]
+then
+    cecho-n " * Backing up ~/.ssh/known_hosts to '~/.ssh/known_hosts.before_uml'.."
+    cp -fp ~/.ssh/known_hosts ~/.ssh/known_hosts.before_uml
+    cecho "done"
+else
+    cecho-n " * Creating '~/.ssh/known_hosts'"
+    touch ~/.ssh/known_hosts
+    cecho "done"
+fi
+
+for host in $HOSTNAMEIPS
+do
+    HOSTNAME=`echo $host | awk -F : '{ print $1 }'`
+    IP=`echo $host | awk -F : '{ print $2 }'`
+    if [ `grep "$IP " ~/.ssh/known_hosts | wc -l` != "0" ]
+    then
+        cecho "!! Warning: An entry exists for the following IP address: $IP"
+    else
+	cecho-n " * Adding uml host $HOSTNAME ($IP) to '~/.ssh/known_hosts'.."
+	echo "$HOSTNAME,$IP `cat $DIR/../hosts/ssh_host_rsa_key.pub`" >> ~/.ssh/known_hosts
+	cecho "done"
+    fi
+done
+
+#####################################
+# preparing ssh for PK authentication
+#
+
+cecho-n " * Checking for ssh rsa key '~/.ssh/id_rsa.pub'.."
+if [ -f ~/.ssh/id_rsa.pub ]
+then
+    cecho "already exists"
+else
+    cecho "not found"
+    cecho-n " * Generating ssh rsa key pair.."
+    echo "" | ssh-keygen -N "" -t rsa -f ~/.ssh/id_rsa >> $LOGFILE 2>&1
+    cecho "done"
+fi
diff --git a/testing/scripts/build-umlhostfs b/testing/scripts/build-umlhostfs
new file mode 100755
index 000000000..e77bfc025
--- /dev/null
+++ b/testing/scripts/build-umlhostfs
@@ -0,0 +1,78 @@
+#!/bin/bash
+# create UML host file systems
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: build-umlhostfs,v 1.3 2006/03/30 21:20:27 as Exp $
+
+DIR=`dirname $0`
+
+source $DIR/function.sh
+
+[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found."
+
+source $DIR/../testing.conf
+
+cd $BUILDDIR/root-fs
+
+[ -f gentoo-fs ] || die "!! Root file system 'gentoo-fs' not found."
+
+if [ ! -d $BUILDDIR ]
+then
+    cecho-n " * Directory '$BUILDDIR' does not exist..creating.."
+    mkdir $BUILDDIR
+    cecho "done"
+fi
+
+LOGFILE=${BUILDDIR}/testing.log
+
+if [ ! -f $LOGFILE ]
+then
+    cecho-n " * Logfile '$LOGFILE' does not exist..creating.."
+    touch $LOGFILE
+    cecho "done"
+fi
+
+LOOPDIR=loop
+
+if [ ! -d $LOOPDIR ]
+then
+    mkdir $LOOPDIR
+fi
+
+cecho-n " * Creating root filesystem for.."
+
+if [ "$#" -eq 0 ]
+then
+    HOSTS=$STRONGSWANHOSTS
+else
+    HOSTS=$*
+fi
+
+for host in $HOSTS
+do
+    cecho-n "$host.."
+    cp gentoo-fs gentoo-fs-$host
+    mount -o loop gentoo-fs-$host $LOOPDIR
+    cp -rfp $BUILDDIR/hosts/${host}/etc $LOOPDIR
+    if [ "$host" = "winnetou" ]
+    then
+	cp -rfp $UMLTESTDIR/testing/images $LOOPDIR/var/www/localhost/htdocs
+        chroot $LOOPDIR /etc/openssl/generate-crl >> $LOGFILE 2>&1
+    fi
+    chroot $LOOPDIR /etc/init.d/depscan.sh --update >> $LOGFILE 2>&1
+    umount $LOOPDIR
+done
+
+cecho "done"
diff --git a/testing/scripts/build-umlkernel b/testing/scripts/build-umlkernel
new file mode 100755
index 000000000..074d7847a
--- /dev/null
+++ b/testing/scripts/build-umlkernel
@@ -0,0 +1,134 @@
+#!/bin/bash
+# build an UML kernel based on a vanilla kernel and UML patch
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: build-umlkernel,v 1.2 2005/01/09 21:54:25 as Exp $
+
+DIR=`dirname $0`
+
+source $DIR/function.sh
+
+[ -f $DIR/../testing.conf ] || die "configuration file 'testing.conf' not found"
+
+source $DIR/../testing.conf
+
+cecho-n " * Looking for kernel at '$KERNEL'.."
+if [ -f "${KERNEL}" ]
+then
+    cecho "found it"
+    KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
+    cecho " * Kernel version is $KERNELVERSION"
+else
+    cecho "none"
+    exit
+fi
+
+if [ ${UMLPATCH} ]
+then
+    cecho-n " * Looking for uml patch at '$UMLPATCH'.."
+    if [ -f "${UMLPATCH}" ]
+    then
+	cecho "found it"
+    else
+	cecho "none"
+	exit
+    fi
+fi
+
+cecho-n " * Looking for kernel config at '$KERNELCONFIG'.."
+if [ -f "${KERNEL}" ]
+then
+    cecho "found it"
+else
+    cecho "none"
+    exit
+fi
+
+#######################################################
+# unpack kernel and create symlink
+#
+
+if [ ! -d $BUILDDIR ]
+then
+    cecho " * Creating directory '$BUILDDIR'"
+    mkdir $BUILDDIR
+fi
+
+cecho " * Changing to directory '$BUILDDIR'"
+cd $BUILDDIR
+
+LOGFILE=${BUILDDIR}/testing.log
+
+if [ ! -f $LOGFILE ]
+then
+    cecho-n " * Logfile '$LOGFILE' does not exist..creating.."
+    touch $LOGFILE
+    cecho "done"
+fi
+
+cecho-n " * Unpacking kernel.."
+tar xjf $KERNEL >> $LOGFILE 2>&1
+cecho "done"
+
+KERNELDIR=${BUILDDIR}/linux-${KERNELVERSION}
+
+if [ -d $KERNELDIR ]
+then
+    cecho " * Kernel directory is '$KERNELDIR'"
+    cecho " * Creating symlink 'linux'"
+    if [ -d linux ]
+    then
+	rm linux
+    fi
+    ln -s linux-${KERNELVERSION} linux
+else
+    cecho "!! Kernel directory '$KERNELDIR' can not be found"
+    exit
+fi
+
+#######################################################
+# patch kernel
+#
+
+cecho " * Changing to directory '$KERNELDIR'"
+cd $KERNELDIR
+
+if [ $UMLPATCH ]
+then
+    cecho-n " * Applying uml patch.."
+    bzcat $UMLPATCH | patch -p1 >> $LOGFILE 2>&1
+    cecho  "done"
+fi
+
+#######################################################
+# copy our default .config to linux and build kernel
+#
+
+cp $KERNELCONFIG .config
+
+cecho "!!"
+cecho "!! Making .config for kernel. You might be prompted for new parameters!"
+cecho "!!"
+make oldconfig ARCH=um >> $LOGFILE 2>&1
+
+cecho-n " * Now compiling uml kernel.."
+make linux ARCH=um  >> $LOGFILE 2>&1
+cecho "done"
+
+cecho-n " * Copying uml kernel to '${BUILDDIR}/linux-uml-${KERNELVERSION}'.."
+mv linux ${BUILDDIR}/linux-uml-${KERNELVERSION}
+cecho "done"
+
+
diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs
new file mode 100755
index 000000000..ba103838f
--- /dev/null
+++ b/testing/scripts/build-umlrootfs
@@ -0,0 +1,174 @@
+#!/bin/bash
+# Create UML root filesystem
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: build-umlrootfs,v 1.11 2006/01/08 22:29:56 as Exp $
+
+DIR=`dirname $0`
+
+source $DIR/function.sh
+
+[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found"
+
+source $DIR/../testing.conf
+
+STRONGSWANVERSION=`basename $STRONGSWAN .tar.bz2`
+
+cecho-n " * Looking for strongSwan at '$STRONGSWAN'.."
+if [ -f "$STRONGSWAN" ]
+then
+    cecho "found it"
+    cecho " * strongSwan version is '$STRONGSWANVERSION'"
+else
+    cecho "none"
+    exit
+fi
+
+cecho-n " * Looking for gentoo root filesystem at '$ROOTFS'.."
+if [ -f "$ROOTFS" ]
+then
+    cecho "found it"
+else
+    cecho "none"
+    exit
+fi
+
+[ -d $BUILDDIR ] || die "!! Directory '$BUILDDIR' does not exist"
+
+HOSTCONFIGDIR=$BUILDDIR/hosts
+
+[ -d $HOSTCONFIGDIR ] || die "!! Directory '$HOSTCONFIGDIR' does not exist"
+
+LOGFILE=$BUILDDIR/testing.log
+
+if [ ! -f $LOGFILE ]
+then
+    cecho-n " * Logfile '$LOGFILE' does not exist..creating.."
+    touch $LOGFILE
+    cecho "done"
+fi
+
+ROOTFSDIR=$BUILDDIR/root-fs
+
+if [ ! -d $ROOTFSDIR ]
+then
+    cecho-n " * Root file system directory '$ROOTFSDIR' does not exist..creating.."
+    mkdir $ROOTFSDIR
+    cecho "done"
+fi
+
+cd $ROOTFSDIR
+
+LOOPDIR=$ROOTFSDIR/loop
+
+if [ ! -d $LOOPDIR ]
+then
+    mkdir $LOOPDIR
+fi
+
+######################################################
+# creating reiser-based uml root filesystem
+#
+
+cecho-n " * Building basic root filesystem (gentoo).."
+dd if=/dev/zero of=gentoo-fs count=$ROOTFSSIZE bs=1M >> $LOGFILE 2>&1
+mkreiserfs -q -f gentoo-fs       >> $LOGFILE 2>&1
+mount -o loop gentoo-fs $LOOPDIR >> $LOGFILE 2>&1
+tar xjpf $ROOTFS -C $LOOPDIR     >> $LOGFILE 2>&1
+cecho "done"
+
+
+######################################################
+# copying default /etc/hosts to the root filesystem
+#
+cecho " * Copying '$HOSTCONFIGDIR/default/etc/hosts' to the root filesystem"
+cp -fp $HOSTCONFIGDIR/default/etc/hosts $LOOPDIR/etc/hosts
+
+#
+#####################################################
+# extracting strongSwan into the root filesystem
+#
+
+cecho " * Extracting strongSwan into the root filesystem"
+tar xjf $STRONGSWAN -C $LOOPDIR/root >> $LOGFILE 2>&1
+
+
+######################################################
+# installing strongSwan and setting the local timezone
+#
+
+INSTALLSHELL=${LOOPDIR}/install.sh
+
+cecho " * Preparing strongSwan installation script"
+echo "ln -sf /usr/share/zoneinfo/${TZUML} /etc/localtime" >> $INSTALLSHELL
+
+if [ "$USE_LIBCURL" = "yes" ]
+then
+    echo "export USE_LIBCURL=true" >> $INSTALLSHELL
+fi
+
+if [ "$USE_LDAP" = "yes" ]
+then
+    echo "export USE_LDAP=true" >> $INSTALLSHELL
+fi
+
+echo "export USERCOMPILE=\'-DRANDOM_DEVICE=\\\"/dev/urandom\\\"\'" >> $INSTALLSHELL
+echo "cd /root/${STRONGSWANVERSION}" >> $INSTALLSHELL
+echo "make programs" >> $INSTALLSHELL
+echo "make install" >> $INSTALLSHELL
+
+cecho-n " * Compiling $STRONGSWANVERSION within the root file system as chroot.."
+chroot $LOOPDIR /bin/bash /install.sh >> $LOGFILE 2>&1
+cecho "done"
+
+rm -f $INSTALLSHELL
+
+
+######################################################
+# copying the host's ssh public key
+#
+
+if [ ! -d $LOOPDIR/root/.ssh ]
+then
+    mkdir $LOOPDIR/root/.ssh
+fi
+cp ~/.ssh/id_rsa.pub $LOOPDIR/root/.ssh/authorized_keys
+
+######################################################
+# setup public key based login among all hosts
+#
+cp $LOOPDIR/etc/ssh/ssh_host_rsa_key $LOOPDIR/root/.ssh/id_rsa
+
+for host in $STRONGSWANHOSTS
+do
+    eval ip="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $1 }' | awk '{ print $1 }'`"
+    echo "$host,$ip `cat $HOSTCONFIGDIR/ssh_host_rsa_key.pub`" >> $LOOPDIR/root/.ssh/known_hosts
+    echo "`cat $HOSTCONFIGDIR/ssh_host_rsa_key.pub` root@$host" >> $LOOPDIR/root/.ssh/authorized_keys
+done
+
+######################################################
+# defining an empty modules.dep
+#
+
+if [ $UMLPATCH ]
+then
+    mkdir $LOOPDIR/lib/modules/`basename $UMLPATCH .bz2 | sed s/uml-patch-//`um
+    touch $LOOPDIR/lib/modules/`basename $UMLPATCH .bz2 | sed s/uml-patch-//`um/modules.dep
+else
+    mkdir $LOOPDIR/lib/modules/$KERNELVERSION
+    touch $LOOPDIR/lib/modules/$KERNELVERSION/modules.dep
+fi
+
+umount $LOOPDIR
diff --git a/testing/scripts/function.sh b/testing/scripts/function.sh
new file mode 100755
index 000000000..22a79698d
--- /dev/null
+++ b/testing/scripts/function.sh
@@ -0,0 +1,82 @@
+#!/bin/bash
+# provides some general-purpose script functions
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: function.sh,v 1.3 2005/02/16 22:20:52 as Exp $
+
+
+############################################
+# print output in color
+#
+
+function cecho {
+    echo -e "\033\13301;31m$1\033\1330m"
+}
+
+function cecho-n {
+    echo -en "\033\13301;31m$1\033\1330m"
+}
+
+
+#############################################
+# output all args to stderr and exit with
+# return code 1
+#
+
+die() {
+    echo $* 1>&2
+    exit 1
+}
+
+#############################################
+# search and replace strings throughout a
+# whole directory
+#
+
+function searchandreplace {
+
+    SEARCHSTRING="$1"
+    REPLACESTRING="$2"
+    DESTDIR="$3"
+
+    [ -d "$DESTDIR" ] || die "$DESTDIR is not a directory!"
+
+
+    #########################
+    # create a temporary file
+    #
+
+    TMPFILE="/tmp/sr.$$"
+
+
+    ###########################################
+    # search and replace in each found file the
+    # given string
+    #
+
+    for eachfoundfile in `find $DESTDIR -type f`
+    do
+        sed -e "s/$SEARCHSTRING/$REPLACESTRING/g" "$eachfoundfile" > "$TMPFILE"
+        cp -f "$TMPFILE" "$eachfoundfile"
+    done
+
+
+    ###########################
+    # delete the temporary file
+    #
+
+    rm -f "$TMPFILE"
+
+}
diff --git a/testing/scripts/kstart-umls b/testing/scripts/kstart-umls
new file mode 100755
index 000000000..a533fb728
--- /dev/null
+++ b/testing/scripts/kstart-umls
@@ -0,0 +1,113 @@
+#!/bin/bash
+# starts the UML instances in a konsole (requires KDE)
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: kstart-umls,v 1.6 2005/08/30 22:13:12 as Exp $
+
+DIR=`dirname $0`
+
+source $DIR/function.sh
+
+[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
+
+source $DIR/../testing.conf
+
+if [ "$#" -eq 0 ]
+then
+    HOSTS=$STRONGSWANHOSTS
+else
+    HOSTS=$*
+fi
+
+BOOTING_HOSTS=""
+count_max=12
+count=0
+
+for host in $HOSTS
+do
+    up=0
+
+    if [ -d ~/.uml/${host} ]
+    then
+	pid=`cat ~/.uml/${host}/pid`
+	up=`ps up $pid | wc -l`
+    fi
+
+    if [ $up -eq 2 ]
+    then
+	cecho " * Great, ${host} is already running!"
+    else
+	rm -rf ~/.uml/${host}
+	BOOTING_HOSTS="$BOOTING_HOSTS ${host}"
+	let "count_max += 12"
+
+	UMLHOSTFS=$BUILDDIR/root-fs/gentoo-fs-${host}
+	[ -f  $UMLHOSTFS ] || die "!! uml root file system '$UMLHOSTFS' not found"
+
+	cecho-n " * Starting ${host}.."
+	eval konsole -title ${host} -e "$UMLKERNEL \
+	    umid=${host} \
+	    ubda=$UMLHOSTFS \
+	    \$SWITCH_${host} \
+	    mem=${MEM}M con=pty con0=fd:0,fd:1" &
+        cecho "done"
+    fi
+done
+
+if [ -z "$BOOTING_HOSTS" ]
+then
+    exit 0
+fi
+
+cecho " * Waiting for the uml instances to finish booting"
+
+for host in $BOOTING_HOSTS
+do
+    cecho-n " * Checking on $host.."
+
+    while [ $count -lt $count_max ] && [ ! -d ~/.uml/$host ]
+    do
+	cecho-n "."
+	sleep 5
+	let "count+=1"
+    done
+
+    if [ $count -ge $count_max ]
+    then
+	cecho "exit"
+	exit 1
+    fi
+
+    pid=`cat ~/.uml/$host/pid`
+    up=`ps up $pid | grep agetty | wc -l`
+
+    while [ $count -lt $count_max ] && [ $up -eq 0 ]
+    do
+	cecho-n "."
+	sleep 5
+	up=`ps up $pid | grep agetty | wc -l`
+	let "count+=1"
+    done
+
+    if [ $count -ge $count_max ]
+    then
+	cecho "exit"
+	exit 1
+    else
+	cecho "up"
+    fi
+done
+
+cecho " * All uml instances are up now"
diff --git a/testing/scripts/load-testconfig b/testing/scripts/load-testconfig
new file mode 100755
index 000000000..89da17e72
--- /dev/null
+++ b/testing/scripts/load-testconfig
@@ -0,0 +1,64 @@
+#!/bin/bash
+# Load test specific host configurations
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: load-testconfig,v 1.2 2004/12/13 21:02:42 as Exp $
+
+DIR=`dirname $0`
+
+source $DIR/function.sh
+
+[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
+
+source $DIR/../testing.conf
+
+##########################################################################
+# load-testconfig requires a testname as an argument
+#
+
+testname=$1
+
+TESTSDIR=$BUILDDIR/tests
+
+[ -d $TESTSDIR ] || die "Directory '$TESTSDIR' not found"
+[ -d $TESTSDIR/$testname ] || die "Test '$testname' not found"
+[ -f $TESTSDIR/$testname/test.conf ] || die "File 'test.conf' is missing"
+
+source $TESTSDIR/$testname/test.conf
+
+##########################################################################
+# copy test specific configurations to uml hosts
+#
+
+if [ -d $TESTSDIR/$testname/hosts ]
+then
+    for host in `ls $TESTSDIR/$testname/hosts`
+    do
+	eval HOSTLOGIN="root@`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $1 }' | awk '{ print $1 }'`"
+	scp -rp $TESTSDIR/$testname/hosts/$host/etc $HOSTLOGIN:/ > /dev/null 2>&1
+    done
+fi
+
+
+##########################################################################
+# clear the auth.log where IKE messages are logged
+#
+
+for host in $IPSECHOSTS
+do
+    eval HOSTLOGIN="root@`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $1 }' | awk '{ print $1 }'`"
+    ssh $HOSTLOGIN 'rm -f /var/log/auth.log; \
+		    kill -SIGHUP `cat /var/run/syslogd.pid`' > /dev/null 2>&1
+done
diff --git a/testing/scripts/restore-defaults b/testing/scripts/restore-defaults
new file mode 100755
index 000000000..129e46f56
--- /dev/null
+++ b/testing/scripts/restore-defaults
@@ -0,0 +1,53 @@
+#!/bin/bash
+# Restore the default host configurations
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: restore-defaults,v 1.2 2004/12/20 07:56:33 as Exp $
+
+DIR=`dirname $0`
+
+source $DIR/function.sh
+
+[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
+
+source $DIR/../testing.conf
+
+##########################################################################
+# load-testconfig requires a testname as an argument
+#
+
+testname=$1
+
+HOSTCONFIGDIR=$BUILDDIR/hosts
+TESTSDIR=$BUILDDIR/tests
+
+[ -d $TESTSDIR ] || die "Directory '$TESTSDIR' not found"
+[ -d $TESTSDIR/$testname ] || die "Test '$testname' not found"
+[ -f $TESTSDIR/$testname/test.conf ] || die "File 'test.conf' is missing"
+
+source $TESTSDIR/$testname/test.conf
+
+##########################################################################
+# copy default host config back if necessary
+#
+
+if [ -d $TESTSDIR/${testname}/hosts ]
+then
+    for host in `ls $TESTSDIR/${testname}/hosts`
+    do
+	eval HOSTLOGIN="root@`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $1 }' | awk '{ print $1 }'`"
+	scp -rp $HOSTCONFIGDIR/${host}/etc $HOSTLOGIN:/ > /dev/null 2>&1
+    done
+fi
diff --git a/testing/scripts/start-switches b/testing/scripts/start-switches
new file mode 100755
index 000000000..c90c9f86d
--- /dev/null
+++ b/testing/scripts/start-switches
@@ -0,0 +1,39 @@
+#!/bin/bash
+# starts the UML switches
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: start-switches,v 1.2 2004/12/19 19:17:25 as Exp $
+
+DIR=`dirname $0`
+
+source $DIR/function.sh
+
+[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
+
+source $DIR/../testing.conf
+
+for n in 0 1 2
+do
+    if [ `ps aux | grep uml_switch | grep umlswitch$n | wc -l` -eq 1 ]
+    then
+	cecho " * Great, umlswitch$n is already running!"
+    else
+	cecho-n " * Starting umlswitch$n.."
+	uml_switch -tap tap$n -unix /tmp/umlswitch$n >/dev/null </dev/null &
+	sleep 2
+	eval ifconfig "tap$n \$IFCONFIG_$n up"
+	cecho "done"
+    fi
+done
diff --git a/testing/scripts/start-umls b/testing/scripts/start-umls
new file mode 100755
index 000000000..f51791dfa
--- /dev/null
+++ b/testing/scripts/start-umls
@@ -0,0 +1,113 @@
+#!/bin/bash
+# starts the UML instances with a hidden screen
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: start-umls,v 1.5 2005/08/30 22:13:12 as Exp $
+
+DIR=`dirname $0`
+
+source $DIR/function.sh
+
+[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
+
+source $DIR/../testing.conf
+
+if [ "$#" -eq 0 ]
+then
+    HOSTS=$STRONGSWANHOSTS
+else
+    HOSTS=$*
+fi
+
+BOOTING_HOSTS=""
+count_max=12
+count=0
+
+for host in $HOSTS
+do
+    up=0
+
+    if [ -d ~/.uml/${host} ]
+    then
+	pid=`cat ~/.uml/${host}/pid`
+	up=`ps up $pid | wc -l`
+    fi
+    
+    if [ $up -eq 2 ]
+    then
+	cecho " * Great, ${host} is already running!"
+    else
+	rm -rf ~/.uml/${host}
+	BOOTING_HOSTS="$BOOTING_HOSTS ${host}"
+	let "count_max += 12"
+
+	UMLHOSTFS=$BUILDDIR/root-fs/gentoo-fs-${host}
+	[ -f  $UMLHOSTFS ] || die "!! uml root file system '$UMLHOSTFS' not found"
+
+	cecho-n " * Starting ${host}.."
+	eval screen -dmS ${host} "$UMLKERNEL \
+	    umid=${host} \
+	    ubda=$UMLHOSTFS \
+	    \$SWITCH_${host} \
+	    mem=${MEM}M con=pty con0=fd:0,fd:1"
+        cecho "done"
+    fi
+done
+
+if [ -z "$BOOTING_HOSTS" ]
+then
+    exit 0
+fi
+
+cecho " * Waiting for the uml instances to finish booting"
+
+for host in $BOOTING_HOSTS
+do
+    cecho-n " * Checking on $host.."
+
+    while [ $count -lt $count_max ] && [ ! -d ~/.uml/$host ]
+    do
+	cecho-n "."
+	sleep 5
+	let "count+=1"
+    done
+
+    if [ $count -ge $count_max ]
+    then
+	cecho "exit"
+	exit 1
+    fi
+
+    pid=`cat ~/.uml/$host/pid`
+    up=`ps up $pid | grep agetty | wc -l`
+
+    while [ $count -lt $count_max ] && [ $up -eq 0 ]
+    do
+	cecho-n "."
+	sleep 5
+	up=`ps up $pid | grep agetty | wc -l`
+	let "count+=1"
+    done
+
+    if [ $count -ge $count_max ]
+    then
+	cecho "exit"
+	exit 1
+    else
+	cecho "up"
+    fi
+done
+
+cecho " * All uml instances are up now"
diff --git a/testing/scripts/xstart-umls b/testing/scripts/xstart-umls
new file mode 100755
index 000000000..13c5d10a1
--- /dev/null
+++ b/testing/scripts/xstart-umls
@@ -0,0 +1,113 @@
+#!/bin/bash
+# starts the UML instances in an xterm (requires X11R6)
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: xstart-umls,v 1.6 2005/08/30 22:13:12 as Exp $
+
+DIR=`dirname $0`
+
+source $DIR/function.sh
+
+[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
+
+source $DIR/../testing.conf
+
+if [ "$#" -eq 0 ]
+then
+    HOSTS=$STRONGSWANHOSTS
+else
+    HOSTS=$*
+fi
+
+BOOTING_HOSTS=""
+count_max=12
+count=0
+
+for host in $HOSTS
+do
+    up=0
+
+    if [ -d ~/.uml/${host} ]
+    then
+	pid=`cat ~/.uml/${host}/pid`
+	up=`ps up $pid | wc -l`
+    fi
+    
+    if [ $up -eq 2 ]
+    then
+	cecho " * Great, ${host} is already running!"
+    else
+	rm -rf ~/.uml/${host}
+	BOOTING_HOSTS="$BOOTING_HOSTS ${host}"
+	let "count_max += 12"
+
+	UMLHOSTFS=$BUILDDIR/root-fs/gentoo-fs-${host}
+	[ -f  $UMLHOSTFS ] || die "!! uml root file system '$UMLHOSTFS' not found"
+
+	cecho-n " * Starting ${host}.."
+	eval xterm -title ${host} -rightbar -sb -sl 500 -e "$UMLKERNEL \
+	    umid=${host} \
+	    ubda=$UMLHOSTFS \
+	    \$SWITCH_${host} \
+	    mem=${MEM}M con=pty con0=fd:0,fd:1" &
+        cecho "done"
+    fi
+done
+
+if [ -z "$BOOTING_HOSTS" ]
+then
+    exit 0
+fi
+
+cecho " * Waiting for the uml instances to finish booting"
+
+for host in $BOOTING_HOSTS
+do
+    cecho-n " * Checking on $host.."
+
+    while [ $count -lt $count_max ] && [ ! -d ~/.uml/$host ]
+    do
+	cecho-n "."
+	sleep 5
+	let "count+=1"
+    done
+
+    if [ $count -ge $count_max ]
+    then
+	cecho "exit"
+	exit 1
+    fi
+
+    pid=`cat ~/.uml/$host/pid`
+    up=`ps up $pid | grep agetty | wc -l`
+
+    while [ $count -lt $count_max ] && [ $up -eq 0 ]
+    do
+	cecho-n "."
+	sleep 5
+	up=`ps up $pid | grep agetty | wc -l`
+	let "count+=1"
+    done
+
+    if [ $count -ge $count_max ]
+    then
+	cecho "exit"
+	exit 1
+    else
+	cecho "up"
+    fi
+done
+
+cecho " * All uml instances are up now"
diff --git a/testing/start-testing b/testing/start-testing
new file mode 100755
index 000000000..375a82be5
--- /dev/null
+++ b/testing/start-testing
@@ -0,0 +1,83 @@
+#!/bin/bash
+# Start up the specified UML instances and wait for them to finish booting
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: start-testing,v 1.4 2004/12/07 18:04:57 as Exp $
+
+DIR=`dirname $0`
+
+source $DIR/scripts/function.sh
+
+[ -f $DIR/testing.conf ] || die "!! Configuration file 'testing.conf' not found"
+[ -d $DIR/hosts ] || die "Directory hosts cannot be found."
+
+source $DIR/testing.conf
+
+if [ "$#" -eq 0 ]
+then
+    HOSTS=$STRONGSWANHOSTS
+else
+    HOSTS=$*
+fi
+
+#####################################################
+# start the uml switches
+#
+cecho "Start the uml switches  (scripts/start-switches)"
+$DIR/scripts/start-switches
+
+
+#####################################################
+# start the uml instances
+#
+case $UMLSTARTMODE in
+    konsole)
+	cecho "Start the uml instances  (scripts/kstart-umls)"
+	$DIR/scripts/kstart-umls $HOSTS
+	;;
+    xterm)
+	cecho "Start the uml instances  (scripts/xstart-umls)"
+	$DIR/scripts/xstart-umls $HOSTS
+	;;
+    screen)
+	cecho "Start the uml instances  (scripts/start-umls)"
+	$DIR/scripts/start-umls $HOSTS
+	;;
+    *)
+        die "The start mode is unknown! Please set $UMLSTARTMODE properly."
+	;;
+esac
+
+
+#####################################################
+# do the automated testing
+#
+if [ $ENABLE_DO_TESTS = "yes" ]
+then
+   cecho "Run the automated tests (do-tests)"
+   $DIR/do-tests
+fi
+
+
+##############################################################################
+# stop all UML instances and switches
+#
+
+if [ $ENABLE_STOP_TESTING = "yes" ]
+then
+   cecho "Stopping all UML instances and switches (stop-testing)"
+   $DIR/stop-testing $HOSTS
+fi
+
diff --git a/testing/stop-testing b/testing/stop-testing
new file mode 100755
index 000000000..5b53505ac
--- /dev/null
+++ b/testing/stop-testing
@@ -0,0 +1,51 @@
+#!/bin/bash
+# Stop all UML instances and UML switches
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: stop-testing,v 1.3 2004/12/07 18:04:57 as Exp $
+
+DIR=`dirname $0`
+
+source $DIR/scripts/function.sh
+
+[ -f $DIR/testing.conf ] || die "No configuration file testing.conf found."
+
+source $DIR/testing.conf
+
+if [ "$#" -eq 0 ]
+then
+    HOSTS=$STRONGSWANHOSTS
+else
+    HOSTS=$*
+fi
+
+#####################################################
+# Shutting down the uml instances
+#
+cecho-n " * Halting all UML instances.."
+for host in $HOSTS
+do
+    uml_mconsole $host halt &> /dev/null
+done
+cecho "done"
+
+#####################################################
+# Shutting down the uml switches
+#
+cecho-n " * Stopping the UML switches.."
+killall uml_switch &> /dev/null
+rm -f /tmp/umlswitch[012] &> /dev/null 2>&1
+cecho "done"
+
diff --git a/testing/testing.conf b/testing/testing.conf
new file mode 100755
index 000000000..92a138288
--- /dev/null
+++ b/testing/testing.conf
@@ -0,0 +1,154 @@
+#!/bin/bash
+# Global configuration file for strongswan UML testing.
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: testing.conf,v 1.52 2006/04/24 16:58:03 as Exp $
+
+# Root directory of testing
+UMLTESTDIR=~/strongswan-testing
+
+# Bzipped kernel sources
+# (file extension .tar.bz2 required)
+KERNEL=$UMLTESTDIR/linux-2.6.16.9.tar.bz2
+
+# Extract kernel version
+KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
+
+# Kernel configuration file
+KERNELCONFIG=$UMLTESTDIR/.config-2.6.16
+
+# Bzipped uml patch for kernel
+# (not needed anymore for 2.6.9 kernel or higher)
+UMLPATCH=
+
+# Bzipped source of strongSwan
+STRONGSWAN=$UMLTESTDIR/strongswan-2.7.0.tar.bz2
+
+# strongSwan compile options (use "yes" or "no")
+USE_LIBCURL="yes"
+USE_LDAP="yes"
+
+# Gentoo linux root filesystem
+ROOTFS=$UMLTESTDIR/gentoo-fs-20060330.tar.bz2
+
+# Size of the finished root filesystem in MB
+ROOTFSSIZE=544
+
+# Amount of Memory to use per UML [MB].
+# If "auto" is stated 1/12 of total host ram will be used.
+# Examples: MEM=64, MEM="128", MEM="auto"
+MEM=64
+
+# Directory where the UML kernels and file system will be built
+BUILDDIR=$UMLTESTDIR/umlbuild
+
+# Filename of the built UML Kernel
+UMLKERNEL=$BUILDDIR/linux-uml-$KERNELVERSION
+
+# Directory where test results will be stored
+TESTRESULTSDIR=$UMLTESTDIR/testresults
+
+# Timezone for the UMLs, look in /usr/share/zoneinfo!
+TZUML="Europe/Zurich"
+
+##############################################################
+# Enable particular steps in the make-testing and
+# start-testing scripts
+#
+ENABLE_BUILD_UMLKERNEL="yes"
+ENABLE_BUILD_SSHKEYS="yes"
+ENABLE_BUILD_HOSTCONFIG="yes"
+ENABLE_BUILD_UMLROOTFS="yes"
+ENABLE_BUILD_UMLHOSTFS="yes"
+ENABLE_START_TESTING="yes"
+ENABLE_DO_TESTS="yes"
+ENABLE_STOP_TESTING="no"
+
+##############################################################
+# How to start the UMLs?
+#
+# Start the UML instance in KDE konsole (requires KDE)
+UMLSTARTMODE="konsole"
+# Start the UML instance in an xterm (requires X11R6)
+# UMLSTARTMODE="xterm"
+# Start the UML instance without a terminal window
+# but screen -r <host> can open a window anytime
+# UMLSTARTMODE="screen"
+
+##############################################################
+# If set to "yes" only the tests stated at $SELECTEDTESTS
+# will be executed. (use "yes" or "no")
+#
+SELECTEDTESTSONLY="no"
+
+# Tests to do if $SELECTEDTESTSONLY is set "yes".
+#
+SELECTEDTESTS="net2net-cert"
+
+##############################################################
+# hostname and according IP(s)
+# You may change the IPs but keep them in the same net,
+# this means retain the netmasks!
+# Also don't use IPs ending with 254, they are reserved!
+#
+HOSTNAMEIPS="\
+alice:10.1.0.10 \
+venus:10.1.0.20 \
+moon:192.168.0.1:10.1.0.1 \
+carol:192.168.0.100:10.3.0.1 \
+winnetou:192.168.0.150 \
+dave:192.168.0.200:10.3.0.2 \
+sun:192.168.0.2:10.2.0.1 \
+bob:10.2.0.10"
+
+##############################################################
+# VPN gateways / clients
+# The hosts stated here will be created. Possible values
+# are sun, moon, dave, carol, alice, venus, bob, winnetou.
+# It's fine to make them all unless you don't have much
+# ressources. In this case we assume you know what you do!
+#
+STRONGSWANHOSTS="sun moon dave carol alice venus bob winnetou"
+
+##############################################################
+# Needed programs, do not change!
+#
+PROGRAMS="uml_switch uml_mconsole ssh ssh-keygen iptables \
+          chroot screen mkreiserfs"
+
+##############################################################
+# IP parameters of the UML switches
+#
+IFCONFIG_0="192.168.0.254 netmask 255.255.255.0"
+IFCONFIG_1="10.1.0.254 netmask 255.255.0.0"
+IFCONFIG_2="10.2.0.254 netmask 255.255.0.0"
+
+##############################################################
+# Network interfaces of the UML instances
+#
+SWITCH_alice="eth0=daemon,,unix,/tmp/umlswitch1"
+SWITCH_venus="eth0=daemon,,unix,/tmp/umlswitch1"
+SWITCH_moon="eth0=daemon,,unix,/tmp/umlswitch0 \
+             eth1=daemon,,unix,/tmp/umlswitch1"
+SWITCH_carol="eth0=daemon,,unix,/tmp/umlswitch0"
+SWITCH_winnetou="eth0=daemon,,unix,/tmp/umlswitch0"
+SWITCH_dave="eth0=daemon,,unix,/tmp/umlswitch0"
+SWITCH_sun="eth0=daemon,,unix,/tmp/umlswitch0 \
+            eth1=daemon,,unix,/tmp/umlswitch2"
+SWITCH_bob="eth0=daemon,,unix,/tmp/umlswitch2"
+
+
+
+
diff --git a/testing/tests/alg-blowfish/description.txt b/testing/tests/alg-blowfish/description.txt
new file mode 100644
index 000000000..cff0a1915
--- /dev/null
+++ b/testing/tests/alg-blowfish/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the strong cipher suite
+<b>BLOWFISH_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and 
+<b>BLOWFISH_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/alg-blowfish/evaltest.dat b/testing/tests/alg-blowfish/evaltest.dat
new file mode 100644
index 000000000..a9c9b803a
--- /dev/null
+++ b/testing/tests/alg-blowfish/evaltest.dat
@@ -0,0 +1,9 @@
+
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES
+carol::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES
+moon::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES
+carol::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+
diff --git a/testing/tests/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/alg-blowfish/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..fa68c9d3d
--- /dev/null
+++ b/testing/tests/alg-blowfish/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=blowfish256-sha2_512-modp4096!
+	esp=blowfish256-sha2_256!
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/alg-blowfish/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..39916a7ba
--- /dev/null
+++ b/testing/tests/alg-blowfish/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+	ike=blowfish256-sha2_512-modp4096!
+	esp=blowfish256-sha2_256!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/alg-blowfish/posttest.dat b/testing/tests/alg-blowfish/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/alg-blowfish/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/alg-blowfish/pretest.dat b/testing/tests/alg-blowfish/pretest.dat
new file mode 100644
index 000000000..6d2eeb5f9
--- /dev/null
+++ b/testing/tests/alg-blowfish/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
diff --git a/testing/tests/alg-blowfish/test.conf b/testing/tests/alg-blowfish/test.conf
new file mode 100644
index 000000000..a6c8f026c
--- /dev/null
+++ b/testing/tests/alg-blowfish/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/alg-serpent/description.txt b/testing/tests/alg-serpent/description.txt
new file mode 100644
index 000000000..f49c0a1c0
--- /dev/null
+++ b/testing/tests/alg-serpent/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the strong cipher suite
+<b>SERPENT_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and 
+<b>SERPENT_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/alg-serpent/evaltest.dat b/testing/tests/alg-serpent/evaltest.dat
new file mode 100644
index 000000000..6b792538b
--- /dev/null
+++ b/testing/tests/alg-serpent/evaltest.dat
@@ -0,0 +1,9 @@
+
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES
+carol::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES
+moon::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES
+carol::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+
diff --git a/testing/tests/alg-serpent/hosts/carol/etc/ipsec.conf b/testing/tests/alg-serpent/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..5d2369924
--- /dev/null
+++ b/testing/tests/alg-serpent/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=serpent256-sha2_512-modp4096!
+	esp=serpent256-sha2_256!
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/alg-serpent/hosts/moon/etc/ipsec.conf b/testing/tests/alg-serpent/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..7bdddf008
--- /dev/null
+++ b/testing/tests/alg-serpent/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+	ike=serpent256-sha2_512-modp4096!
+	esp=serpent256-sha2_256!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/alg-serpent/posttest.dat b/testing/tests/alg-serpent/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/alg-serpent/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/alg-serpent/pretest.dat b/testing/tests/alg-serpent/pretest.dat
new file mode 100644
index 000000000..6d2eeb5f9
--- /dev/null
+++ b/testing/tests/alg-serpent/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
diff --git a/testing/tests/alg-serpent/test.conf b/testing/tests/alg-serpent/test.conf
new file mode 100644
index 000000000..a6c8f026c
--- /dev/null
+++ b/testing/tests/alg-serpent/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/alg-sha2_256/description.txt b/testing/tests/alg-sha2_256/description.txt
new file mode 100644
index 000000000..900fcf017
--- /dev/null
+++ b/testing/tests/alg-sha2_256/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the rather strong cipher suite
+<b>AES_CBC_128-SHA2_256-MODP1536</b> for the IKE protocol and 
+<b>AES_128-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/alg-sha2_256/evaltest.dat b/testing/tests/alg-sha2_256/evaltest.dat
new file mode 100644
index 000000000..9b4caa278
--- /dev/null
+++ b/testing/tests/alg-sha2_256/evaltest.dat
@@ -0,0 +1,9 @@
+
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES
+carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES
+moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES
+carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+
diff --git a/testing/tests/alg-sha2_256/hosts/carol/etc/ipsec.conf b/testing/tests/alg-sha2_256/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c55ae8ab1
--- /dev/null
+++ b/testing/tests/alg-sha2_256/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=aes128-sha2_256-modp1536!
+	esp=aes128-sha2_256!
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/alg-sha2_256/hosts/moon/etc/ipsec.conf b/testing/tests/alg-sha2_256/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..748b1b85c
--- /dev/null
+++ b/testing/tests/alg-sha2_256/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+	ike=aes128-sha2_256-modp1536!
+	esp=aes128-sha2_256!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/alg-sha2_256/posttest.dat b/testing/tests/alg-sha2_256/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/alg-sha2_256/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/alg-sha2_256/pretest.dat b/testing/tests/alg-sha2_256/pretest.dat
new file mode 100644
index 000000000..7d077c126
--- /dev/null
+++ b/testing/tests/alg-sha2_256/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/alg-sha2_256/test.conf b/testing/tests/alg-sha2_256/test.conf
new file mode 100644
index 000000000..a6c8f026c
--- /dev/null
+++ b/testing/tests/alg-sha2_256/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/alg-twofish/description.txt b/testing/tests/alg-twofish/description.txt
new file mode 100644
index 000000000..0015561ee
--- /dev/null
+++ b/testing/tests/alg-twofish/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the strong cipher suite
+<b>TWOFISH_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and 
+<b>TWOFISH_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/alg-twofish/evaltest.dat b/testing/tests/alg-twofish/evaltest.dat
new file mode 100644
index 000000000..0568eec6e
--- /dev/null
+++ b/testing/tests/alg-twofish/evaltest.dat
@@ -0,0 +1,8 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES
+carol::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES
+moon::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES
+carol::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+
diff --git a/testing/tests/alg-twofish/hosts/carol/etc/ipsec.conf b/testing/tests/alg-twofish/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..8e3037a3b
--- /dev/null
+++ b/testing/tests/alg-twofish/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=twofish256-sha2_512-modp4096!
+	esp=twofish256-sha2_256!
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/alg-twofish/hosts/moon/etc/ipsec.conf b/testing/tests/alg-twofish/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..01004e94e
--- /dev/null
+++ b/testing/tests/alg-twofish/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+	ike=twofish256-sha2_512-modp4096!
+	esp=twofish256-sha2_256!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/alg-twofish/posttest.dat b/testing/tests/alg-twofish/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/alg-twofish/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/alg-twofish/pretest.dat b/testing/tests/alg-twofish/pretest.dat
new file mode 100644
index 000000000..7d077c126
--- /dev/null
+++ b/testing/tests/alg-twofish/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/alg-twofish/test.conf b/testing/tests/alg-twofish/test.conf
new file mode 100644
index 000000000..a6c8f026c
--- /dev/null
+++ b/testing/tests/alg-twofish/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/attr-cert/description.txt b/testing/tests/attr-cert/description.txt
new file mode 100644
index 000000000..b7f809c36
--- /dev/null
+++ b/testing/tests/attr-cert/description.txt
@@ -0,0 +1,7 @@
+The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
+<b>venus</b> by means of <b>X.509 Attribute Certificates</b>. Access to <b>alice</b>
+is granted to members of the group 'Research' whereas <b>venus</b> can only
+be reached by members of the groups 'Accounting' and 'Sales'. The roadwarriors
+<b>carol</b> and <b>dave</b> belong to the groups 'Research' and 'Accounting',
+respectively. Therefore <b>carol</b> can access <b>alice</b> and <b>dave</b>
+can reach <b>venus</b>.
\ No newline at end of file
diff --git a/testing/tests/attr-cert/evaltest.dat b/testing/tests/attr-cert/evaltest.dat
new file mode 100644
index 000000000..59f6eb76a
--- /dev/null
+++ b/testing/tests/attr-cert/evaltest.dat
@@ -0,0 +1,12 @@
+carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::alice.*peer matches group 'Research'::YES
+moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
+moon::cat /var/log/auth.log::venus.*peer doesn't match any group::YES
+moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
+dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::venus.*peer matches group 'Accounting'::YES
+moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
+dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
+moon::cat /var/log/auth.log::alice.*peer doesn't match any group::YES
+moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/attr-cert/hosts/carol/etc/ipsec.conf b/testing/tests/attr-cert/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..62fc49868
--- /dev/null
+++ b/testing/tests/attr-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,33 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+
+conn alice
+	rightsubnet=PH_IP_ALICE/32
+	auto=add
+	
+conn venus
+	rightsubnet=PH_IP_VENUS/32
+	auto=add
+
+
+
+
+
diff --git a/testing/tests/attr-cert/hosts/dave/etc/ipsec.conf b/testing/tests/attr-cert/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..9d932dc54
--- /dev/null
+++ b/testing/tests/attr-cert/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,33 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_DAVE
+	leftnexthop=%direct
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+
+conn alice
+	rightsubnet=PH_IP_ALICE/32
+	auto=add
+	
+conn venus
+	rightsubnet=PH_IP_VENUS/32
+	auto=add
+
+
+
+
+
diff --git a/testing/tests/attr-cert/hosts/moon/etc/ipsec.conf b/testing/tests/attr-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..bd72715ff
--- /dev/null
+++ b/testing/tests/attr-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,31 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+
+conn alice
+	leftsubnet=PH_IP_ALICE/32
+	right=%any
+	rightgroups=Research
+	auto=add
+	
+conn venus
+	leftsubnet=PH_IP_VENUS/32
+	right=%any
+	rightgroups="Accounting, Sales"
+	auto=add
+	
diff --git a/testing/tests/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem b/testing/tests/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
new file mode 100644
index 000000000..3c5c5d91d
--- /dev/null
+++ b/testing/tests/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEKjCCAxKgAwIBAgIBCzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDIxNzA4NDQzMFoXDTEwMDIxNjA4NDQzMFowZjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAsTF0F1dGhv
+cml6YXRpb24gQXV0aG9yaXR5MRowGAYDVQQDFBFhYUBzdHJvbmdzd2FuLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2Czo4Mds6Jz15DWop6ExWI
+wWt9zU8Xu//ow1F0Kf9a4DLjo8qO+km3gybByNQQv1LrZ1eq+82Gy4RYXU1FnhC6
+dc8aobDmUQkY/8uYXtUmevKF5QcbYciDLp01W1q0DONAlc/9wmvJWhvjs9itWOBC
+fAUcH3eUNvMgkc7hlQTqreZTH4zyJ6M54JibkTsyfVg/1yOT41zUU3b+vI/r9kNB
+CYcp2DrdhdxX6mEiSTyDA/OMlgvCa7kPinUL4FJtQOFBozCsGcD28ONLc8Abkggf
+NABXCclPVAXOTawJF3dRWcMhIlNLWxWMVRvEt5OkAEdy/mXGBvtVArmGnmA+8zcC
+AwEAAaOCAQIwgf8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFA+6
+5KwThPKc9Vxn0048uRThft1tMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDq
+Lk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
+bjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMBwGA1UdEQQVMBOBEWFh
+QHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ry
+b25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIeg
+CjgR2yIGSuyrFolvEM/qoT3j+LpQREDZbx9BKr3kGmbqF75clwfpysJ4FlXZZ2CR
+aH2GoPOZGXwsYc3poqGeeWSxo+fpt4XIGUc1eREXm1rKVMd+qb0u0PXuhq2+u1aY
+ZJDY0yqUU2/7AInXjzG7lI120W+K6tuTM/5UVI5EPpAFwUVlCxnMh4Sl4VkgZ2Hw
+YnO3/8SEHmHR03/GhOd5d8hD8a0AGHtdOPpZnUOR9PH5FszpQ/alUdn+NTdQ7O2v
+Q8jqPCeQSAAkJbBBRvGA4bD6KXt1k74fXXUofiKWpQUozlO1Cc978Kfl5/do5bov
+wTLSA/z7c8nVCVoZI9Y=
+-----END CERTIFICATE-----
diff --git a/testing/tests/attr-cert/hosts/moon/etc/openac/aaKey.pem b/testing/tests/attr-cert/hosts/moon/etc/openac/aaKey.pem
new file mode 100644
index 000000000..209b48f3a
--- /dev/null
+++ b/testing/tests/attr-cert/hosts/moon/etc/openac/aaKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAvYLOjgx2zonPXkNainoTFYjBa33NTxe7/+jDUXQp/1rgMuOj
+yo76SbeDJsHI1BC/UutnV6r7zYbLhFhdTUWeELp1zxqhsOZRCRj/y5he1SZ68oXl
+BxthyIMunTVbWrQM40CVz/3Ca8laG+Oz2K1Y4EJ8BRwfd5Q28yCRzuGVBOqt5lMf
+jPInozngmJuROzJ9WD/XI5PjXNRTdv68j+v2Q0EJhynYOt2F3FfqYSJJPIMD84yW
+C8JruQ+KdQvgUm1A4UGjMKwZwPbw40tzwBuSCB80AFcJyU9UBc5NrAkXd1FZwyEi
+U0tbFYxVG8S3k6QAR3L+ZcYG+1UCuYaeYD7zNwIDAQABAoIBAQCCGgsz+dqWcIWs
+cRD3gFcZsYkYAoWwhtrKFUIB6X3rkLfaN+16Yi3x7cpcES2OaPDwPCv2Q6warS+K
+7B8hrWmWkmvOgrn+eB+p3z+8xh5UttYxKTrSZjn7LhQSWU8eNf2jBfPTlqKi3Ni/
+zNLrLhaV3w7Fc0knDtmqj/GJ1dQ4SrUpME3sREpWbGSzjJ2UsR7iqQiDsYwWHzK2
+nWWwzrSmpObhDR3jiyOwBy/DEjXRC7h0fUL8eBghJvLWgFgifI5Z36FXa0FasxQr
+zKZnQdwuJHqQz7+sVjAmKtNd7x7RE5Ii0oQYiWDFr0OAwKD5UfMNydpcOVC/bV2n
+SKWmguoBAoGBAO73MTPP9ne4cfC7t4k2+F9hkb7mAjAbk9GbTyZyEKSDKH2bL02W
+G4kXdlkvZVgKhIDg8PCouRSQKv2IxubDrarFURb5KMJlyfBV1Q8JSxpVtxK69clq
+yIu/AtiiBE/n11MdmdoJLr6l2nNStJummj2jw5OyN8sdJarf83rCy+ITAoGBAMsF
+IfivZ+Tueavy0tGRb1qqKalIhwzLBRmWCna39bB9rK4eTNio5Oes95mC7t8mslmO
+18enKUTO87svWLzo8NVYIKSqg5B+kIN44hROErlV6HHPVd5vJzZFjH7SSfy5y8Ka
+wmsA1xiG6NEgEndc6F6uQ2YdaZAHWFO6CiTNpq7NAoGADXglb9QzAkCFO5p5F+Tf
+TxEC1A3G5ctII7JrXbFkOsGh0KKkoezqFGocI57GSZYeLd1/9zCrbftKUQwamftB
+mLSSg4b7wylVnpRX9AcEErHuJcIgBIBeWXIkyO0o7RAWVPsAJwgJeHmEvKdWwsc7
+PmoypeqPtoUoEF+bK7o7H70CgYAYlYaHlrX+AuK4766XsgTJ9dEVrrKr2enEL2cU
++THHLXC7pO+pTMprQ4a4ECLc4tK2BZYblyJoMqdRA2q7dXm0W/eX+Q31cV4OjZTS
+4KFj0ANVxMWhKdSVvdZFhTFwaQ9DgXoJexCQ58VJjZiu25FH5dJDi0w9JKaNfPm9
+eym0AQKBgHhfqD9EXxazoP27NyZAFUSA3r4u06qFjbAEjbuJVAJNSuEu6Sht2uIg
+lCHpTPssDLHVSY0faQwY4vPqJZVg0k/rAu2VlvbJxYrdzXr8eTfPRJrhv/s/Tbro
+n1rmisBKov1P2Cu2e03a8+GDO3lpSZr9YNG/e7wggSbfAvqCoUDF
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/attr-cert/hosts/moon/etc/openac/carolCert.pem b/testing/tests/attr-cert/hosts/moon/etc/openac/carolCert.pem
new file mode 100644
index 000000000..8492fbd45
--- /dev/null
+++ b/testing/tests/attr-cert/hosts/moon/etc/openac/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX
+T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl
+vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii
+S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW
+LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM
+YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD
+j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI
+U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM
+2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE
+HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd
+hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG
+C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK
+omBYfxqp
+-----END CERTIFICATE-----
diff --git a/testing/tests/attr-cert/hosts/moon/etc/openac/daveCert.pem b/testing/tests/attr-cert/hosts/moon/etc/openac/daveCert.pem
new file mode 100644
index 000000000..abd1554e5
--- /dev/null
+++ b/testing/tests/attr-cert/hosts/moon/etc/openac/daveCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMjY1MVoXDTA5MDkwOTExMjY1MVowWzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291
+bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDGbCmUY6inir71/6RWebegcLUTmDSxRqpRONDx
+2IRUEuES5EKc7qsjRz45XoqjiywCQRjYW33fUEEY6r7fnHk70CyUnWeZyr7v4D/2
+LjBN3smDE6/ZZrzxPx+xphlUigYOF/vt4gUiW1dOZ5rcnxG9+eNrSL6gWNNg1iuE
+RflSTbmHV6TVmGU2PGddKGZ6XfqWfdA+6iOi2+oyqw6aH4u4hfXhJyMROEOhLdAF
+UvzU9UizEXSqsmEOSodS9vypVJRYTbZcx70e9Q7g2MghHvtQY6mVgBzAwakDBCt/
+98lAlKDeXXOQqPcqAZSc2VjG8gEmkr1dum8wsJw8C2liKGRFAgMBAAGjggEFMIIB
+ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU3pC10RxsZDx0UNNq
++Ihsoxk4+3IwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQAnotcnOE0tJDLy
+8Vh1+naT2zrxx9UxfMIeFljwhDqRiHXSLDAbCOnAWoqj8C9riuZwW7UImIIQ9JT9
+Gdktt4bbIcG25rGMC3uqP71CfaAz/SwIZZ2vm8Jt2ZzzSMHsE5qbjDIRAZnq6giR
+P2s6PVsMPSpvH34sRbE0UoWJSdtBZJP5bb+T4hc9gfmbyTewwMnjh09KkGJqVxKV
+UC/1z1U9zb3X1Gc9y+zI67/D46wM6KdRINaqPdK26aYRFM+/DLoTfFk07dsyz7lt
+0C+/ityQOvpfjVlZ/OepT92eWno4FuNRJuUP5/gYiHvSsjZbazqG02qGhJ6VgtGT
+5qILUTmI
+-----END CERTIFICATE-----
diff --git a/testing/tests/attr-cert/hosts/moon/etc/openac/default.conf b/testing/tests/attr-cert/hosts/moon/etc/openac/default.conf
new file mode 100644
index 000000000..134218eec
--- /dev/null
+++ b/testing/tests/attr-cert/hosts/moon/etc/openac/default.conf
@@ -0,0 +1,4 @@
+--cert /etc/ipsec.d/aacerts/aaCert.pem
+--key /etc/openac/aaKey.pem
+--quiet
+--hours 8
diff --git a/testing/tests/attr-cert/posttest.dat b/testing/tests/attr-cert/posttest.dat
new file mode 100644
index 000000000..a59c3ff63
--- /dev/null
+++ b/testing/tests/attr-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::rm /etc/openac/*
+moon::rm /etc/ipsec.d/aacerts/aaCert.pem
+moon::rm /etc/ipsec.d/acerts/*
diff --git a/testing/tests/attr-cert/pretest.dat b/testing/tests/attr-cert/pretest.dat
new file mode 100644
index 000000000..b3fecaf3c
--- /dev/null
+++ b/testing/tests/attr-cert/pretest.dat
@@ -0,0 +1,12 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::cat /etc/openac/default.conf
+moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/carolCert.pem --groups Research --out /etc/ipsec.d/acerts/carolAC.pem
+moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/daveCert.pem --groups Accounting --out /etc/ipsec.d/acerts/daveAC.pem
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up alice
+carol::ipsec up venus
+dave::ipsec up venus
+dave::ipsec up alice
diff --git a/testing/tests/attr-cert/test.conf b/testing/tests/attr-cert/test.conf
new file mode 100644
index 000000000..08e5cc145
--- /dev/null
+++ b/testing/tests/attr-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/compress/description.txt b/testing/tests/compress/description.txt
new file mode 100644
index 000000000..47829839d
--- /dev/null
+++ b/testing/tests/compress/description.txt
@@ -0,0 +1,3 @@
+This scenario enables IPCOMP compression between roadwarrior <b>carol</b> and
+gateway <b>moon</b>. Two pings from <b>carol</b> to <b>alice</b> checks
+the established tunnel with compression.
diff --git a/testing/tests/compress/evaltest.dat b/testing/tests/compress/evaltest.dat
new file mode 100644
index 000000000..ff72e1762
--- /dev/null
+++ b/testing/tests/compress/evaltest.dat
@@ -0,0 +1,10 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::policy.*COMPRESS::YES
+carol::ipsec statusall::policy.*COMPRESS::YES
+moon::ipsec statusall::comp.::YES
+carol::ipsec statusall::comp.::YES
+carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
+moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::moon.strongswan.org >  carol.strongswan.org: ESP::YES
+
diff --git a/testing/tests/compress/hosts/carol/etc/ipsec.conf b/testing/tests/compress/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..9462ba5e6
--- /dev/null
+++ b/testing/tests/compress/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	compress=yes
+
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/compress/hosts/moon/etc/ipsec.conf b/testing/tests/compress/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..b8dfae646
--- /dev/null
+++ b/testing/tests/compress/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+	compress=yes
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/compress/posttest.dat b/testing/tests/compress/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/compress/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/compress/pretest.dat b/testing/tests/compress/pretest.dat
new file mode 100644
index 000000000..7d077c126
--- /dev/null
+++ b/testing/tests/compress/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/compress/test.conf b/testing/tests/compress/test.conf
new file mode 100644
index 000000000..fd33cfb57
--- /dev/null
+++ b/testing/tests/compress/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/crl-from-cache/description.txt b/testing/tests/crl-from-cache/description.txt
new file mode 100644
index 000000000..17866f572
--- /dev/null
+++ b/testing/tests/crl-from-cache/description.txt
@@ -0,0 +1,5 @@
+By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. When <b>carol</b> initiates
+an IPsec connection to <b>moon</b>, both VPN endpoints find a cached CRL in
+their <b>/etc/ipsec.d/crls/</b> directories which allows them to immediately verify
+the certificate received from their peer.
diff --git a/testing/tests/crl-from-cache/evaltest.dat b/testing/tests/crl-from-cache/evaltest.dat
new file mode 100644
index 000000000..dd200c8ef
--- /dev/null
+++ b/testing/tests/crl-from-cache/evaltest.dat
@@ -0,0 +1,10 @@
+moon::cat /var/log/auth.log::loaded crl file::YES
+carol::cat /var/log/auth.log::loaded crl file::YES
+moon::cat /var/log/auth.log::X.509 certificate rejected::NO
+carol::cat /var/log/auth.log::X.509 certificate rejected::NO
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::written crl file::NO
+carol::cat /var/log/auth.log::written crl file::NO
+moon::ipsec listcrls:: ok::YES
+carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/crl-from-cache/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..93c4d7956
--- /dev/null
+++ b/testing/tests/crl-from-cache/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=yes
+	cachecrls=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+
+conn home
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/crl-from-cache/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..ef9237518
--- /dev/null
+++ b/testing/tests/crl-from-cache/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=yes
+	cachecrls=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+
+conn net-net
+	leftsubnet=10.1.0.0/16
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightid=@sun.strongswan.org
+	auto=add
+        
+conn host-host
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	auto=add
+
+conn rw
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/crl-from-cache/posttest.dat b/testing/tests/crl-from-cache/posttest.dat
new file mode 100644
index 000000000..be17847c1
--- /dev/null
+++ b/testing/tests/crl-from-cache/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::rm /etc/ipsec.d/crls/*
+carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/crl-from-cache/pretest.dat b/testing/tests/crl-from-cache/pretest.dat
new file mode 100644
index 000000000..acdb265ed
--- /dev/null
+++ b/testing/tests/crl-from-cache/pretest.dat
@@ -0,0 +1,8 @@
+moon::wget -q http://crl.strongswan.org/strongswan.crl
+moon::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
+carol::wget -q http://crl.strongswan.org/strongswan.crl
+carol::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/crl-from-cache/test.conf b/testing/tests/crl-from-cache/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/crl-from-cache/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/crl-ldap/description.txt b/testing/tests/crl-ldap/description.txt
new file mode 100644
index 000000000..02dc0cbbe
--- /dev/null
+++ b/testing/tests/crl-ldap/description.txt
@@ -0,0 +1,9 @@
+By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
+the connection and only an expired CRL cache file in <b>/etc/ipsec.d/crls</b> is
+available, the Main Mode negotiation fails. A http fetch for an updated CRL fails
+because the web server is currently not reachable. Thus the second Main Mode negotiation
+fails, too. Finally an ldap fetch to get the CRL from the LDAP server <b>winnetou</b>
+is triggered. When the third Main Mode trial comes around, the fetched CRL has become
+available and the IKE negotiation completes. The new CRL is again cached locally as a
+file in <b>/etc/ipsec.d/crls</b> due to the <b>cachecrls=yes</b> option.
diff --git a/testing/tests/crl-ldap/evaltest.dat b/testing/tests/crl-ldap/evaltest.dat
new file mode 100644
index 000000000..2b98e086a
--- /dev/null
+++ b/testing/tests/crl-ldap/evaltest.dat
@@ -0,0 +1,16 @@
+moon::cat /var/log/auth.log::loaded crl file::YES
+carol::cat /var/log/auth.log::loaded crl file::YES
+moon::cat /var/log/auth.log::crl update is overdue::YES
+carol::cat /var/log/auth.log::crl update is overdue::YES
+moon::cat /var/log/auth.log::X.509 certificate rejected::YES
+carol::cat /var/log/auth.log::X.509 certificate rejected::YES
+moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+moon::cat /var/log/auth.log::Trying LDAP URL::YES
+carol::cat /var/log/auth.log::Trying LDAP URL::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::written crl file::YES
+carol::cat /var/log/auth.log::written crl file::YES
+moon::ipsec listcrls:: ok::YES
+carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/crl-ldap/hosts/carol/etc/init.d/iptables b/testing/tests/crl-ldap/hosts/carol/etc/init.d/iptables
new file mode 100755
index 000000000..571459bae
--- /dev/null
+++ b/testing/tests/crl-ldap/hosts/carol/etc/init.d/iptables
@@ -0,0 +1,73 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow ldap crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/crl-ldap/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..669a47d06
--- /dev/null
+++ b/testing/tests/crl-ldap/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,31 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=yes
+	cachecrls=yes
+
+ca strongswan
+	cacert=strongswanCert.pem
+	crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=2
+
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
new file mode 100644
index 000000000..75e8b0959
--- /dev/null
+++ b/testing/tests/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
diff --git a/testing/tests/crl-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/crl-ldap/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..8de514a2e
--- /dev/null
+++ b/testing/tests/crl-ldap/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,76 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow ldap crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/crl-ldap/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..d5c0dd163
--- /dev/null
+++ b/testing/tests/crl-ldap/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,42 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=yes
+	cachecrls=yes
+
+ca strongswan
+	cacert=strongswanCert.pem
+	crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=2
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+
+conn net-net
+	leftsubnet=10.1.0.0/16
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightid=@sun.strongswan.org
+	auto=add
+        
+conn host-host
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	auto=add
+
+conn rw
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
new file mode 100644
index 000000000..75e8b0959
--- /dev/null
+++ b/testing/tests/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
diff --git a/testing/tests/crl-ldap/posttest.dat b/testing/tests/crl-ldap/posttest.dat
new file mode 100644
index 000000000..04f762331
--- /dev/null
+++ b/testing/tests/crl-ldap/posttest.dat
@@ -0,0 +1,9 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+winnetou::/etc/init.d/slapd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/crls/*
+carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/crl-ldap/pretest.dat b/testing/tests/crl-ldap/pretest.dat
new file mode 100644
index 000000000..64fae2a16
--- /dev/null
+++ b/testing/tests/crl-ldap/pretest.dat
@@ -0,0 +1,7 @@
+winnetou::/etc/init.d/slapd start
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/crl-ldap/test.conf b/testing/tests/crl-ldap/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/crl-ldap/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/crl-revoked/description.txt b/testing/tests/crl-revoked/description.txt
new file mode 100644
index 000000000..780068ce6
--- /dev/null
+++ b/testing/tests/crl-revoked/description.txt
@@ -0,0 +1,7 @@
+By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
+the connection and no current CRL is available, the Main Mode negotiation fails
+and a http fetch to get the CRL from the web server <b>winnetou</b> is triggered.
+When the second Main Mode trial comes around the fetched CRL will be available
+but because the certificate presented by carol has been revoked,
+the IKE negotatiation will fail.
diff --git a/testing/tests/crl-revoked/evaltest.dat b/testing/tests/crl-revoked/evaltest.dat
new file mode 100644
index 000000000..0fd1cae8c
--- /dev/null
+++ b/testing/tests/crl-revoked/evaltest.dat
@@ -0,0 +1,6 @@
+moon::cat /var/log/auth.log::X.509 certificate rejected::YES
+moon::cat /var/log/auth.log::certificate was revoked::YES
+carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+moon::ipsec listcrls:: ok::YES
+moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
+carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
diff --git a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..5a1d246a6
--- /dev/null
+++ b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolRevokedCert.pem
+	leftid=carol@strongswan.org
+
+conn home
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
new file mode 100644
index 000000000..5b742fc9e
--- /dev/null
+++ b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV
+mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo
+5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv
+VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN
+IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5
+K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9
+OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB
+56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM
+2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q
+O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL
+LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3
+wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N
+9IcgYi5x
+-----END CERTIFICATE-----
diff --git a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
new file mode 100644
index 000000000..8aefcc5a6
--- /dev/null
+++ b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAznjXerUHYQXeylxgPW7Rx70C0gd3GZTf7UTSGpWYuqkhC3Kn
+hItutG6fGmhVS4SkdZeAtvcL+WOOUoIxZaaHDjCNrWsFOMw0ks+PoGjlCfg566qb
+v+Qsc8Zu95Aa1xKwkKTqIuoVNurTCyOLk6CruSaNaBC/SczaOmh8cu9U4C1ZVKP7
+HZvc4d2X9amBOBPDUceNijv806QBF1Nxnb/DHEzfPUBun2LKVzjkYs0gv87MeRPx
+vml2iR0y9WKPPwiyWSR7AlhetVBoI0xmD/J2Vc44AQrPRiqe9dBpizkr6zxe9DZE
+UKvmg7R9FPZVuIj1OAedtyd9SLbmIeXq3GxeDQIDAQABAoIBAAUdyXko8z3cP2EU
+WO4syNYCQQejV7gykDn48pvmCRrXBhKajLwkGGIwO5ET9MkiSFEBqBbgmFNdvDEf
+OMokDkSzv08Ez+RQax0YN57p+oL8u7KzT5i5tsBHsog/8epSdD2hWIv08QGjYAdu
+og7OdHLqGabyg0r44I+B91OBysCjU51rDdkhz59AmURdEIJV5xhuGojFM68jaNm2
+MUxDfDuCsRIydjAP0VTUTAUxD4/S5I+jt/GK9aRsEeRH9Q3011iTGMR9viAUBhq/
+khkWNltg9lkOqO7LpnNku4sSv3v4CWge7/T+4RR2vZgv1oSs4ox2UKYoqIqiYIfx
+uUcnqQECgYEA+LPiRMoXvlssQWlaFc2k4xga0efs+mWeLglDdc3R3fBEibP/AU07
+a576AgvUJtkI50/WNGKT73O+VtxcXn/N646m/8OtqNXuVKKjsxxNOZEKdO8aOdbt
+7lM5WepNiQeaKAFudUxpUiZQx8LCKSsNDiJZKWBu6xAG2O5X32VMZvUCgYEA1Ie+
+rNa490PSC1ym7WbmdAjvGmSOn2GOBfO7BECsPZstccU7D5pZl/89fTfn1TDKP49Y
+ScVOuFz7f/u6UJpb/WzI71RXEQOdojLWmF2HDx5osRi3hXEJa20fbPq6DQXCJ8pf
+IF37AEqAY4UNSNic0Cw+rGHdWPQhDNXhFWpdu7kCgYEAmv4oNmyoDXbuhrlsbggi
+CXE9TbG3a3mm8dPOGf2yHBmf7R2i/6GtNW33Kw1KIwfBV77WpQEGZwWACsv8ONx3
+baUSiHTfpkfk5xQQ5w/tRMISfTuB4agD0jJFnLa7qXl2ZhY2S53aSVsdntDOhi+R
+TEy1umah2Za8Xbd0RgHwcn0CgYEAl9Hgg9dfikMIaNVm6W/4cCtxoojy2Sf3LIlP
+r1oDsH6JmBwsdJjuJ4ZNhoXJNqID2COuDgTEly7U+jf4gFvEGuT7JPw6tgy/Ln7i
+jTVCpaozX08oykpVUEhDirYQ8fyLFaGbEqQQCcUusej59G/IlW0F2F6QoFrEwUaH
+46R4EQECgYBEZ7edMkj3dmJH1wxQjp5GJNbrJkS8IKvzza0mDTJdz33CgEX9Oyva
+o2iEkDVpvj2SEy28ewt22IRptWKH/3bQfxSCcRV6JFNt3+LongMshRYqq1leqrKa
+9fnQVtfTIbIVXwjTZap6BL8R66OeFtexsSFRfDF/8P4n2oF4zmn4qA==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..8e31be4cb
--- /dev/null
+++ b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolRevokedKey.pem
diff --git a/testing/tests/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/crl-revoked/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a8953f557
--- /dev/null
+++ b/testing/tests/crl-revoked/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,35 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+
+conn net-net
+	leftsubnet=10.1.0.0/16
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightid=@sun.strongswan.org
+	auto=add
+        
+conn host-host
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	auto=add
+
+conn rw
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/crl-revoked/posttest.dat b/testing/tests/crl-revoked/posttest.dat
new file mode 100644
index 000000000..d742e8410
--- /dev/null
+++ b/testing/tests/crl-revoked/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+carol::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/crl-revoked/pretest.dat b/testing/tests/crl-revoked/pretest.dat
new file mode 100644
index 000000000..d92333d86
--- /dev/null
+++ b/testing/tests/crl-revoked/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/crl-revoked/test.conf b/testing/tests/crl-revoked/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/crl-revoked/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/crl-strict/description.txt b/testing/tests/crl-strict/description.txt
new file mode 100644
index 000000000..97011482e
--- /dev/null
+++ b/testing/tests/crl-strict/description.txt
@@ -0,0 +1,6 @@
+By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
+the connection and no current CRL is available, the Main Mode negotiation fails
+but a http fetch to get the CRL from the web server <b>winnetou</b> is triggered.
+When the second Main Mode trial comes around, the fetched CRL will be available
+and the IKE negotiation completes.
diff --git a/testing/tests/crl-strict/evaltest.dat b/testing/tests/crl-strict/evaltest.dat
new file mode 100644
index 000000000..1d7adb05e
--- /dev/null
+++ b/testing/tests/crl-strict/evaltest.dat
@@ -0,0 +1,8 @@
+moon::cat /var/log/auth.log::X.509 certificate rejected::YES
+carol::cat /var/log/auth.log::X.509 certificate rejected::YES
+moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec listcrls:: ok::YES
+carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/crl-strict/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..6d0aee86a
--- /dev/null
+++ b/testing/tests/crl-strict/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+
+conn home
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/crl-strict/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a8953f557
--- /dev/null
+++ b/testing/tests/crl-strict/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,35 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+
+conn net-net
+	leftsubnet=10.1.0.0/16
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightid=@sun.strongswan.org
+	auto=add
+        
+conn host-host
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	auto=add
+
+conn rw
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/crl-strict/posttest.dat b/testing/tests/crl-strict/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/crl-strict/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/crl-strict/pretest.dat b/testing/tests/crl-strict/pretest.dat
new file mode 100644
index 000000000..d92333d86
--- /dev/null
+++ b/testing/tests/crl-strict/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/crl-strict/test.conf b/testing/tests/crl-strict/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/crl-strict/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/crl-to-cache/description.txt b/testing/tests/crl-to-cache/description.txt
new file mode 100644
index 000000000..9f542e73d
--- /dev/null
+++ b/testing/tests/crl-to-cache/description.txt
@@ -0,0 +1,6 @@
+By setting <b>cachecrls=yes</b> in ipsec.conf, a copy of the CRL fetched
+via http from the web server <b>winnetou</b> is saved locally in the
+directory <b>/etc/ipsec.d/crls</b> on both the roadwarrior <b>carol</b>
+and the gateway <b>moon</b> when the IPsec connection is set up. The
+<b>subjectKeyIdentifier</b> of the issuing CA plus the suffix <b>.crl</b>
+is used as a unique filename for the cached CRL. 
diff --git a/testing/tests/crl-to-cache/evaltest.dat b/testing/tests/crl-to-cache/evaltest.dat
new file mode 100644
index 000000000..be7737185
--- /dev/null
+++ b/testing/tests/crl-to-cache/evaltest.dat
@@ -0,0 +1,4 @@
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+carol::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
diff --git a/testing/tests/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/crl-to-cache/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..955f08b1f
--- /dev/null
+++ b/testing/tests/crl-to-cache/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	cachecrls=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+
+conn home
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/crl-to-cache/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..885354ab5
--- /dev/null
+++ b/testing/tests/crl-to-cache/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	cachecrls=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+
+conn rw
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/crl-to-cache/posttest.dat b/testing/tests/crl-to-cache/posttest.dat
new file mode 100644
index 000000000..be17847c1
--- /dev/null
+++ b/testing/tests/crl-to-cache/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::rm /etc/ipsec.d/crls/*
+carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/crl-to-cache/pretest.dat b/testing/tests/crl-to-cache/pretest.dat
new file mode 100644
index 000000000..d92333d86
--- /dev/null
+++ b/testing/tests/crl-to-cache/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/crl-to-cache/test.conf b/testing/tests/crl-to-cache/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/crl-to-cache/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/default-keys/description.txt b/testing/tests/default-keys/description.txt
new file mode 100644
index 000000000..639e909da
--- /dev/null
+++ b/testing/tests/default-keys/description.txt
@@ -0,0 +1,8 @@
+Because of the missing <b>/etc/ipsec.secrets</b> file, roadwarrior <b>carol</b>
+and gateway <b>moon</b> each automatically generate a PKCS#1 RSA private key
+and a self-signed X.509 certificate. Because the UML testing environment does
+not offer enough entropy, the non-blocking /dev/urandom device is used in place
+of /dev/random for generating the random primes.
+<p>
+The self-signed certificates are then distributed to the peers via scp
+and are used to set up a road warrior connection initiated by <b>carol</b> 
diff --git a/testing/tests/default-keys/evaltest.dat b/testing/tests/default-keys/evaltest.dat
new file mode 100644
index 000000000..f190d7066
--- /dev/null
+++ b/testing/tests/default-keys/evaltest.dat
@@ -0,0 +1,7 @@
+carol::cat /var/log/auth.log::we have a cert but are not sending it::YES
+moon::cat /var/log/auth.log::we have a cert but are not sending it::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/default-keys/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c4bb10a65
--- /dev/null
+++ b/testing/tests/default-keys/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=0
+	strictcrlpolicy=no
+	nocrsend=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=selfCert.der
+	leftsendcert=never
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightcert=peerCert.der
+	auto=add
diff --git a/testing/tests/default-keys/hosts/moon/etc/init.d/iptables b/testing/tests/default-keys/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..13ad3063f
--- /dev/null
+++ b/testing/tests/default-keys/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,78 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A INPUT  -p tcp --sport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/default-keys/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..eeeec645b
--- /dev/null
+++ b/testing/tests/default-keys/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=0
+	strictcrlpolicy=no
+	nocrsend=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn carol
+	left=192.168.0.1
+	leftnexthop=%direct
+	leftcert=selfCert.der
+	leftsendcert=never
+	leftfirewall=yes
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightcert=peerCert.der
+	auto=add
+
diff --git a/testing/tests/default-keys/posttest.dat b/testing/tests/default-keys/posttest.dat
new file mode 100644
index 000000000..52b48b9ef
--- /dev/null
+++ b/testing/tests/default-keys/posttest.dat
@@ -0,0 +1,10 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+carol::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/certs/*
+moon::rm /etc/ipsec.d/private/*
+moon::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/default-keys/pretest.dat b/testing/tests/default-keys/pretest.dat
new file mode 100644
index 000000000..54f70cbe9
--- /dev/null
+++ b/testing/tests/default-keys/pretest.dat
@@ -0,0 +1,18 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+carol::rm /etc/ipsec.secrets
+carol::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/certs/*
+carol::rm /etc/ipsec.d/cacerts/*
+carol::ipsec start
+moon::rm /etc/ipsec.secrets
+moon::rm /etc/ipsec.d/private/*
+moon::rm /etc/ipsec.d/certs/*
+moon::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+moon::sleep 4 
+moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der
+moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der
+moon::ipsec reload 
+carol::ipsec reload 
+carol::ipsec up home
diff --git a/testing/tests/default-keys/test.conf b/testing/tests/default-keys/test.conf
new file mode 100644
index 000000000..0baa48d90
--- /dev/null
+++ b/testing/tests/default-keys/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/double-nat-net/description.txt b/testing/tests/double-nat-net/description.txt
new file mode 100644
index 000000000..ff09155f6
--- /dev/null
+++ b/testing/tests/double-nat-net/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a
+tunnel to the subnet hiding behind the NAT router <b>sun</b>. All IKE and ESP traffic
+directed to the router <b>sun</b> is forwarded to the VPN gateway <b>bob</b>
+using destination NAT.  UDP encapsulation is used to traverse the NAT routers.
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
+let pass the tunneled traffic. In order to test the double NAT-ed IPsec
+tunnel <b>alice</b> pings the inner IP address of the router <b>sun</b>.
diff --git a/testing/tests/double-nat-net/evaltest.dat b/testing/tests/double-nat-net/evaltest.dat
new file mode 100644
index 000000000..41eba6501
--- /dev/null
+++ b/testing/tests/double-nat-net/evaltest.dat
@@ -0,0 +1,5 @@
+alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
+bob::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping -c 1 PH_IP1_SUN::64 bytes from PH_IP1_SUN: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/double-nat-net/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..395e62e7c
--- /dev/null
+++ b/testing/tests/double-nat-net/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	nat_traversal=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+		
+conn nat-t
+	left=%defaultroute
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=bob@strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/double-nat-net/hosts/bob/etc/ipsec.conf
new file mode 100755
index 000000000..6927a5ce4
--- /dev/null
+++ b/testing/tests/double-nat-net/hosts/bob/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	nat_traversal=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn nat-t
+	left=%defaultroute
+	leftsubnet=10.2.0.0/16
+	leftcert=bobCert.pem
+	leftid=bob@strongswan.org
+	leftfirewall=yes
+	right=%any
+	rightsubnetwithin=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/double-nat-net/posttest.dat b/testing/tests/double-nat-net/posttest.dat
new file mode 100644
index 000000000..0eb2c0d6c
--- /dev/null
+++ b/testing/tests/double-nat-net/posttest.dat
@@ -0,0 +1,9 @@
+alice::iptables -v -n -L
+bob::iptables -v -n -L
+bob::ipsec stop
+alice::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+bob::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+sun::iptables -t nat -F
+sun::ip route del 10.1.0.0/16 via PH_IP_BOB
diff --git a/testing/tests/double-nat-net/pretest.dat b/testing/tests/double-nat-net/pretest.dat
new file mode 100644
index 000000000..84bc15092
--- /dev/null
+++ b/testing/tests/double-nat-net/pretest.dat
@@ -0,0 +1,15 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+bob::/etc/init.d/iptables start 2> /dev/null
+bob::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
+sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB
+sun::ip route add 10.1.0.0/16 via PH_IP_BOB
+alice::ipsec start
+bob::ipsec start
+alice::sleep 2
+alice::ipsec up nat-t
+
diff --git a/testing/tests/double-nat-net/test.conf b/testing/tests/double-nat-net/test.conf
new file mode 100644
index 000000000..1ca2ffe5a
--- /dev/null
+++ b/testing/tests/double-nat-net/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice bob"
diff --git a/testing/tests/double-nat/description.txt b/testing/tests/double-nat/description.txt
new file mode 100644
index 000000000..ce7de0e56
--- /dev/null
+++ b/testing/tests/double-nat/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a tunnel to
+the peer <b>bob</b> hiding behind the NAT router <b>sun</b>. UDP encapsulation is used to
+traverse the NAT routers. <b>leftfirewall=yes</b> automatically inserts iptables-based
+firewall rules that let pass the tunneled traffic. In order to test the double NAT-ed IPsec
+tunnel <b>alice</b> pings <b>bob</b>.
diff --git a/testing/tests/double-nat/evaltest.dat b/testing/tests/double-nat/evaltest.dat
new file mode 100644
index 000000000..05e751422
--- /dev/null
+++ b/testing/tests/double-nat/evaltest.dat
@@ -0,0 +1,5 @@
+alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
+bob::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/double-nat/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..5b3cddb63
--- /dev/null
+++ b/testing/tests/double-nat/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	nat_traversal=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+		
+conn nat-t
+	left=%defaultroute
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=bob@strongswan.org
+	rightsubnet=PH_IP_BOB/32
+	auto=add
diff --git a/testing/tests/double-nat/posttest.dat b/testing/tests/double-nat/posttest.dat
new file mode 100644
index 000000000..07f22d07d
--- /dev/null
+++ b/testing/tests/double-nat/posttest.dat
@@ -0,0 +1,8 @@
+alice::iptables -v -n -L
+bob::iptables -v -n -L
+bob::ipsec stop
+alice::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+bob::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+sun::iptables -t nat -F
diff --git a/testing/tests/double-nat/pretest.dat b/testing/tests/double-nat/pretest.dat
new file mode 100644
index 000000000..cf495b778
--- /dev/null
+++ b/testing/tests/double-nat/pretest.dat
@@ -0,0 +1,13 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+bob::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
+sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB
+alice::ipsec start
+bob::ipsec start
+alice::sleep 2
+alice::ipsec up nat-t
+
diff --git a/testing/tests/double-nat/test.conf b/testing/tests/double-nat/test.conf
new file mode 100644
index 000000000..1ca2ffe5a
--- /dev/null
+++ b/testing/tests/double-nat/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice bob"
diff --git a/testing/tests/dpd-clear/description.txt b/testing/tests/dpd-clear/description.txt
new file mode 100644
index 000000000..f76b2d741
--- /dev/null
+++ b/testing/tests/dpd-clear/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <b>moon</b>
+which in turn activates <b>Dead Peer Detection</b> (DPD) with a polling interval of 10 s.
+When the network connectivity between <b>carol</b> and <b>moon</b> is forcefully disrupted,
+<b>moon</b> clears the connection after the configured timeout of 30 s.
+
diff --git a/testing/tests/dpd-clear/evaltest.dat b/testing/tests/dpd-clear/evaltest.dat
new file mode 100644
index 000000000..98d5b146b
--- /dev/null
+++ b/testing/tests/dpd-clear/evaltest.dat
@@ -0,0 +1,7 @@
+carol::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
+carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
+moon::sleep 50::no output expected::NO
+moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES
+moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES
+moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES
+moon::cat /var/log/auth.log::DPD: Clearing connection::YES
diff --git a/testing/tests/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/dpd-clear/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..cac521c8f
--- /dev/null
+++ b/testing/tests/dpd-clear/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+	dpdaction=clear
+	dpddelay=10
+	dpdtimeout=30
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
+
+
+
diff --git a/testing/tests/dpd-clear/posttest.dat b/testing/tests/dpd-clear/posttest.dat
new file mode 100644
index 000000000..931db4272
--- /dev/null
+++ b/testing/tests/dpd-clear/posttest.dat
@@ -0,0 +1,3 @@
+carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/dpd-clear/pretest.dat b/testing/tests/dpd-clear/pretest.dat
new file mode 100644
index 000000000..14ed95322
--- /dev/null
+++ b/testing/tests/dpd-clear/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2 
+carol::ipsec up home
diff --git a/testing/tests/dpd-clear/test.conf b/testing/tests/dpd-clear/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/dpd-clear/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/esp-ah-transport/description.txt b/testing/tests/esp-ah-transport/description.txt
new file mode 100644
index 000000000..c7918fa38
--- /dev/null
+++ b/testing/tests/esp-ah-transport/description.txt
@@ -0,0 +1,5 @@
+In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
+the ESP AES 128 bit encryption algorithm combined with AH SHA-1 authentication.
+In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall
+marks all incoming AH packets with the ESP mark. The transport mode connection is
+tested by <b>carol</b> sending a ping to gateway <b>moon</b>.
diff --git a/testing/tests/esp-ah-transport/evaltest.dat b/testing/tests/esp-ah-transport/evaltest.dat
new file mode 100644
index 000000000..7c498ad83
--- /dev/null
+++ b/testing/tests/esp-ah-transport/evaltest.dat
@@ -0,0 +1,8 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec statusall::ESP algorithm newest: AES_128-;::YES
+moon::ipsec statusall::ESP algorithm newest: AES_128-;::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_MOON::128 bytes from PH_IP_MOON: icmp_seq=1::YES
+carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES
+moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES
+moon::tcpdump::AH.*ESP::YES
diff --git a/testing/tests/esp-ah-transport/hosts/carol/etc/init.d/iptables b/testing/tests/esp-ah-transport/hosts/carol/etc/init.d/iptables
new file mode 100755
index 000000000..8c8817539
--- /dev/null
+++ b/testing/tests/esp-ah-transport/hosts/carol/etc/init.d/iptables
@@ -0,0 +1,73 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+        # allow AH
+	iptables -A INPUT  -i eth0 -p 51 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
+			
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/esp-ah-transport/hosts/carol/etc/ipsec.conf b/testing/tests/esp-ah-transport/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..13ab3e07f
--- /dev/null
+++ b/testing/tests/esp-ah-transport/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	auth=ah
+	ike=aes128-sha
+	esp=aes128-sha1
+
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	type=transport
+	auto=add
diff --git a/testing/tests/esp-ah-transport/hosts/moon/etc/init.d/iptables b/testing/tests/esp-ah-transport/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..3e8922581
--- /dev/null
+++ b/testing/tests/esp-ah-transport/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,76 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow AH
+	iptables -A INPUT  -i eth0 -p 51 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/esp-ah-transport/hosts/moon/etc/ipsec.conf b/testing/tests/esp-ah-transport/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..809f3c74b
--- /dev/null
+++ b/testing/tests/esp-ah-transport/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+	auth=ah
+	ike=aes128-sha
+	esp=aes128-sha1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=%any
+	rightid=carol@strongswan.org
+	type=transport
+	auto=add
diff --git a/testing/tests/esp-ah-transport/posttest.dat b/testing/tests/esp-ah-transport/posttest.dat
new file mode 100644
index 000000000..26848212b
--- /dev/null
+++ b/testing/tests/esp-ah-transport/posttest.dat
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/esp-ah-transport/pretest.dat b/testing/tests/esp-ah-transport/pretest.dat
new file mode 100644
index 000000000..bd68efb0b
--- /dev/null
+++ b/testing/tests/esp-ah-transport/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+moon::ipsec start
+sleep 2
+carol::ipsec up home
diff --git a/testing/tests/esp-ah-transport/test.conf b/testing/tests/esp-ah-transport/test.conf
new file mode 100644
index 000000000..fd33cfb57
--- /dev/null
+++ b/testing/tests/esp-ah-transport/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/esp-ah-tunnel/description.txt b/testing/tests/esp-ah-tunnel/description.txt
new file mode 100644
index 000000000..809f28c57
--- /dev/null
+++ b/testing/tests/esp-ah-tunnel/description.txt
@@ -0,0 +1,6 @@
+In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
+the ESP AES 128 bit encryption algorithm combined with AH SHA-1 authentication.
+In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall
+marks all incoming AH packets with the ESP mark. The tunnel mode connection is
+tested by <b>carol</b> sending a ping to client <b>alice</b> hiding behind 
+gateway <b>moon</b>.
diff --git a/testing/tests/esp-ah-tunnel/evaltest.dat b/testing/tests/esp-ah-tunnel/evaltest.dat
new file mode 100644
index 000000000..8f4a99641
--- /dev/null
+++ b/testing/tests/esp-ah-tunnel/evaltest.dat
@@ -0,0 +1,8 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec statusall::ESP algorithm newest: AES_128-;::YES
+moon::ipsec statusall::ESP algorithm newest: AES_128-;::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES
+moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES
+moon::tcpdump::AH.*ESP::YES
diff --git a/testing/tests/esp-ah-tunnel/hosts/carol/etc/init.d/iptables b/testing/tests/esp-ah-tunnel/hosts/carol/etc/init.d/iptables
new file mode 100755
index 000000000..8c8817539
--- /dev/null
+++ b/testing/tests/esp-ah-tunnel/hosts/carol/etc/init.d/iptables
@@ -0,0 +1,73 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+        # allow AH
+	iptables -A INPUT  -i eth0 -p 51 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
+			
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/esp-ah-tunnel/hosts/carol/etc/ipsec.conf b/testing/tests/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..98cdaab7a
--- /dev/null
+++ b/testing/tests/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	auth=ah
+	ike=aes128-sha
+	esp=aes128-sha1
+
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/esp-ah-tunnel/hosts/moon/etc/init.d/iptables b/testing/tests/esp-ah-tunnel/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..3e8922581
--- /dev/null
+++ b/testing/tests/esp-ah-tunnel/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,76 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow AH
+	iptables -A INPUT  -i eth0 -p 51 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/esp-ah-tunnel/hosts/moon/etc/ipsec.conf b/testing/tests/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..7f976376d
--- /dev/null
+++ b/testing/tests/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+	auth=ah
+	ike=aes128-sha
+	esp=aes128-sha1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/esp-ah-tunnel/posttest.dat b/testing/tests/esp-ah-tunnel/posttest.dat
new file mode 100644
index 000000000..26848212b
--- /dev/null
+++ b/testing/tests/esp-ah-tunnel/posttest.dat
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/esp-ah-tunnel/pretest.dat b/testing/tests/esp-ah-tunnel/pretest.dat
new file mode 100644
index 000000000..bd68efb0b
--- /dev/null
+++ b/testing/tests/esp-ah-tunnel/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+moon::ipsec start
+sleep 2
+carol::ipsec up home
diff --git a/testing/tests/esp-ah-tunnel/test.conf b/testing/tests/esp-ah-tunnel/test.conf
new file mode 100644
index 000000000..fd33cfb57
--- /dev/null
+++ b/testing/tests/esp-ah-tunnel/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/esp-alg-des/description.txt b/testing/tests/esp-alg-des/description.txt
new file mode 100644
index 000000000..9546569dd
--- /dev/null
+++ b/testing/tests/esp-alg-des/description.txt
@@ -0,0 +1,5 @@
+In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
+the ESP 1DES encryption algorithm with MD5 authentication. <b>moon</b> must
+explicitly accept the choice of this insecure algorithm by setting the strict
+flag '!' in <b>esp=des-md5!</b>. The tunnel is tested by <b>carol</b> 
+sending a ping to client <b>alice</b> behind gateway <b>moon</b>.
diff --git a/testing/tests/esp-alg-des/evaltest.dat b/testing/tests/esp-alg-des/evaltest.dat
new file mode 100644
index 000000000..8e06392f1
--- /dev/null
+++ b/testing/tests/esp-alg-des/evaltest.dat
@@ -0,0 +1,6 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::ESP algorithm newest: DES_0-HMAC_MD5::YES
+carol::ipsec statusall::ESP algorithm newest: DES_0-HMAC_MD5::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+
diff --git a/testing/tests/esp-alg-des/hosts/carol/etc/ipsec.conf b/testing/tests/esp-alg-des/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..b4f067b6d
--- /dev/null
+++ b/testing/tests/esp-alg-des/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=3des-md5-modp1024!
+	esp=des-md5!
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/esp-alg-des/hosts/moon/etc/ipsec.conf b/testing/tests/esp-alg-des/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..9513f810d
--- /dev/null
+++ b/testing/tests/esp-alg-des/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+	ike=3des-md5-modp1024!
+	esp=des-md5!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/esp-alg-des/posttest.dat b/testing/tests/esp-alg-des/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/esp-alg-des/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/esp-alg-des/pretest.dat b/testing/tests/esp-alg-des/pretest.dat
new file mode 100644
index 000000000..7d077c126
--- /dev/null
+++ b/testing/tests/esp-alg-des/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/esp-alg-des/test.conf b/testing/tests/esp-alg-des/test.conf
new file mode 100644
index 000000000..a6c8f026c
--- /dev/null
+++ b/testing/tests/esp-alg-des/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/esp-alg-null/description.txt b/testing/tests/esp-alg-null/description.txt
new file mode 100644
index 000000000..7880a799c
--- /dev/null
+++ b/testing/tests/esp-alg-null/description.txt
@@ -0,0 +1,5 @@
+In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
+the ESP NULL encryption algorithm with SHA-1 authentication. <b>moon</b> must
+explicitly accept the choice of this insecure algorithm by setting the strict
+flag '!' in <b>esp=null-sha1!</b>. The tunnel is tested by <b>carol</b> 
+sending a ping to client <b>alice</b> behind gateway <b>moon</b>.
diff --git a/testing/tests/esp-alg-null/evaltest.dat b/testing/tests/esp-alg-null/evaltest.dat
new file mode 100644
index 000000000..de2f2a571
--- /dev/null
+++ b/testing/tests/esp-alg-null/evaltest.dat
@@ -0,0 +1,5 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::ESP algorithm newest::NULL_0-HMAC_SHA1::YES
+carol::ipsec statusall::ESP algorithm newest::NULL_0-HMAC_SHA1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/esp-alg-null/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..b732eba93
--- /dev/null
+++ b/testing/tests/esp-alg-null/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=aes-128-sha
+	esp=null-sha1!
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/esp-alg-null/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..af11591a1
--- /dev/null
+++ b/testing/tests/esp-alg-null/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+	ike=aes128-sha!
+	esp=null-sha1!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/esp-alg-null/posttest.dat b/testing/tests/esp-alg-null/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/esp-alg-null/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/esp-alg-null/pretest.dat b/testing/tests/esp-alg-null/pretest.dat
new file mode 100644
index 000000000..f5aa989fe
--- /dev/null
+++ b/testing/tests/esp-alg-null/pretest.dat
@@ -0,0 +1,4 @@
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/esp-alg-null/test.conf b/testing/tests/esp-alg-null/test.conf
new file mode 100644
index 000000000..a6c8f026c
--- /dev/null
+++ b/testing/tests/esp-alg-null/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/esp-alg-strict-fail/description.txt b/testing/tests/esp-alg-strict-fail/description.txt
new file mode 100644
index 000000000..03c655480
--- /dev/null
+++ b/testing/tests/esp-alg-strict-fail/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with SHA-1 authentication
+as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines
+<b>ike=aes-128-sha</b> only, but will accept any other support algorithm proposed by the peer,
+leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces
+<b>esp=aes-128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail.
diff --git a/testing/tests/esp-alg-strict-fail/evaltest.dat b/testing/tests/esp-alg-strict-fail/evaltest.dat
new file mode 100644
index 000000000..6f2024ff9
--- /dev/null
+++ b/testing/tests/esp-alg-strict-fail/evaltest.dat
@@ -0,0 +1,9 @@
+carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::YES
+carol::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES
+moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::YES
+moon::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
+carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*ISAKMP SA established::NO
+moon::cat /var/log/auth.log::IPSec Transform.*ESP_3DES (192), AUTH_ALGORITHM_HMAC_SHA1.*refused due to strict flag::YES
+moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES
diff --git a/testing/tests/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..ae8d2b772
--- /dev/null
+++ b/testing/tests/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=3des-sha
+	esp=3des-sha1
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2dd1c763a
--- /dev/null
+++ b/testing/tests/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+	ike=aes128-sha
+	esp=aes128-sha1!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/esp-alg-strict-fail/posttest.dat b/testing/tests/esp-alg-strict-fail/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/esp-alg-strict-fail/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/esp-alg-strict-fail/pretest.dat b/testing/tests/esp-alg-strict-fail/pretest.dat
new file mode 100644
index 000000000..f5aa989fe
--- /dev/null
+++ b/testing/tests/esp-alg-strict-fail/pretest.dat
@@ -0,0 +1,4 @@
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/esp-alg-strict-fail/test.conf b/testing/tests/esp-alg-strict-fail/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/esp-alg-strict-fail/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/esp-alg-strict/description.txt b/testing/tests/esp-alg-strict/description.txt
new file mode 100644
index 000000000..b4fc08253
--- /dev/null
+++ b/testing/tests/esp-alg-strict/description.txt
@@ -0,0 +1,7 @@
+Roadwarrior <b>carol</b> proposes <b>3DES</b> encryption (together with
+SHA-1 authentication) in the first place and <b>AES-128</b> encryption in
+second place for both the ISAKMP and IPsec SAs. Gateway <b>moon</b> defines
+<b>ike=aes-128-sha</b> but will accept any other supported algorithm proposed
+by the peer during Phase 1. But for ESP encryption <b>moon</b> enforces
+<b>esp=aes-128-sha1!</b> by applying the strict flag '!'.
+
diff --git a/testing/tests/esp-alg-strict/evaltest.dat b/testing/tests/esp-alg-strict/evaltest.dat
new file mode 100644
index 000000000..d5dd12d4e
--- /dev/null
+++ b/testing/tests/esp-alg-strict/evaltest.dat
@@ -0,0 +1,7 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::IPSec Transform.*ESP_3DES (192), AUTH_ALGORITHM_HMAC_SHA1.*refused due to strict flag::YES
+moon::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES
+moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES
+carol::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES
+carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES
diff --git a/testing/tests/esp-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/esp-alg-strict/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..5a14de070
--- /dev/null
+++ b/testing/tests/esp-alg-strict/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=3des-sha,aes-128-sha
+	esp=3des-sha1,aes-128-sha1
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/esp-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/esp-alg-strict/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2dd1c763a
--- /dev/null
+++ b/testing/tests/esp-alg-strict/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+	ike=aes128-sha
+	esp=aes128-sha1!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/esp-alg-strict/posttest.dat b/testing/tests/esp-alg-strict/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/esp-alg-strict/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/esp-alg-strict/pretest.dat b/testing/tests/esp-alg-strict/pretest.dat
new file mode 100644
index 000000000..f5aa989fe
--- /dev/null
+++ b/testing/tests/esp-alg-strict/pretest.dat
@@ -0,0 +1,4 @@
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/esp-alg-strict/test.conf b/testing/tests/esp-alg-strict/test.conf
new file mode 100644
index 000000000..a6c8f026c
--- /dev/null
+++ b/testing/tests/esp-alg-strict/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/esp-alg-weak/description.txt b/testing/tests/esp-alg-weak/description.txt
new file mode 100644
index 000000000..ffb6882f5
--- /dev/null
+++ b/testing/tests/esp-alg-weak/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> proposes <b>1DES</b> encryption with MD5 authentication
+as the only cipher suite for the IPsec SA. Because gateway <b>moon</b> does
+not use an explicit <b>esp</b> statement any strong encryption algorithm will be
+accepted but any weak key length will be rejected by default and thus the ISAKMP SA
+is bound to fail.
diff --git a/testing/tests/esp-alg-weak/evaltest.dat b/testing/tests/esp-alg-weak/evaltest.dat
new file mode 100644
index 000000000..72b14e805
--- /dev/null
+++ b/testing/tests/esp-alg-weak/evaltest.dat
@@ -0,0 +1,5 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
+carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO
+moon::cat /var/log/auth.log::IPSec Transform.*refused due to insecure key_len::YES
+moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES
diff --git a/testing/tests/esp-alg-weak/hosts/carol/etc/ipsec.conf b/testing/tests/esp-alg-weak/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..b4f067b6d
--- /dev/null
+++ b/testing/tests/esp-alg-weak/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=3des-md5-modp1024!
+	esp=des-md5!
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/esp-alg-weak/hosts/moon/etc/ipsec.conf b/testing/tests/esp-alg-weak/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..3f07213ae
--- /dev/null
+++ b/testing/tests/esp-alg-weak/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/esp-alg-weak/posttest.dat b/testing/tests/esp-alg-weak/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/esp-alg-weak/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/esp-alg-weak/pretest.dat b/testing/tests/esp-alg-weak/pretest.dat
new file mode 100644
index 000000000..7d077c126
--- /dev/null
+++ b/testing/tests/esp-alg-weak/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/esp-alg-weak/test.conf b/testing/tests/esp-alg-weak/test.conf
new file mode 100644
index 000000000..a6c8f026c
--- /dev/null
+++ b/testing/tests/esp-alg-weak/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/host2host-cert/description.txt b/testing/tests/host2host-cert/description.txt
new file mode 100644
index 000000000..6be21bf8f
--- /dev/null
+++ b/testing/tests/host2host-cert/description.txt
@@ -0,0 +1,4 @@
+A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
+The authentication is based on X.509 certificates. <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/host2host-cert/evaltest.dat b/testing/tests/host2host-cert/evaltest.dat
new file mode 100644
index 000000000..d19f970f2
--- /dev/null
+++ b/testing/tests/host2host-cert/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/host2host-cert/posttest.dat b/testing/tests/host2host-cert/posttest.dat
new file mode 100644
index 000000000..52979508d
--- /dev/null
+++ b/testing/tests/host2host-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/host2host-cert/pretest.dat b/testing/tests/host2host-cert/pretest.dat
new file mode 100644
index 000000000..3536fd886
--- /dev/null
+++ b/testing/tests/host2host-cert/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2 
+moon::ipsec up host-host
diff --git a/testing/tests/host2host-cert/test.conf b/testing/tests/host2host-cert/test.conf
new file mode 100644
index 000000000..cf2e704fd
--- /dev/null
+++ b/testing/tests/host2host-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon winnetou sun"
+ 
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/host2host-swapped/description.txt b/testing/tests/host2host-swapped/description.txt
new file mode 100644
index 000000000..34cfe43cc
--- /dev/null
+++ b/testing/tests/host2host-swapped/description.txt
@@ -0,0 +1,3 @@
+Same scenario as test <a href="../host2host-cert/"><b>host2host-cert</b></a> but with
+swapped end definitions:  <b>right</b> denotes the <b>local</b> side whereas
+<b>left</b> stands for the <b>remote</b> peer.
diff --git a/testing/tests/host2host-swapped/evaltest.dat b/testing/tests/host2host-swapped/evaltest.dat
new file mode 100644
index 000000000..d19f970f2
--- /dev/null
+++ b/testing/tests/host2host-swapped/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/host2host-swapped/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..4b66a5ecb
--- /dev/null
+++ b/testing/tests/host2host-swapped/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn host-host
+	right=PH_IP_MOON
+	rightnexthop=%direct
+	rightcert=moonCert.pem
+	rightid=@moon.strongswan.org
+	rightfirewall=yes
+	left=PH_IP_SUN
+	leftid=@sun.strongswan.org
+	auto=add
diff --git a/testing/tests/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/host2host-swapped/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..a58894b33
--- /dev/null
+++ b/testing/tests/host2host-swapped/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	nat_traversal=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn host-host
+	right=PH_IP_SUN
+	rightnexthop=%direct
+	rightcert=sunCert.pem
+	rightfirewall=yes
+	rightid=@sun.strongswan.org
+	left=PH_IP_MOON
+	leftid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/host2host-swapped/posttest.dat b/testing/tests/host2host-swapped/posttest.dat
new file mode 100644
index 000000000..52979508d
--- /dev/null
+++ b/testing/tests/host2host-swapped/posttest.dat
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/host2host-swapped/pretest.dat b/testing/tests/host2host-swapped/pretest.dat
new file mode 100644
index 000000000..e2d98f2eb
--- /dev/null
+++ b/testing/tests/host2host-swapped/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up host-host
diff --git a/testing/tests/host2host-swapped/test.conf b/testing/tests/host2host-swapped/test.conf
new file mode 100644
index 000000000..cf2e704fd
--- /dev/null
+++ b/testing/tests/host2host-swapped/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon winnetou sun"
+ 
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/host2host-transport/description.txt b/testing/tests/host2host-transport/description.txt
new file mode 100644
index 000000000..fe3482c96
--- /dev/null
+++ b/testing/tests/host2host-transport/description.txt
@@ -0,0 +1,4 @@
+An IPsec <b>transport-mode</b> connection between the hosts <b>moon</b> and <b>sun</b> is
+successfully set up. <b>leftfirewall=yes</b> automatically inserts iptables-based firewall
+rules that let pass the decrypted IP packets. In order to test the host-to-host connection
+<b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/host2host-transport/evaltest.dat b/testing/tests/host2host-transport/evaltest.dat
new file mode 100644
index 000000000..d19f970f2
--- /dev/null
+++ b/testing/tests/host2host-transport/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/host2host-transport/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..af5000fa8
--- /dev/null
+++ b/testing/tests/host2host-transport/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+
+conn host-host
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	type=transport
+	auto=add
diff --git a/testing/tests/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/host2host-transport/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..10bea9847
--- /dev/null
+++ b/testing/tests/host2host-transport/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+
+conn host-host
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	type=transport
+	auto=add
+
diff --git a/testing/tests/host2host-transport/posttest.dat b/testing/tests/host2host-transport/posttest.dat
new file mode 100644
index 000000000..52979508d
--- /dev/null
+++ b/testing/tests/host2host-transport/posttest.dat
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/host2host-transport/pretest.dat b/testing/tests/host2host-transport/pretest.dat
new file mode 100644
index 000000000..e2d98f2eb
--- /dev/null
+++ b/testing/tests/host2host-transport/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up host-host
diff --git a/testing/tests/host2host-transport/test.conf b/testing/tests/host2host-transport/test.conf
new file mode 100644
index 000000000..cf2e704fd
--- /dev/null
+++ b/testing/tests/host2host-transport/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon winnetou sun"
+ 
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ike-alg-sha2_512/description.txt b/testing/tests/ike-alg-sha2_512/description.txt
new file mode 100644
index 000000000..1bec4b8c6
--- /dev/null
+++ b/testing/tests/ike-alg-sha2_512/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the paranoid cipher suite
+<b>AES_CBC_256-SHA2_512-MODP8192</b> for the IKE protocol and
+<b>AES_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ike-alg-sha2_512/evaltest.dat b/testing/tests/ike-alg-sha2_512/evaltest.dat
new file mode 100644
index 000000000..dbd35429c
--- /dev/null
+++ b/testing/tests/ike-alg-sha2_512/evaltest.dat
@@ -0,0 +1,8 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::IKE algorithm newest: AES_CBC_256-SHA2_512-MODP8192::YES
+carol::ipsec statusall::IKE algorithm newest: AES_CBC_256-SHA2_512-MODP8192::YES
+moon::ipsec statusall::ESP algorithm newest: AES_256-HMAC_SHA2_256::YES
+carol::ipsec statusall::ESP algorithm newest: AES_256-HMAC_SHA2_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+
diff --git a/testing/tests/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf b/testing/tests/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..1f73cdc21
--- /dev/null
+++ b/testing/tests/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=aes256-sha2_512-modp8192!
+	esp=aes256-sha2_256!
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf b/testing/tests/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..90911997e
--- /dev/null
+++ b/testing/tests/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+	ike=aes256-sha2_512-modp8192!
+	esp=aes256-sha2_256!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/ike-alg-sha2_512/posttest.dat b/testing/tests/ike-alg-sha2_512/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/ike-alg-sha2_512/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ike-alg-sha2_512/pretest.dat b/testing/tests/ike-alg-sha2_512/pretest.dat
new file mode 100644
index 000000000..7d077c126
--- /dev/null
+++ b/testing/tests/ike-alg-sha2_512/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ike-alg-sha2_512/test.conf b/testing/tests/ike-alg-sha2_512/test.conf
new file mode 100644
index 000000000..a6c8f026c
--- /dev/null
+++ b/testing/tests/ike-alg-sha2_512/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ike-alg-strict-fail/description.txt b/testing/tests/ike-alg-strict-fail/description.txt
new file mode 100644
index 000000000..03c655480
--- /dev/null
+++ b/testing/tests/ike-alg-strict-fail/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with SHA-1 authentication
+as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines
+<b>ike=aes-128-sha</b> only, but will accept any other support algorithm proposed by the peer,
+leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces
+<b>esp=aes-128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail.
diff --git a/testing/tests/ike-alg-strict-fail/evaltest.dat b/testing/tests/ike-alg-strict-fail/evaltest.dat
new file mode 100644
index 000000000..931b8855a
--- /dev/null
+++ b/testing/tests/ike-alg-strict-fail/evaltest.dat
@@ -0,0 +1,5 @@
+carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
+moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
+carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES
+moon::cat /var/log/auth.log::Oakley Transform.*OAKLEY_3DES_CBC (192), OAKLEY_SHA.*refused due to strict flag::YES
+moon::cat /var/log/auth.log::no acceptable Oakley Transform::YES
diff --git a/testing/tests/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..ae8d2b772
--- /dev/null
+++ b/testing/tests/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=3des-sha
+	esp=3des-sha1
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..85cd235dc
--- /dev/null
+++ b/testing/tests/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+	ike=aes128-sha!
+	esp=aes128-sha1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/ike-alg-strict-fail/posttest.dat b/testing/tests/ike-alg-strict-fail/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/ike-alg-strict-fail/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ike-alg-strict-fail/pretest.dat b/testing/tests/ike-alg-strict-fail/pretest.dat
new file mode 100644
index 000000000..f5aa989fe
--- /dev/null
+++ b/testing/tests/ike-alg-strict-fail/pretest.dat
@@ -0,0 +1,4 @@
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ike-alg-strict-fail/test.conf b/testing/tests/ike-alg-strict-fail/test.conf
new file mode 100644
index 000000000..7e7848831
--- /dev/null
+++ b/testing/tests/ike-alg-strict-fail/test.conf
@@ -0,0 +1,21 @@
+##!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ike-alg-strict/description.txt b/testing/tests/ike-alg-strict/description.txt
new file mode 100644
index 000000000..35d266e20
--- /dev/null
+++ b/testing/tests/ike-alg-strict/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with <b>SHA-1</b> authentication in the first place
+and <b>AES-128</b> encryption with <b>SHA-1</b> authentication in the second place for both the ISAKMP and IPsec SA.
+The gateway <b>moon</b> enforces <b>ike=aes-128-sha!</b> for Phase 1 by using the strict flag '!', 
+but will accept any other supported algorithm proposed by the peer for Phase 2 , even though <b>moon</b>
+defines itself <b>esp=aes-128-sha1</b> only.
diff --git a/testing/tests/ike-alg-strict/evaltest.dat b/testing/tests/ike-alg-strict/evaltest.dat
new file mode 100644
index 000000000..46140be8a
--- /dev/null
+++ b/testing/tests/ike-alg-strict/evaltest.dat
@@ -0,0 +1,7 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::Oakley Transform.*OAKLEY_3DES_CBC (192), OAKLEY_SHA.*refused due to strict flag::YES
+moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA::YES
+moon::ipsec statusall::ESP algorithm newest: 3DES_0-HMAC_SHA1::YES
+carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA::YES
+carol::ipsec statusall::ESP algorithm newest: 3DES_0-HMAC_SHA1::YES
diff --git a/testing/tests/ike-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ike-alg-strict/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..5a14de070
--- /dev/null
+++ b/testing/tests/ike-alg-strict/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=3des-sha,aes-128-sha
+	esp=3des-sha1,aes-128-sha1
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ike-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ike-alg-strict/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..85cd235dc
--- /dev/null
+++ b/testing/tests/ike-alg-strict/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+	ike=aes128-sha!
+	esp=aes128-sha1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/ike-alg-strict/posttest.dat b/testing/tests/ike-alg-strict/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/ike-alg-strict/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ike-alg-strict/pretest.dat b/testing/tests/ike-alg-strict/pretest.dat
new file mode 100644
index 000000000..f5aa989fe
--- /dev/null
+++ b/testing/tests/ike-alg-strict/pretest.dat
@@ -0,0 +1,4 @@
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ike-alg-strict/test.conf b/testing/tests/ike-alg-strict/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ike-alg-strict/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/mode-config-swapped/description.txt b/testing/tests/mode-config-swapped/description.txt
new file mode 100644
index 000000000..e29e6f654
--- /dev/null
+++ b/testing/tests/mode-config-swapped/description.txt
@@ -0,0 +1,3 @@
+Same scenario as test <a href="../mode-config/"><b>mode-config</b></a> but with
+swapped end definitions:  <b>right</b> denotes the <b>local</b> side whereas
+<b>left</b> stands for the <b>remote</b> peer.
diff --git a/testing/tests/mode-config-swapped/evaltest.dat b/testing/tests/mode-config-swapped/evaltest.dat
new file mode 100644
index 000000000..be8ca6ef5
--- /dev/null
+++ b/testing/tests/mode-config-swapped/evaltest.dat
@@ -0,0 +1,16 @@
+carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES
+dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: icmp::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: icmp::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: icmp::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: icmp::YES
diff --git a/testing/tests/mode-config-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/mode-config-swapped/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..bee23f4df
--- /dev/null
+++ b/testing/tests/mode-config-swapped/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	right=PH_IP_CAROL
+	rightsourceip=%modeconfig
+	rightnexthop=%direct
+	rightcert=carolCert.pem
+	rightid=carol@strongswan.org
+	rightfirewall=yes
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/mode-config-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/mode-config-swapped/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..698cd9673
--- /dev/null
+++ b/testing/tests/mode-config-swapped/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	right=PH_IP_DAVE
+	rightsourceip=%modeconfig
+	rightnexthop=%direct
+	rightcert=daveCert.pem
+	rightid=dave@strongswan.org
+	rightfirewall=yes
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/mode-config-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/mode-config-swapped/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..b9e401080
--- /dev/null
+++ b/testing/tests/mode-config-swapped/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,33 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightsourceip=PH_IP1_MOON
+	rightnexthop=%direct
+	rightcert=moonCert.pem
+	rightid=@moon.strongswan.org
+	rightfirewall=yes
+
+conn rw-carol
+	left=%any
+	leftid=carol@strongswan.org
+	leftsourceip=PH_IP1_CAROL
+	auto=add
+
+conn rw-dave
+	left=%any
+	leftid=dave@strongswan.org
+	leftsourceip=PH_IP1_DAVE
+	auto=add
diff --git a/testing/tests/mode-config-swapped/posttest.dat b/testing/tests/mode-config-swapped/posttest.dat
new file mode 100644
index 000000000..932b319a7
--- /dev/null
+++ b/testing/tests/mode-config-swapped/posttest.dat
@@ -0,0 +1,11 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+dave::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP1_CAROL/32 dev eth0
+dave::ip addr del PH_IP1_DAVE/32 dev eth0
diff --git a/testing/tests/mode-config-swapped/pretest.dat b/testing/tests/mode-config-swapped/pretest.dat
new file mode 100644
index 000000000..1e45f00fd
--- /dev/null
+++ b/testing/tests/mode-config-swapped/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/mode-config-swapped/test.conf b/testing/tests/mode-config-swapped/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/mode-config-swapped/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/mode-config/description.txt b/testing/tests/mode-config/description.txt
new file mode 100644
index 000000000..3e67f83f1
--- /dev/null
+++ b/testing/tests/mode-config/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config protocol
+by using the <b>leftsourceip=%modeconfig</b> parameter. <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
+tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
+<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b>
+and <b>dave1</b>, respectively.
diff --git a/testing/tests/mode-config/evaltest.dat b/testing/tests/mode-config/evaltest.dat
new file mode 100644
index 000000000..be8ca6ef5
--- /dev/null
+++ b/testing/tests/mode-config/evaltest.dat
@@ -0,0 +1,16 @@
+carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES
+dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: icmp::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: icmp::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: icmp::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: icmp::YES
diff --git a/testing/tests/mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/mode-config/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..598997b45
--- /dev/null
+++ b/testing/tests/mode-config/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%modeconfig
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/mode-config/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..da601389c
--- /dev/null
+++ b/testing/tests/mode-config/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_DAVE
+	leftsourceip=%modeconfig
+	leftnexthop=%direct
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/mode-config/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..49333e217
--- /dev/null
+++ b/testing/tests/mode-config/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,33 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftsourceip=PH_IP1_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+
+conn rw-carol
+	right=%any
+	rightid=carol@strongswan.org
+	rightsourceip=PH_IP1_CAROL
+	auto=add
+
+conn rw-dave
+	right=%any
+	rightid=dave@strongswan.org
+	rightsourceip=PH_IP1_DAVE
+	auto=add
diff --git a/testing/tests/mode-config/posttest.dat b/testing/tests/mode-config/posttest.dat
new file mode 100644
index 000000000..932b319a7
--- /dev/null
+++ b/testing/tests/mode-config/posttest.dat
@@ -0,0 +1,11 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+dave::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP1_CAROL/32 dev eth0
+dave::ip addr del PH_IP1_DAVE/32 dev eth0
diff --git a/testing/tests/mode-config/pretest.dat b/testing/tests/mode-config/pretest.dat
new file mode 100644
index 000000000..1e45f00fd
--- /dev/null
+++ b/testing/tests/mode-config/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/mode-config/test.conf b/testing/tests/mode-config/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/mode-config/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/multi-level-ca-ldap/description.txt b/testing/tests/multi-level-ca-ldap/description.txt
new file mode 100644
index 000000000..18fb88840
--- /dev/null
+++ b/testing/tests/multi-level-ca-ldap/description.txt
@@ -0,0 +1,11 @@
+The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
+<b>venus</b> by means of two different Intermediate CAs. Access to
+<b>alice</b> is granted to users presenting a certificate issued by the Research CA
+whereas <b>venus</b> can only be reached with a certificate issued by the
+Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
+the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
+<b>alice</b> and <b>dave</b> can reach <b>venus</b>.
+<p>
+By setting <b>strictcrlpolicy=yes</b> the CRLs from the strongSwan, Research and
+Sales CAs must be fetched from the LDAP server <b>winnetou</b> first, before the
+connection setups can be successfully completed.
diff --git a/testing/tests/multi-level-ca-ldap/evaltest.dat b/testing/tests/multi-level-ca-ldap/evaltest.dat
new file mode 100644
index 000000000..f504706e2
--- /dev/null
+++ b/testing/tests/multi-level-ca-ldap/evaltest.dat
@@ -0,0 +1,13 @@
+moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES
+carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES
+dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+moon::cat /var/log/auth.log::Trying LDAP URL::YES
+carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
+moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
+dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
+dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
+moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..222c3cf67
--- /dev/null
+++ b/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+ca strongswan
+        cacert=strongswanCert.pem
+        crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+        auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+
+conn alice
+	rightsubnet=PH_IP_ALICE/32
+	auto=add
+	
+conn venus
+	rightsubnet=PH_IP_VENUS/32
+	auto=add
diff --git a/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..2990d6a12
--- /dev/null
+++ b/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
+M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
+dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
+dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
+57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
+5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
+hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
+qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
+FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
+Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
+7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
+wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
+MWjwPJs52qVJ3Ph++EF6bw==
+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..b91f9bf81
--- /dev/null
+++ b/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
+65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
+8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
+VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
+hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
+y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
+0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
+FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
+gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
+PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
+nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
+U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
+mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
+MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
+UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
+G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
+Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
+hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
+PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
+tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
+s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
+uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
+ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
+LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
+Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..bfa0ebba3
--- /dev/null
+++ b/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_DAVE
+	leftnexthop=%direct
+	leftcert=daveCert.pem
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+
+conn alice
+	rightsubnet=PH_IP_ALICE/32
+	auto=add
+	
+conn venus
+	rightsubnet=PH_IP_VENUS/32
+	auto=add
diff --git a/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..b76032480
--- /dev/null
+++ b/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
+BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
+BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS
+zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+
+1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN
+P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+
++eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP
+aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY
+GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
+YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
+cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P
+p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw
+ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6
+Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA
+DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/
+Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+
+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..022436de4
--- /dev/null
+++ b/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6
+OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW
+1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI
+mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe
+ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM
+pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0
+mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c
+JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz
+0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq
+8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0
+3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u
+U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ
+Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs
+MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS
+sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B
+oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7
+1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i
+bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7
+AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO
+9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX
+3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw
+px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP
+qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt
+/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/
+UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..8de514a2e
--- /dev/null
+++ b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,76 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow ldap crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..e2b60589b
--- /dev/null
+++ b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,47 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=yes
+
+ca strongswan
+	cacert=strongswanCert.pem
+	crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+	auto=add
+
+ca research 
+        cacert=researchCert.pem
+	crluri="ldap://ldap.strongswan.org/cn=Research CA, ou=Research, o=Linux strongSwan, c=CH?certificateRevocationList"
+	auto=add
+	
+ca sales 
+        cacert=salesCert.pem
+	crluri="ldap://ldap.strongswan.org/cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH?certificateRevocationList"
+	auto=add
+			
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+
+conn alice
+	leftsubnet=PH_IP_ALICE/32
+	right=%any
+	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+	auto=add
+	
+conn venus
+	leftsubnet=PH_IP_VENUS/32
+	right=%any
+	rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+	auto=add
+	
diff --git a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
new file mode 100644
index 000000000..154cff654
--- /dev/null
+++ b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
+FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
+zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
+/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
+C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
+BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
+VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
+Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
+fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
+3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
+0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
+IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
+Tfcyi+M=
+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
new file mode 100644
index 000000000..e50477872
--- /dev/null
+++ b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
+MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
+GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV
+Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S
+uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO
+sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1
+vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
+MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
+VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
+MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
+8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
+9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
+iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
+uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
+xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca-ldap/posttest.dat b/testing/tests/multi-level-ca-ldap/posttest.dat
new file mode 100644
index 000000000..e618fc419
--- /dev/null
+++ b/testing/tests/multi-level-ca-ldap/posttest.dat
@@ -0,0 +1,8 @@
+moon::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::rm /etc/ipsec.d/cacerts/*
+winnetou::/etc/init.d/slapd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+
diff --git a/testing/tests/multi-level-ca-ldap/pretest.dat b/testing/tests/multi-level-ca-ldap/pretest.dat
new file mode 100644
index 000000000..322f42102
--- /dev/null
+++ b/testing/tests/multi-level-ca-ldap/pretest.dat
@@ -0,0 +1,10 @@
+winnetou::/etc/init.d/slapd start
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up alice
+carol::ipsec up venus
+dave::ipsec up venus
+dave::ipsec up alice
diff --git a/testing/tests/multi-level-ca-ldap/test.conf b/testing/tests/multi-level-ca-ldap/test.conf
new file mode 100644
index 000000000..08e5cc145
--- /dev/null
+++ b/testing/tests/multi-level-ca-ldap/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/multi-level-ca-loop/description.txt b/testing/tests/multi-level-ca-loop/description.txt
new file mode 100644
index 000000000..9b63c2c66
--- /dev/null
+++ b/testing/tests/multi-level-ca-loop/description.txt
@@ -0,0 +1,6 @@
+The roadwarrior <b>carol</b>, possessing a certificate issued by the
+Research CA, tries to set up a tunnel to gateway <b>moon</b>.
+The Research CA's certificate is signed by the Sales CA and
+the Sales CA's certificate in turn is signed by the Research CA.
+This leads to an endless trust path loop but which is aborted by
+<b>moon</b> when the path level reaches a depth of 7 iterations.
diff --git a/testing/tests/multi-level-ca-loop/evaltest.dat b/testing/tests/multi-level-ca-loop/evaltest.dat
new file mode 100644
index 000000000..781a7b4ac
--- /dev/null
+++ b/testing/tests/multi-level-ca-loop/evaltest.dat
@@ -0,0 +1,3 @@
+moon::cat /var/log/auth.log::maximum ca path length of 7 levels exceeded::YES
+carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
+moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c56678b59
--- /dev/null
+++ b/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+
+conn alice
+	rightsubnet=PH_IP_ALICE/32
+	auto=add
+
+
+
+
+
diff --git a/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..2990d6a12
--- /dev/null
+++ b/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
+M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
+dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
+dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
+57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
+5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
+hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
+qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
+FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
+Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
+7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
+wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
+MWjwPJs52qVJ3Ph++EF6bw==
+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..b91f9bf81
--- /dev/null
+++ b/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
+65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
+8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
+VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
+hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
+y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
+0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
+FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
+gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
+PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
+nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
+U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
+mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
+MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
+UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
+G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
+Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
+hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
+PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
+tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
+s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
+uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
+ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
+LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
+Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..343042f15
--- /dev/null
+++ b/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+
+conn alice
+	leftsubnet=PH_IP_ALICE/32
+	right=%any
+	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+	auto=add
diff --git a/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem b/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
new file mode 100644
index 000000000..efb939e3a
--- /dev/null
+++ b/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID/TCCAuWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
+BAMTCFNhbGVzIENBMB4XDTA1MDYxNjE5NTUzNloXDTEwMDYxNTE5NTUzNlowUTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT
+CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf
+rxnGsvmDFCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9ID
+BxzQaQyUzsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx
+4PKJ54FO/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5q
+m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha
+/m0Ug494+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOB5TCB4jAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM
+x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQ0wNAYDVR0fBC0wKzApoCegJYYjaHR0cDov
+L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQEFBQADggEB
+AJ2EkXnpgdJpsBIMcH+3oTUks8gAT5bR+LdVQSMHqvjgfaCq5fuZY15niLm5QeFr
+Yhv2KtfHfF+tZgE+qWcqS33Y2U/jwUMO45Wqi5HXQDk8AM/gcvQZ8+PINkGdVdup
+Wyw3MM08S/fp8UUl/3QrDr+CBGqZCSx3LEIFILm2hvdXK1/okAtkwlKV4YiOEemg
+pZURzA2M29FeGDS8snfiVYFBkydT9QrrHnx8IwyVGykfOA4tnjRsjTvcs0qhtLcL
+rjK2FSmzBTCVl6/lBOYmB765KUHev6WF4hdMKHf7lsH2nhYb97jxoT54y73jVd1S
+uaJ2yDwEhOHn3ihb1bqlanM=
+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem b/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
new file mode 100644
index 000000000..90e207c4b
--- /dev/null
+++ b/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIBAjANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDYxNjE5NTcxMFoXDTEwMDYxNTE5NTcx
+MFowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM
+BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH
+/QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq
+4JI87exSen1ggmCVEib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6
+XL9DKcRk3TxZtv9SuDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562
+kDtfQdwezat0LAyOsVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAj
+gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1
+p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQwwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov
+L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQEFBQAD
+ggEBAJW0/z17JK38rsn8zh0Ta+9Ql5fcA9UIUGcN/KfCvdGwrYaym8Dy6Pz+sZkO
+clOv5t+3R1zKDiiLGQ4m8jYW6NcxeJZyyPhGtKaafanXZsQuMpaTpvkRr62jx/NB
+b3c/HS3dqz2dTMvFJ6CC65vOnnGgzF1szhrrWymGI/NuHUge748WYPNw+OsLmBQI
+koXJsMURGtPWXtJE98Rre+r/6O5kzZNv7V8LGoBkWf1Z6g1q2VvCcnJPxANcQoxf
+Is+E+aqBhGJ6XlnQIlQB1SjoMhOnJ282JK9Hk3NmQYb/zvIzIfo3FCrjj1JI/XoA
+/szZoxwnE2iHtIoMAhfHZpRvOkg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca-loop/posttest.dat b/testing/tests/multi-level-ca-loop/posttest.dat
new file mode 100644
index 000000000..076f51f4d
--- /dev/null
+++ b/testing/tests/multi-level-ca-loop/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::rm /etc/ipsec.d/cacerts/*
+
diff --git a/testing/tests/multi-level-ca-loop/pretest.dat b/testing/tests/multi-level-ca-loop/pretest.dat
new file mode 100644
index 000000000..0a0ec22bf
--- /dev/null
+++ b/testing/tests/multi-level-ca-loop/pretest.dat
@@ -0,0 +1,6 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up alice
diff --git a/testing/tests/multi-level-ca-loop/test.conf b/testing/tests/multi-level-ca-loop/test.conf
new file mode 100644
index 000000000..3189fdfc7
--- /dev/null
+++ b/testing/tests/multi-level-ca-loop/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/multi-level-ca-revoked/description.txt b/testing/tests/multi-level-ca-revoked/description.txt
new file mode 100644
index 000000000..c91ac285b
--- /dev/null
+++ b/testing/tests/multi-level-ca-revoked/description.txt
@@ -0,0 +1,4 @@
+The roadwarrior <b>carol</b> possesses a certificate issued by the Research CA.
+The certificate of the Research CA has been revoked by the Root CA by entering
+the serial number in the CRL. Therefore upon verification of the trust path
+the gateway <b>moon</b> will reject the roadwarrior's certificate  
diff --git a/testing/tests/multi-level-ca-revoked/evaltest.dat b/testing/tests/multi-level-ca-revoked/evaltest.dat
new file mode 100644
index 000000000..0fd1cae8c
--- /dev/null
+++ b/testing/tests/multi-level-ca-revoked/evaltest.dat
@@ -0,0 +1,6 @@
+moon::cat /var/log/auth.log::X.509 certificate rejected::YES
+moon::cat /var/log/auth.log::certificate was revoked::YES
+carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+moon::ipsec listcrls:: ok::YES
+moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
+carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
diff --git a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..6d0aee86a
--- /dev/null
+++ b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+
+conn home
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..2990d6a12
--- /dev/null
+++ b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
+M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
+dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
+dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
+57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
+5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
+hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
+qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
+FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
+Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
+7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
+wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
+MWjwPJs52qVJ3Ph++EF6bw==
+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..b91f9bf81
--- /dev/null
+++ b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
+65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
+8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
+VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
+hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
+y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
+0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
+FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
+gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
+PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
+nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
+U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
+mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
+MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
+UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
+G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
+Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
+hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
+PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
+tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
+s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
+uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
+ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
+LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
+Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..fac55d63b
--- /dev/null
+++ b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem
diff --git a/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..39a298de9
--- /dev/null
+++ b/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=yes
+
+ca strongswan
+	cacert=strongswanCert.pem
+	crluri=http://crl.strongswan.org/strongswan.crl
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+
+conn alice
+	leftsubnet=PH_IP_ALICE/32
+	right=%any
+	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+	auto=add
diff --git a/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
new file mode 100644
index 000000000..c380a5110
--- /dev/null
+++ b/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqmgAwIBAgIBDDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDMyMzA2MjUzNloXDTE0MDMyMTA2MjUzNlowUTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
+FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
+zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
+/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
+C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
+BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
+VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAA4jpa5Vc/q94/X1
+LAHO2m7v2AFPl68SwspZLbCL7Le+iv5BUQ814Y9qCXMySak+NpZ5RLzm/cC+3GCa
+6eyozhZnS5LDxIgtStXWaC3vIQKQhJMwnc43RgcqneqqS5/H5zNXz/f0g/bRG8bN
+T6nO0ZRdpy8Zu0+fH3f/u9/sQPRX3iNL/rd3x/UVLoowkQHdKzZfjcrFm+8CPl4r
+9xOKjzC6epPY2ApfXmLodd0zemf84CKSJCXfkVlk0cYw1YLKUINnHToFfDAw0kCL
+cVc7wHWZlzSVSE3u0PYXVssnsm08RWqAGPL3TO09fnUntNMzlIxNpOTuWsKVXZPq
+YO2C4HE=
+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca-revoked/posttest.dat b/testing/tests/multi-level-ca-revoked/posttest.dat
new file mode 100644
index 000000000..f84b7e37b
--- /dev/null
+++ b/testing/tests/multi-level-ca-revoked/posttest.dat
@@ -0,0 +1,3 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/multi-level-ca-revoked/pretest.dat b/testing/tests/multi-level-ca-revoked/pretest.dat
new file mode 100644
index 000000000..d92333d86
--- /dev/null
+++ b/testing/tests/multi-level-ca-revoked/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/multi-level-ca-revoked/test.conf b/testing/tests/multi-level-ca-revoked/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/multi-level-ca-revoked/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/multi-level-ca-strict/description.txt b/testing/tests/multi-level-ca-strict/description.txt
new file mode 100644
index 000000000..32413e3de
--- /dev/null
+++ b/testing/tests/multi-level-ca-strict/description.txt
@@ -0,0 +1,10 @@
+The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
+<b>venus</b> by means of two different Intermediate CAs. Access to
+<b>alice</b> is granted to users presenting a certificate issued by the Research CA
+whereas <b>venus</b> can only be reached with a certificate issued by the
+Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
+the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
+<b>alice</b> and <b>dave</b> can reach <b>venus</b>.
+<p>
+By setting <b>strictcrlpolicy=yes</b> the CRLs from the strongSwan, Research and
+Sales CAs must be fetched first, before the connection setups can be successfully completed.
diff --git a/testing/tests/multi-level-ca-strict/evaltest.dat b/testing/tests/multi-level-ca-strict/evaltest.dat
new file mode 100644
index 000000000..5a181a62d
--- /dev/null
+++ b/testing/tests/multi-level-ca-strict/evaltest.dat
@@ -0,0 +1,12 @@
+moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES
+carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES
+dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
+moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
+dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
+dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
+moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..de179c565
--- /dev/null
+++ b/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+
+conn alice
+	rightsubnet=PH_IP_ALICE/32
+	auto=add
+	
+conn venus
+	rightsubnet=PH_IP_VENUS/32
+	auto=add
+
+
+
+
+
diff --git a/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..2990d6a12
--- /dev/null
+++ b/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
+M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
+dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
+dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
+57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
+5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
+hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
+qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
+FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
+Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
+7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
+wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
+MWjwPJs52qVJ3Ph++EF6bw==
+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..b91f9bf81
--- /dev/null
+++ b/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
+65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
+8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
+VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
+hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
+y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
+0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
+FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
+gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
+PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
+nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
+U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
+mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
+MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
+UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
+G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
+Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
+hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
+PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
+tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
+s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
+uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
+ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
+LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
+Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..2fb6a301e
--- /dev/null
+++ b/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_DAVE
+	leftnexthop=%direct
+	leftcert=daveCert.pem
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+
+conn alice
+	rightsubnet=PH_IP_ALICE/32
+	auto=add
+	
+conn venus
+	rightsubnet=PH_IP_VENUS/32
+	auto=add
+
+
+
+
+
diff --git a/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..b76032480
--- /dev/null
+++ b/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
+BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
+BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS
+zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+
+1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN
+P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+
++eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP
+aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY
+GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
+YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
+cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P
+p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw
+ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6
+Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA
+DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/
+Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+
+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..022436de4
--- /dev/null
+++ b/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6
+OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW
+1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI
+mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe
+ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM
+pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0
+mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c
+JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz
+0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq
+8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0
+3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u
+U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ
+Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs
+MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS
+sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B
+oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7
+1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i
+bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7
+AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO
+9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX
+3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw
+px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP
+qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt
+/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/
+UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..6ed262d20
--- /dev/null
+++ b/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=yes
+
+ca strongswan
+	cacert=strongswanCert.pem
+	crluri=http://crl.strongswan.org/strongswan.crl
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+
+conn alice
+	leftsubnet=PH_IP_ALICE/32
+	right=%any
+	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+	auto=add
+	
+conn venus
+	leftsubnet=PH_IP_VENUS/32
+	right=%any
+	rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+	auto=add
+	
diff --git a/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
new file mode 100644
index 000000000..154cff654
--- /dev/null
+++ b/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
+FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
+zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
+/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
+C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
+BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
+VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
+Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
+fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
+3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
+0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
+IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
+Tfcyi+M=
+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
new file mode 100644
index 000000000..e50477872
--- /dev/null
+++ b/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
+MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
+GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV
+Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S
+uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO
+sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1
+vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
+MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
+VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
+MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
+8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
+9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
+iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
+uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
+xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca-strict/posttest.dat b/testing/tests/multi-level-ca-strict/posttest.dat
new file mode 100644
index 000000000..1646d5ed2
--- /dev/null
+++ b/testing/tests/multi-level-ca-strict/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::rm /etc/ipsec.d/cacerts/*
+
diff --git a/testing/tests/multi-level-ca-strict/pretest.dat b/testing/tests/multi-level-ca-strict/pretest.dat
new file mode 100644
index 000000000..67c50c2ef
--- /dev/null
+++ b/testing/tests/multi-level-ca-strict/pretest.dat
@@ -0,0 +1,9 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up alice
+carol::ipsec up venus
+dave::ipsec up venus
+dave::ipsec up alice
diff --git a/testing/tests/multi-level-ca-strict/test.conf b/testing/tests/multi-level-ca-strict/test.conf
new file mode 100644
index 000000000..08e5cc145
--- /dev/null
+++ b/testing/tests/multi-level-ca-strict/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/multi-level-ca/description.txt b/testing/tests/multi-level-ca/description.txt
new file mode 100644
index 000000000..64825cb30
--- /dev/null
+++ b/testing/tests/multi-level-ca/description.txt
@@ -0,0 +1,7 @@
+The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
+<b>venus</b> by means of two different Intermediate CAs. Access to
+<b>alice</b> is granted to users presenting a certificate issued by the Research CA
+whereas <b>venus</b> can only be reached with a certificate issued by the
+Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
+the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
+<b>alice</b> and <b>dave</b> can reach <b>venus</b>.
diff --git a/testing/tests/multi-level-ca/evaltest.dat b/testing/tests/multi-level-ca/evaltest.dat
new file mode 100644
index 000000000..72f620b8e
--- /dev/null
+++ b/testing/tests/multi-level-ca/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/auth.log::alice.*we have a cert and are sending it upon request::YES
+moon::cat /var/log/auth.log::alice.*we have a cert and are sending it upon request::YES
+dave::cat /var/log/auth.log::venus.*we have a cert and are sending it upon request::YES
+moon::cat /var/log/auth.log::venus.*we have a cert and are sending it upon request::YES
+carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
+moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
+dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
+dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
+moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..e851a82f0
--- /dev/null
+++ b/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,33 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftsendcert=ifasked
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+
+conn alice
+	rightsubnet=PH_IP_ALICE/32
+	auto=add
+	
+conn venus
+	rightsubnet=PH_IP_VENUS/32
+	auto=add
+
+
+
+
+
diff --git a/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..2990d6a12
--- /dev/null
+++ b/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
+M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
+dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
+dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
+57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
+5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
+hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
+qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
+FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
+Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
+7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
+wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
+MWjwPJs52qVJ3Ph++EF6bw==
+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..b91f9bf81
--- /dev/null
+++ b/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
+65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
+8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
+VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
+hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
+y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
+0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
+FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
+gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
+PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
+nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
+U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
+mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
+MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
+UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
+G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
+Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
+hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
+PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
+tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
+s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
+uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
+ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
+LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
+Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..458a4ca5e
--- /dev/null
+++ b/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,33 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_DAVE
+	leftnexthop=%direct
+	leftcert=daveCert.pem
+	leftsendcert=ifasked
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+
+conn alice
+	rightsubnet=PH_IP_ALICE/32
+	auto=add
+	
+conn venus
+	rightsubnet=PH_IP_VENUS/32
+	auto=add
+
+
+
+
+
diff --git a/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..b76032480
--- /dev/null
+++ b/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
+BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
+BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS
+zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+
+1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN
+P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+
++eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP
+aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY
+GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
+YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
+cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P
+p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw
+ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6
+Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA
+DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/
+Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+
+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..022436de4
--- /dev/null
+++ b/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6
+OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW
+1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI
+mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe
+ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM
+pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0
+mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c
+JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz
+0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq
+8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0
+3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u
+U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ
+Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs
+MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS
+sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B
+oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7
+1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i
+bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7
+AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO
+9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX
+3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw
+px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP
+qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt
+/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/
+UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..e60bbc016
--- /dev/null
+++ b/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,37 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	crluri=http://crl.strongswan.org/strongswan.crl
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftsendcert=ifasked
+	leftid=@moon.strongswan.org
+
+conn alice
+	leftsubnet=PH_IP_ALICE/32
+	right=%any
+	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+	auto=add
+	
+conn venus
+	leftsubnet=PH_IP_VENUS/32
+	right=%any
+	rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+	auto=add
+	
diff --git a/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
new file mode 100644
index 000000000..154cff654
--- /dev/null
+++ b/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
+FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
+zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
+/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
+C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
+BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
+VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
+Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
+fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
+3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
+0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
+IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
+Tfcyi+M=
+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
new file mode 100644
index 000000000..e50477872
--- /dev/null
+++ b/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
+MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
+GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV
+Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S
+uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO
+sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1
+vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
+MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
+VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
+MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
+8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
+9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
+iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
+uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
+xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca/posttest.dat b/testing/tests/multi-level-ca/posttest.dat
new file mode 100644
index 000000000..1646d5ed2
--- /dev/null
+++ b/testing/tests/multi-level-ca/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::rm /etc/ipsec.d/cacerts/*
+
diff --git a/testing/tests/multi-level-ca/pretest.dat b/testing/tests/multi-level-ca/pretest.dat
new file mode 100644
index 000000000..67c50c2ef
--- /dev/null
+++ b/testing/tests/multi-level-ca/pretest.dat
@@ -0,0 +1,9 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up alice
+carol::ipsec up venus
+dave::ipsec up venus
+dave::ipsec up alice
diff --git a/testing/tests/multi-level-ca/test.conf b/testing/tests/multi-level-ca/test.conf
new file mode 100644
index 000000000..08e5cc145
--- /dev/null
+++ b/testing/tests/multi-level-ca/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/nat-one-rw/description.txt b/testing/tests/nat-one-rw/description.txt
new file mode 100644
index 000000000..c3b9bb820
--- /dev/null
+++ b/testing/tests/nat-one-rw/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a tunnel to
+gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnel, the NAT-ed host <b>alice</b> pings the
+client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/nat-one-rw/evaltest.dat b/testing/tests/nat-one-rw/evaltest.dat
new file mode 100644
index 000000000..bc193963d
--- /dev/null
+++ b/testing/tests/nat-one-rw/evaltest.dat
@@ -0,0 +1,5 @@
+alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/nat-one-rw/posttest.dat b/testing/tests/nat-one-rw/posttest.dat
new file mode 100644
index 000000000..af8e00575
--- /dev/null
+++ b/testing/tests/nat-one-rw/posttest.dat
@@ -0,0 +1,8 @@
+alice::iptables -v -n -L
+sun::iptables -v -n -L
+alice::ipsec stop
+sun::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+
diff --git a/testing/tests/nat-one-rw/pretest.dat b/testing/tests/nat-one-rw/pretest.dat
new file mode 100644
index 000000000..9dacc672c
--- /dev/null
+++ b/testing/tests/nat-one-rw/pretest.dat
@@ -0,0 +1,10 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::ipsec start
+sun::ipsec start
+alice::sleep 5
+alice::ipsec up nat-t
+
diff --git a/testing/tests/nat-one-rw/test.conf b/testing/tests/nat-one-rw/test.conf
new file mode 100644
index 000000000..d84149aaf
--- /dev/null
+++ b/testing/tests/nat-one-rw/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice sun"
diff --git a/testing/tests/nat-two-rw/description.txt b/testing/tests/nat-two-rw/description.txt
new file mode 100644
index 000000000..dcf4b94bd
--- /dev/null
+++ b/testing/tests/nat-two-rw/description.txt
@@ -0,0 +1,5 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/nat-two-rw/evaltest.dat b/testing/tests/nat-two-rw/evaltest.dat
new file mode 100644
index 000000000..b1a7d59ee
--- /dev/null
+++ b/testing/tests/nat-two-rw/evaltest.dat
@@ -0,0 +1,9 @@
+alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
+venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
+sun::ipsec status::nat-t.*alice@strongswan.org::YES
+sun::ipsec status::nat-t.*@venus.strongswan.org::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/nat-two-rw/posttest.dat b/testing/tests/nat-two-rw/posttest.dat
new file mode 100644
index 000000000..f019842ed
--- /dev/null
+++ b/testing/tests/nat-two-rw/posttest.dat
@@ -0,0 +1,11 @@
+alice::iptables -v -n -L
+venus::iptables -v -n -L
+sun::iptables -v -n -L
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+
diff --git a/testing/tests/nat-two-rw/pretest.dat b/testing/tests/nat-two-rw/pretest.dat
new file mode 100644
index 000000000..dd5259936
--- /dev/null
+++ b/testing/tests/nat-two-rw/pretest.dat
@@ -0,0 +1,13 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+venus::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::sleep 5 
+alice::ipsec up nat-t
+venus::sleep 5 
+venus::ipsec up nat-t
diff --git a/testing/tests/nat-two-rw/test.conf b/testing/tests/nat-two-rw/test.conf
new file mode 100644
index 000000000..84317fd70
--- /dev/null
+++ b/testing/tests/nat-two-rw/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/net2net-cert/description.txt b/testing/tests/net2net-cert/description.txt
new file mode 100644
index 000000000..7eea9192f
--- /dev/null
+++ b/testing/tests/net2net-cert/description.txt
@@ -0,0 +1,6 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/net2net-cert/evaltest.dat b/testing/tests/net2net-cert/evaltest.dat
new file mode 100644
index 000000000..7cbf92687
--- /dev/null
+++ b/testing/tests/net2net-cert/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/net2net-cert/posttest.dat b/testing/tests/net2net-cert/posttest.dat
new file mode 100644
index 000000000..52979508d
--- /dev/null
+++ b/testing/tests/net2net-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/net2net-cert/pretest.dat b/testing/tests/net2net-cert/pretest.dat
new file mode 100644
index 000000000..9f60760c6
--- /dev/null
+++ b/testing/tests/net2net-cert/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/net2net-cert/test.conf b/testing/tests/net2net-cert/test.conf
new file mode 100644
index 000000000..d9a61590f
--- /dev/null
+++ b/testing/tests/net2net-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/net2net-pgp/description.txt b/testing/tests/net2net-pgp/description.txt
new file mode 100644
index 000000000..c85f2e5d0
--- /dev/null
+++ b/testing/tests/net2net-pgp/description.txt
@@ -0,0 +1,6 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>OpenPGP keys</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/net2net-pgp/evaltest.dat b/testing/tests/net2net-pgp/evaltest.dat
new file mode 100644
index 000000000..7cbf92687
--- /dev/null
+++ b/testing/tests/net2net-pgp/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.conf b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..e7de6cf0b
--- /dev/null
+++ b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	nocrsend=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+	
+conn net-net
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.asc
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightcert=sunCert.asc
+	auto=add
diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc
new file mode 100644
index 000000000..135cfaec0
--- /dev/null
+++ b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc
@@ -0,0 +1,15 @@
+Type Bits/KeyID    Date       User ID
+pub  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
+RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
+tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
+vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
+f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
+t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
+=oaBj
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc
new file mode 100644
index 000000000..32f204b10
--- /dev/null
+++ b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc
@@ -0,0 +1,15 @@
+Type Bits/KeyID    Date       User ID
+pub  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
+rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
+I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
+tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
+A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
+0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
+lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
+=lLvB
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc
new file mode 100644
index 000000000..6524773e0
--- /dev/null
+++ b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc
@@ -0,0 +1,19 @@
+Type Bits/KeyID    Date       User ID
+sec  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
+
+-----BEGIN PGP SECRET KEY BLOCK-----
+Version: 2.6.3i
+
+lQHYA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
+RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
+AAP9Fj7OaaCfTL3Met8yuS8ZGMDL/fq+4f2bM+OdPSgD4N1Fiye0B1QMCVGWI1Xd
+JXS0+9QI0A3iD12YAnYwsP50KmsLHA69AqchN7BuimoMfHDXqpTSRW57E9MCEzQ9
+FFN8mVPRiDxAUro8qCjdHmk1vmtdt/PXn1BuXHE36SzZmmMCANBA4WHaO6MJshM6
+7StRicSCxoMn/lPcj6rfJS4EaS+a0MwECxKQ3HKTpP3/+7kaWfLI/D65Xmi3cVK3
+0CPwUK8CAP2RYWoBZPSA8dBGFYwR7W6bdNYhdmGmsVCaM7v4sVr0FwHwMERadByN
+8v0n5As3ZbrCURRp68wuE+JjfOM5mO8CAM3ZK7AVlBOqkoI3X3Ji3yviLlsr2ET7
+QrVKFQBq7eUhwYFo6mVemEqQb61tGirq+qL4Wfk/7+FffZPsUyLX1amfjLQabW9v
+biA8bW9vbi5zdHJvbmdzd2FuLm9yZz4=
+=YFQm
+-----END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.secrets b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..afb1ff927
--- /dev/null
+++ b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.asc
diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.conf b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..5dd8a8587
--- /dev/null
+++ b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	nocrsend=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+	
+conn net-net
+	left=PH_IP_SUN
+	leftsubnet=10.2.0.0/16
+	leftcert=sunCert.asc
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightcert=moonCert.asc
+	auto=add
diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc
new file mode 100644
index 000000000..135cfaec0
--- /dev/null
+++ b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc
@@ -0,0 +1,15 @@
+Type Bits/KeyID    Date       User ID
+pub  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
+RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
+tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
+vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
+f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
+t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
+=oaBj
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc
new file mode 100644
index 000000000..32f204b10
--- /dev/null
+++ b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc
@@ -0,0 +1,15 @@
+Type Bits/KeyID    Date       User ID
+pub  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
+rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
+I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
+tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
+A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
+0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
+lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
+=lLvB
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc
new file mode 100644
index 000000000..de2393649
--- /dev/null
+++ b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc
@@ -0,0 +1,19 @@
+Type Bits/KeyID    Date       User ID
+sec  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
+
+-----BEGIN PGP SECRET KEY BLOCK-----
+Version: 2.6.3i
+
+lQHYA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
+rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
+I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
+AAP8DHxBOQ7UeiO6cutdGSLfy6nxGf/eRR8d3dNLFKpRfy9IQxPN/yQHb8pzSQUI
+Pqi3V4PcJUJQJIMNqzzgyTyey/OdTc+IFngywRGKQowyD7vY+urVbcEDHe+sRTL1
+GvrsQGMZoXNDimABHn5NbT6Pc06xQ9rNvpCSyHMyzcylpk0CANqf96aEaryGJozg
+vSN5GlS77rPJ9Y9mU2EJs1+0BlMcb7Sy4HN2RRc/V56ZmlW2m3UbGwPqG8R9XQQ2
+LO03bTcCAPiJbTcRdA/YnZExbZPgEnV5nq8tVXTc7bz1Sw7ZWRef0iZyIQEXbwLn
+2Z2EJik9bQpkcVJSBV17cH7Av/VdIosCAKJPVoBETiVzWejIpGHHqbnmZC8P9rUs
+xAXZbNukbL3YElLeopNMyddTi6kf45/m0sb7fr7rzW/OJ7WP8mDrGPec4rQYc3Vu
+IDxzdW4uc3Ryb25nc3dhbi5vcmc+
+=DwEu
+-----END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.secrets b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..ee98b1611
--- /dev/null
+++ b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA sunKey.asc
diff --git a/testing/tests/net2net-pgp/posttest.dat b/testing/tests/net2net-pgp/posttest.dat
new file mode 100644
index 000000000..80e765dfc
--- /dev/null
+++ b/testing/tests/net2net-pgp/posttest.dat
@@ -0,0 +1,10 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/certs/*
+moon::rm /etc/ipsec.d/private/*
+sun::rm /etc/ipsec.d/certs/*
+sun::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/net2net-pgp/pretest.dat b/testing/tests/net2net-pgp/pretest.dat
new file mode 100644
index 000000000..9e40684ab
--- /dev/null
+++ b/testing/tests/net2net-pgp/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/net2net-pgp/test.conf b/testing/tests/net2net-pgp/test.conf
new file mode 100644
index 000000000..f74d0f7d6
--- /dev/null
+++ b/testing/tests/net2net-pgp/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/net2net-psk-fail/description.txt b/testing/tests/net2net-psk-fail/description.txt
new file mode 100644
index 000000000..5a794bd17
--- /dev/null
+++ b/testing/tests/net2net-psk-fail/description.txt
@@ -0,0 +1,7 @@
+An IPsec tunnel connecting the subnets behind the gateways <b>moon</b> and 
+<b>sun</b> is set up. The authentication is based on <b>Preshared Keys</b>
+(PSK). Unfortunately the secret keys of <b>moon</b> and <b>sun</b> do not
+match, so that the responder cannot decrypt ISAKMP message MI3. The resulting
+encrypted notification message cannot in turn be read by the initiator
+<b>moon</b>. In order to avoid a <b>notify-war</b>, any further generation of
+PAYLOAD_MALFORMED messages is suppressed.
diff --git a/testing/tests/net2net-psk-fail/evaltest.dat b/testing/tests/net2net-psk-fail/evaltest.dat
new file mode 100644
index 000000000..7f7cb9726
--- /dev/null
+++ b/testing/tests/net2net-psk-fail/evaltest.dat
@@ -0,0 +1,6 @@
+moon::cat /var/log/auth.log::malformed payload in packet::YES
+sun::cat /var/log/auth.log::probable authentication failure.*mismatch of preshared secrets.*malformed payload in packet::YES
+sun::cat /var/log/auth.log::sending encrypted notification PAYLOAD_MALFORMED::YES
+moon::ipsec status::net-net.*STATE_MAIN_I4.*ISAKMP SA established::NO
+sun::ipsec status::net-net.*STATE_MAIN_R3.*ISAKMP SA established::NO
+
diff --git a/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..87396e455
--- /dev/null
+++ b/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=secret
+	leftnexthop=%direct
+	
+conn net-net
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightid=@sun.strongswan.org
+	auto=add
diff --git a/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..be95c4d99
--- /dev/null
+++ b/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+
+
+
diff --git a/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..7e102b25c
--- /dev/null
+++ b/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=secret
+	leftnexthop=%direct
+	
+conn net-net
+	left=PH_IP_SUN
+	leftsubnet=10.2.0.0/16
+	leftid=@sun.strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.secrets b/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..b53577e1d
--- /dev/null
+++ b/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon.strongswan.org @sun.strongswan.org : PSK 0sZNbttZkdViYmLWprfhiZBtDjJbNAMHil
+
+
+
+
diff --git a/testing/tests/net2net-psk-fail/posttest.dat b/testing/tests/net2net-psk-fail/posttest.dat
new file mode 100644
index 000000000..dff181797
--- /dev/null
+++ b/testing/tests/net2net-psk-fail/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+sun::ipsec stop
diff --git a/testing/tests/net2net-psk-fail/pretest.dat b/testing/tests/net2net-psk-fail/pretest.dat
new file mode 100644
index 000000000..aa8e332e0
--- /dev/null
+++ b/testing/tests/net2net-psk-fail/pretest.dat
@@ -0,0 +1,6 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/net2net-psk-fail/test.conf b/testing/tests/net2net-psk-fail/test.conf
new file mode 100644
index 000000000..f6e064e7d
--- /dev/null
+++ b/testing/tests/net2net-psk-fail/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/net2net-psk/description.txt b/testing/tests/net2net-psk/description.txt
new file mode 100644
index 000000000..02cddbb83
--- /dev/null
+++ b/testing/tests/net2net-psk/description.txt
@@ -0,0 +1,6 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>Preshared Keys</b> (PSK). Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/net2net-psk/evaltest.dat b/testing/tests/net2net-psk/evaltest.dat
new file mode 100644
index 000000000..7cbf92687
--- /dev/null
+++ b/testing/tests/net2net-psk/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/net2net-psk/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..51c53a505
--- /dev/null
+++ b/testing/tests/net2net-psk/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=secret
+	leftnexthop=%direct
+	
+conn net-net
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightid=@sun.strongswan.org
+	auto=add
diff --git a/testing/tests/net2net-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/net2net-psk/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..be95c4d99
--- /dev/null
+++ b/testing/tests/net2net-psk/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+
+
+
diff --git a/testing/tests/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/net2net-psk/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..9c3695178
--- /dev/null
+++ b/testing/tests/net2net-psk/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=secret
+	leftnexthop=%direct
+	
+conn net-net
+	left=PH_IP_SUN
+	leftsubnet=10.2.0.0/16
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/net2net-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/net2net-psk/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..be95c4d99
--- /dev/null
+++ b/testing/tests/net2net-psk/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+
+
+
diff --git a/testing/tests/net2net-psk/posttest.dat b/testing/tests/net2net-psk/posttest.dat
new file mode 100644
index 000000000..52979508d
--- /dev/null
+++ b/testing/tests/net2net-psk/posttest.dat
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/net2net-psk/pretest.dat b/testing/tests/net2net-psk/pretest.dat
new file mode 100644
index 000000000..9e40684ab
--- /dev/null
+++ b/testing/tests/net2net-psk/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/net2net-psk/test.conf b/testing/tests/net2net-psk/test.conf
new file mode 100644
index 000000000..f74d0f7d6
--- /dev/null
+++ b/testing/tests/net2net-psk/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/net2net-route/description.txt b/testing/tests/net2net-route/description.txt
new file mode 100644
index 000000000..323f09555
--- /dev/null
+++ b/testing/tests/net2net-route/description.txt
@@ -0,0 +1,9 @@
+A tunnel that will connect the subnets behind the gateways <b>moon</b>
+and <b>sun</b>, respectively, is preconfigured by installing a %trap eroute
+on gateway <b>moon</b> by means of the setting <b>auto=route</b> in ipsec.conf.
+A subsequent ping issued by client <b>alice</b> behind gateway <b>moon</b> to
+<b>bob</b> located behind gateway <b>sun</b> triggers the %trap eroute and
+leads to the automatic establishment of the subnet-to-subnet tunnel.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
+that let pass the tunneled traffic.
diff --git a/testing/tests/net2net-route/evaltest.dat b/testing/tests/net2net-route/evaltest.dat
new file mode 100644
index 000000000..38d589e5a
--- /dev/null
+++ b/testing/tests/net2net-route/evaltest.dat
@@ -0,0 +1,6 @@
+moon::cat /var/log/auth.log::initiate on demand from PH_IP_ALICE::YES
+moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/net2net-route/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..4063ae05f
--- /dev/null
+++ b/testing/tests/net2net-route/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+
+conn net-net
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightid=@sun.strongswan.org
+	auto=route
diff --git a/testing/tests/net2net-route/posttest.dat b/testing/tests/net2net-route/posttest.dat
new file mode 100644
index 000000000..52979508d
--- /dev/null
+++ b/testing/tests/net2net-route/posttest.dat
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/net2net-route/pretest.dat b/testing/tests/net2net-route/pretest.dat
new file mode 100644
index 000000000..2eef7de19
--- /dev/null
+++ b/testing/tests/net2net-route/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2 
+alice::ping -c 10 PH_IP_BOB
diff --git a/testing/tests/net2net-route/test.conf b/testing/tests/net2net-route/test.conf
new file mode 100644
index 000000000..d9a61590f
--- /dev/null
+++ b/testing/tests/net2net-route/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/net2net-rsa/description.txt b/testing/tests/net2net-rsa/description.txt
new file mode 100644
index 000000000..a23fae8c3
--- /dev/null
+++ b/testing/tests/net2net-rsa/description.txt
@@ -0,0 +1,6 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>raw RSA keys</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/net2net-rsa/evaltest.dat b/testing/tests/net2net-rsa/evaltest.dat
new file mode 100644
index 000000000..7cbf92687
--- /dev/null
+++ b/testing/tests/net2net-rsa/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..772762321
--- /dev/null
+++ b/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+	
+conn net-net
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightid=@sun.strongswan.org
+	rightrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
+	auto=add
diff --git a/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..9859ae8ed
--- /dev/null
+++ b/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,17 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA	{
+	# RSA 2048 bits   moon.strongswan.org   Wed Dec  8 21:41:27 2004
+	# for signatures only, UNSAFE FOR ENCRYPTION
+	#pubkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
+	Modulus: 0x7e9a4784085e419bb5e70e49247e6827cbf4d99dd4e43755f3159581ee726ba0cddc4e4df332d7523d7f2163d190c551964ac99406aee6180e50c77f49a51369cb3c56ef045c31bc2a0eab86d4f45f6e52f35758b175738648b50d697a27a8323f8797c292a4ee66d2db138ab73dfe0f990030cd6556693650d605d7a94a8a94deb6d7c1e6daf6ef35113f0811ee14c99a0b3d758dc92f68fbdca812d9cd14f1f5bfcc8bea83eb14fb93d4696079ad686089f7979dd5b63a49991aa601d6bbcf3fdcce9bc42cc3d0a380de815bc25907905c9a196141dbe7dcecbe817d8ab4c2bfddf38b5074ec449f70702d3ad52a8efee80c43acc8b423e6e50f69ddf5cc63
+	PublicExponent: 0x03
+	# everything after this point is secret
+	PrivateExponent: 0x1519b69601650aef48fbd7b6db6a66b14ca8ceefa37b5e8e532e4395a7bdbc9accfa0d0cfdddce8db4ea8590a2ed763843b72198abc7d1040262cbea8c462de6f734b927d60f5d9f5c57c741237e0fe7b87de3e41d9393410c1e2ce6e9b146b30a96994b1870d2667879d8971e8a5502998008223b8e66de62ce564e9c37171893a0e8a94749590fef394b9deda1e73937b1c664d2e4764ae49572771130a097024380c258fa25f9083eefc5eabe762d8e856237bdd8ad8217f899688f70ac1f37650dc08bf3748b74a4f30873842fe27bdfbc49d0cb14c3861ff18b1219153ddb69e5bcb09ff691473a856e63e23d2f36389959f804e82b13a547decc7d6df7
+	Prime1: 0xc11b8705063c662ee0a168b904bbd9c514025360c75e43e7c60c3c17846ede31bba328dfaf8abf513175f312a4263645db0f0797ca7f36d04f996680772264a63c1f76a2a2fe250aa0ca8e96122438bdd5b327e925742047f2b7d0fe3fa6ea07a10cd9a40f8994a95af505116131584c5fc247a7d69df08bfac1b5a23b7c157f
+	Prime2: 0xa7d5dcc534e67a60b918109b7b66cfad37de43b7d51025bfda4fbd30ee3a73362c879f1e251c47ed98a442b33bdcb2112e5aa2b160426e5d6a2c1bb22e104e6db75f0575d979e38146d89db8948500fad36b0875570b3f0ac5754440d14d4b47fa55b77b1d2b9033991c4a858256632759d22c80060d52957643aa8ed789231d
+	Exponent1: 0x80bd04ae0428441f406b9b260327e68362ac3795da3ed7efd95d7d6502f4942127c21b3fca5c7f8b764ea20c6d6eced93cb4afba86ff79e03510ef004f6c43197d6a4f17175418b1c08709b9616d7b2939221a9b6e4d6adaa1cfe0a97fc49c05160891180a5bb870e74e0360eb763add952c2fc539bea05d51d67916d252b8ff
+	Exponent2: 0x6fe3e8837899a6eb26100b1252448a737a942d2538b56e7fe6dfd375f426f779730514bec3682ff3bb182c777d3dcc0b743c6c76402c49939c1d67cc1eb5899e7a3f58f93ba697ab84906925b858ab51e2475af8e4b22a072e4e2d808b88dcdaa6e3cfa768c7b577bb6831ae56e4421a3be173000408e1b8f98271b48fb0c213
+	Coefficient: 0x0a9ea0e995d8d635ac37b5d5f1121ecd4d6387262ea65ea969499ec4c7af9d7a79b256654bda5c972b6efaf5aba35d6790ce4db39258930488ddb2443d19c344312380bed3290f29f0ff5b0ce382622c849f3279f653a2b7c4cc8efbfc5098852fe39aee9da947e53ddfe58bb6b7bb02b693a1b1228dc0481b681d51865d0339
+	}
+# do not change the indenting of that "}"
diff --git a/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..9626ef168
--- /dev/null
+++ b/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+	
+conn net-net
+	left=PH_IP_SUN
+	leftsubnet=10.2.0.0/16
+	leftid=@sun.strongswan.org
+	leftrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
+	auto=add
diff --git a/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.secrets b/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..bf976a8d3
--- /dev/null
+++ b/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,17 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA	{
+	# RSA 2048 bits   sun.strongswan.org   Wed Dec  8 21:44:27 2004
+	# for signatures only, UNSAFE FOR ENCRYPTION
+	#pubkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
+	Modulus: 0xa24ae47d7bf58c6453b12b721d68504e4f60c6a0e6c50c95117a3a8b723329998db255b03d2e973e00418ac6a8dbdfb586eac568ddf0420c138086098cc3db346fa0d349e5da210968a96d4cf080bec5ed5f4fe17406c5b5b6d6843745931791fe27e6b8fdaad88381f2880fac8e8a876a09c254f335e519b99a49a0f75dd79920a0b647a70f8594abe35f3cbb8e72082a4e31c0028183d1da2cc116b7b1e6f2a8740d01bdf63d75bd79c2a2f44c5c3eb76be61479b8d5d13181ae981b68c5c13ac44bc233fb0f44ad616f2ca78b17399df310e5899be26742528b5419a0b22836b8a45e7cb1880feb1a5dfc75cc5c67513fe2b1a80e2c7deb38ea0a7c52e253
+	PublicExponent: 0x03
+	# everything after this point is secret
+	PrivateExponent: 0x04eaff2a9726789e3114e24946b595d3d3dc250ca22500619bae5edd701110c697b0121c9d01696e7c21043490c0d83bcdc90dbd5c0f09c24e2aaeba78a1162860793cb4a9dfd274a614a638a27081e6f7ad8e0e96e8eeb7ee448fa49580941bb25e4ccf4d814c611373f49ba061690bdc6ce6dbc94f357ce69811bf0f40e780b643cbe7e076031f234e842b41bc10fb2d359617c64b434cb3dd4d9add91dcbcaef9fba1fb6f217a8ad65bde553bd2792c939ea8b5c0591598e7291597609a779a088e36c1ebe15ebb5e9a7774d9d9cd90913030b88e215f9e66fe0daafb198a3bb9d4e6277b625460ede2d84ce7f3334bf641829c826dbc1549625377c517db
+	Prime1: 0xfee3308b1f16875eeb4ca7ba6a9b8f9279eceff06531aae2bb50d2ccbf7f2b0901f2c5e046856c54c338f4b79943f8ad6d20a97fe0a48786cd659aff3f55e3a8c4c09cad526975180d1c2905ba028b58dd05a71d3a268153fae62eb5e9fe9184b20f9fbd626b14054c4acd7e2de69934d91cbf239c7a63c9d2721cd466df26eb
+	Prime2: 0xa3003cd898c297323377adeed7b4b214dc78e8bf0d9c2c0bef54ed53686547971847d7400e1d8055149ef6425e5241f28b43c8d52b48d281ae4fc7d0589ef8ad9ae95a05e2298cf679135cc0dd7378611e363380852313bfdc259cdb2543d5d1d1b492f6035ec72a2025529c5dff6995ad64b1b7dec3a3755a512073a50ba839
+	Exponent1: 0xa9eccb076a0f04e9f2331a7c47125fb6fbf34aa0437671ec7ce08c887faa1cb0abf72e958458f2e32cd0a32510d7fb1e48c070ffeb185a59de43bcaa2a394270832b131e36f0f8bab3681b5926ac5ce5e8ae6f68d16f00e2a7441f23f1546103215fbfd396f20d58dd8733a973ef10cde6132a17bda6ed3136f6bde2ef3f6f47
+	Exponent2: 0x6caad33b1081ba2177a51e9f3a7876b892fb45d4b3bd72b29f8df38cf043850f65853a2ab413aae36314a42c3ee1814c5cd7db38c785e1abc98a85359069fb1e67463c03ec1bb34efb623dd5e8f7a59614242255ae17627fe819133cc3828e8be1230ca4023f2f716ac38c683eaa4663c8edcbcfe9d7c24e3c3615a26e07c57b
+	Coefficient: 0xbf865c3ed94693c7f16e04fd73929d7b4a3a296d6113eb9b01e87d5cf3be71afa2f838a5a82a97b55e8309025214312edefd3b77c989054bf28ec81bf3989d698671cb64eac9f016cc136f6ab78ce4d5d3837198eea5ec8ed057ba8e0e6f240a60202171f65be992d7bcd54ee0f803e5bd6b8385223b55440e095b28f01bbd0a
+	}
+# do not change the indenting of that "}"
diff --git a/testing/tests/net2net-rsa/posttest.dat b/testing/tests/net2net-rsa/posttest.dat
new file mode 100644
index 000000000..52979508d
--- /dev/null
+++ b/testing/tests/net2net-rsa/posttest.dat
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/net2net-rsa/pretest.dat b/testing/tests/net2net-rsa/pretest.dat
new file mode 100644
index 000000000..9e40684ab
--- /dev/null
+++ b/testing/tests/net2net-rsa/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/net2net-rsa/test.conf b/testing/tests/net2net-rsa/test.conf
new file mode 100644
index 000000000..f74d0f7d6
--- /dev/null
+++ b/testing/tests/net2net-rsa/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/net2net-start/description.txt b/testing/tests/net2net-start/description.txt
new file mode 100644
index 000000000..f5320685e
--- /dev/null
+++ b/testing/tests/net2net-start/description.txt
@@ -0,0 +1,8 @@
+A tunnel connecting the subnets behind the gateways <b>moon</b> and <b>sun</b>,
+respectively, is automatically established by means of the setting
+<b>auto=start</b> in ipsec.conf. The connection is tested by client <b>alice</b>
+behind gateway <b>moon</b> pinging the client <b>bob</b> located behind
+gateway <b>sun</b>.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
+that let pass the tunneled traffic.
diff --git a/testing/tests/net2net-start/evaltest.dat b/testing/tests/net2net-start/evaltest.dat
new file mode 100644
index 000000000..7cbf92687
--- /dev/null
+++ b/testing/tests/net2net-start/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/net2net-start/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..677955bc1
--- /dev/null
+++ b/testing/tests/net2net-start/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	leftnexthop=%direct
+
+conn net-net
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightid=@sun.strongswan.org
+	auto=start
diff --git a/testing/tests/net2net-start/posttest.dat b/testing/tests/net2net-start/posttest.dat
new file mode 100644
index 000000000..52979508d
--- /dev/null
+++ b/testing/tests/net2net-start/posttest.dat
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+sun::iptables -v -n -L
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/net2net-start/pretest.dat b/testing/tests/net2net-start/pretest.dat
new file mode 100644
index 000000000..ed8f39316
--- /dev/null
+++ b/testing/tests/net2net-start/pretest.dat
@@ -0,0 +1,5 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+alice::sleep 12
diff --git a/testing/tests/net2net-start/test.conf b/testing/tests/net2net-start/test.conf
new file mode 100644
index 000000000..d9a61590f
--- /dev/null
+++ b/testing/tests/net2net-start/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/no-priv-key/description.txt b/testing/tests/no-priv-key/description.txt
new file mode 100644
index 000000000..21b8eccb1
--- /dev/null
+++ b/testing/tests/no-priv-key/description.txt
@@ -0,0 +1,4 @@
+This scenario tests whether the correct encrypted informational messages are
+generated by the initiator <b>carol</b> and subsequently decoded by the
+responder <b>moon</b> when roadwarrior <b>carol</b> finds out that she
+doesn't have a private RSA key to sign her hash with.
diff --git a/testing/tests/no-priv-key/evaltest.dat b/testing/tests/no-priv-key/evaltest.dat
new file mode 100644
index 000000000..9bd85ba12
--- /dev/null
+++ b/testing/tests/no-priv-key/evaltest.dat
@@ -0,0 +1,4 @@
+carol::cat /var/log/auth.log::unable to locate my private key for RSA Signature::YES
+moon::cat /var/log/auth.log::ignoring informational payload, type AUTHENTICATION_FAILED::YES
+moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
+carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
diff --git a/testing/tests/no-priv-key/hosts/carol/etc/ipsec.secrets b/testing/tests/no-priv-key/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..23b311aa6
--- /dev/null
+++ b/testing/tests/no-priv-key/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# missing private RSA key
diff --git a/testing/tests/no-priv-key/posttest.dat b/testing/tests/no-priv-key/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/no-priv-key/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/no-priv-key/pretest.dat b/testing/tests/no-priv-key/pretest.dat
new file mode 100644
index 000000000..d92333d86
--- /dev/null
+++ b/testing/tests/no-priv-key/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/no-priv-key/test.conf b/testing/tests/no-priv-key/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/no-priv-key/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ocsp-revoked/description.txt b/testing/tests/ocsp-revoked/description.txt
new file mode 100644
index 000000000..cbdd1305a
--- /dev/null
+++ b/testing/tests/ocsp-revoked/description.txt
@@ -0,0 +1,7 @@
+By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
+the connection and no current revocation information is available, the Main Mode
+negotiation fails but an OCSP request issued to the OCSP server <b>winnetou</b>.
+When the second Main Mode trial comes around the OCSP response will be available
+but because the certificate presented by carol has been revoked,
+the IKE negotatiation will fail..
diff --git a/testing/tests/ocsp-revoked/evaltest.dat b/testing/tests/ocsp-revoked/evaltest.dat
new file mode 100644
index 000000000..f5286cb61
--- /dev/null
+++ b/testing/tests/ocsp-revoked/evaltest.dat
@@ -0,0 +1,6 @@
+moon::cat /var/log/auth.log::X.509 certificate rejected::YES
+moon::cat /var/log/auth.log::certificate was revoked::YES
+carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+moon::ipsec listocsp:: revoked::YES
+moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
+carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
diff --git a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..7d4384767
--- /dev/null
+++ b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=yes
+
+ca strongswan
+	cacert=strongswanCert.pem
+	ocspuri=http://ocsp.strongswan.org:8880
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolRevokedCert.pem
+	leftid=carol@strongswan.org
+
+conn home
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
new file mode 100644
index 000000000..5b742fc9e
--- /dev/null
+++ b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV
+mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo
+5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv
+VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN
+IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5
+K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9
+OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB
+56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM
+2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q
+O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL
+LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3
+wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N
+9IcgYi5x
+-----END CERTIFICATE-----
diff --git a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
new file mode 100644
index 000000000..8aefcc5a6
--- /dev/null
+++ b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAznjXerUHYQXeylxgPW7Rx70C0gd3GZTf7UTSGpWYuqkhC3Kn
+hItutG6fGmhVS4SkdZeAtvcL+WOOUoIxZaaHDjCNrWsFOMw0ks+PoGjlCfg566qb
+v+Qsc8Zu95Aa1xKwkKTqIuoVNurTCyOLk6CruSaNaBC/SczaOmh8cu9U4C1ZVKP7
+HZvc4d2X9amBOBPDUceNijv806QBF1Nxnb/DHEzfPUBun2LKVzjkYs0gv87MeRPx
+vml2iR0y9WKPPwiyWSR7AlhetVBoI0xmD/J2Vc44AQrPRiqe9dBpizkr6zxe9DZE
+UKvmg7R9FPZVuIj1OAedtyd9SLbmIeXq3GxeDQIDAQABAoIBAAUdyXko8z3cP2EU
+WO4syNYCQQejV7gykDn48pvmCRrXBhKajLwkGGIwO5ET9MkiSFEBqBbgmFNdvDEf
+OMokDkSzv08Ez+RQax0YN57p+oL8u7KzT5i5tsBHsog/8epSdD2hWIv08QGjYAdu
+og7OdHLqGabyg0r44I+B91OBysCjU51rDdkhz59AmURdEIJV5xhuGojFM68jaNm2
+MUxDfDuCsRIydjAP0VTUTAUxD4/S5I+jt/GK9aRsEeRH9Q3011iTGMR9viAUBhq/
+khkWNltg9lkOqO7LpnNku4sSv3v4CWge7/T+4RR2vZgv1oSs4ox2UKYoqIqiYIfx
+uUcnqQECgYEA+LPiRMoXvlssQWlaFc2k4xga0efs+mWeLglDdc3R3fBEibP/AU07
+a576AgvUJtkI50/WNGKT73O+VtxcXn/N646m/8OtqNXuVKKjsxxNOZEKdO8aOdbt
+7lM5WepNiQeaKAFudUxpUiZQx8LCKSsNDiJZKWBu6xAG2O5X32VMZvUCgYEA1Ie+
+rNa490PSC1ym7WbmdAjvGmSOn2GOBfO7BECsPZstccU7D5pZl/89fTfn1TDKP49Y
+ScVOuFz7f/u6UJpb/WzI71RXEQOdojLWmF2HDx5osRi3hXEJa20fbPq6DQXCJ8pf
+IF37AEqAY4UNSNic0Cw+rGHdWPQhDNXhFWpdu7kCgYEAmv4oNmyoDXbuhrlsbggi
+CXE9TbG3a3mm8dPOGf2yHBmf7R2i/6GtNW33Kw1KIwfBV77WpQEGZwWACsv8ONx3
+baUSiHTfpkfk5xQQ5w/tRMISfTuB4agD0jJFnLa7qXl2ZhY2S53aSVsdntDOhi+R
+TEy1umah2Za8Xbd0RgHwcn0CgYEAl9Hgg9dfikMIaNVm6W/4cCtxoojy2Sf3LIlP
+r1oDsH6JmBwsdJjuJ4ZNhoXJNqID2COuDgTEly7U+jf4gFvEGuT7JPw6tgy/Ln7i
+jTVCpaozX08oykpVUEhDirYQ8fyLFaGbEqQQCcUusej59G/IlW0F2F6QoFrEwUaH
+46R4EQECgYBEZ7edMkj3dmJH1wxQjp5GJNbrJkS8IKvzza0mDTJdz33CgEX9Oyva
+o2iEkDVpvj2SEy28ewt22IRptWKH/3bQfxSCcRV6JFNt3+LongMshRYqq1leqrKa
+9fnQVtfTIbIVXwjTZap6BL8R66OeFtexsSFRfDF/8P4n2oF4zmn4qA==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..8e31be4cb
--- /dev/null
+++ b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolRevokedKey.pem
diff --git a/testing/tests/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ocsp-revoked/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..7134b6ee9
--- /dev/null
+++ b/testing/tests/ocsp-revoked/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,40 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=yes
+
+ca strongswan
+	cacert=strongswanCert.pem
+	ocspuri=http://ocsp.strongswan.org:8880
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+
+conn net-net
+	leftsubnet=10.1.0.0/16
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightid=@sun.strongswan.org
+	auto=add
+        
+conn host-host
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	auto=add
+
+conn rw
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ocsp-revoked/posttest.dat b/testing/tests/ocsp-revoked/posttest.dat
new file mode 100644
index 000000000..d883459e7
--- /dev/null
+++ b/testing/tests/ocsp-revoked/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+winnetou::killall openssl
+carol::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ocsp-revoked/pretest.dat b/testing/tests/ocsp-revoked/pretest.dat
new file mode 100644
index 000000000..d5516fd3b
--- /dev/null
+++ b/testing/tests/ocsp-revoked/pretest.dat
@@ -0,0 +1,5 @@
+winnetou::/etc/openssl/start-ocsp
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ocsp-revoked/test.conf b/testing/tests/ocsp-revoked/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ocsp-revoked/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ocsp-strict/description.txt b/testing/tests/ocsp-strict/description.txt
new file mode 100644
index 000000000..7cb983140
--- /dev/null
+++ b/testing/tests/ocsp-strict/description.txt
@@ -0,0 +1,6 @@
+By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
+the connection and no current revocation information is available, the Main Mode
+negotiation fails but an OCSP request is issued to the OCSP server <b>winnetou</b>.
+When the second Main Mode trial comes around, the OCSP response will be available
+and the IKE negotiation completes.
diff --git a/testing/tests/ocsp-strict/evaltest.dat b/testing/tests/ocsp-strict/evaltest.dat
new file mode 100644
index 000000000..66b27aaac
--- /dev/null
+++ b/testing/tests/ocsp-strict/evaltest.dat
@@ -0,0 +1,8 @@
+moon::cat /var/log/auth.log::X.509 certificate rejected::YES
+carol::cat /var/log/auth.log::X.509 certificate rejected::YES
+moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec listocsp:: good::YES
+carol::ipsec listocsp:: good::YES
diff --git a/testing/tests/ocsp-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ocsp-strict/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..b34719401
--- /dev/null
+++ b/testing/tests/ocsp-strict/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=yes
+
+ca strongswan
+	cacert=strongswanCert.pem
+	ocspuri=http://ocsp.strongswan.org:8880
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+
+conn home
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ocsp-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ocsp-strict/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..7134b6ee9
--- /dev/null
+++ b/testing/tests/ocsp-strict/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,40 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=yes
+
+ca strongswan
+	cacert=strongswanCert.pem
+	ocspuri=http://ocsp.strongswan.org:8880
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+
+conn net-net
+	leftsubnet=10.1.0.0/16
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightid=@sun.strongswan.org
+	auto=add
+        
+conn host-host
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	auto=add
+
+conn rw
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ocsp-strict/posttest.dat b/testing/tests/ocsp-strict/posttest.dat
new file mode 100644
index 000000000..117f625f6
--- /dev/null
+++ b/testing/tests/ocsp-strict/posttest.dat
@@ -0,0 +1,3 @@
+moon::ipsec stop
+carol::ipsec stop
+winnetou::killall openssl
diff --git a/testing/tests/ocsp-strict/pretest.dat b/testing/tests/ocsp-strict/pretest.dat
new file mode 100644
index 000000000..d5516fd3b
--- /dev/null
+++ b/testing/tests/ocsp-strict/pretest.dat
@@ -0,0 +1,5 @@
+winnetou::/etc/openssl/start-ocsp
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ocsp-strict/test.conf b/testing/tests/ocsp-strict/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ocsp-strict/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/protoport-dual/description.txt b/testing/tests/protoport-dual/description.txt
new file mode 100644
index 000000000..7bed8b959
--- /dev/null
+++ b/testing/tests/protoport-dual/description.txt
@@ -0,0 +1,6 @@
+Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels 
+between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are
+defined. The first IPsec SA is restricted to ICMP packets and the second
+covers TCP-based SSH connections. The established tunnels are tested
+by <b>carol</b> by first pinging <b>alice</b> behind <b>moon</b> and
+then setting up an SSH session to the same client.
diff --git a/testing/tests/protoport-dual/evaltest.dat b/testing/tests/protoport-dual/evaltest.dat
new file mode 100644
index 000000000..625c8c54c
--- /dev/null
+++ b/testing/tests/protoport-dual/evaltest.dat
@@ -0,0 +1,7 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES
+carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/protoport-dual/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..9e05ecf61
--- /dev/null
+++ b/testing/tests/protoport-dual/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,31 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+	
+conn home-icmp
+	leftprotoport=icmp
+	rightprotoport=icmp
+
+conn home-ssh
+	leftprotoport=tcp
+	rightprotoport=tcp/ssh
diff --git a/testing/tests/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/protoport-dual/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..84b9b0ba3
--- /dev/null
+++ b/testing/tests/protoport-dual/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,31 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
+
+conn rw-icmp
+	lefthostaccess=yes
+	leftprotoport=icmp
+	rightprotoport=icmp
+
+conn rw-ssh
+	leftprotoport=tcp/ssh
+	rightprotoport=tcp
diff --git a/testing/tests/protoport-dual/posttest.dat b/testing/tests/protoport-dual/posttest.dat
new file mode 100644
index 000000000..26848212b
--- /dev/null
+++ b/testing/tests/protoport-dual/posttest.dat
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/protoport-dual/pretest.dat b/testing/tests/protoport-dual/pretest.dat
new file mode 100644
index 000000000..d3d0061c3
--- /dev/null
+++ b/testing/tests/protoport-dual/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home-icmp
+carol::ipsec up home-ssh
diff --git a/testing/tests/protoport-dual/test.conf b/testing/tests/protoport-dual/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/protoport-dual/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/protoport-pass/description.txt b/testing/tests/protoport-pass/description.txt
new file mode 100644
index 000000000..63744fa47
--- /dev/null
+++ b/testing/tests/protoport-pass/description.txt
@@ -0,0 +1,13 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+Using the <b>left|rightprotoport</b> selectors, the IPsec tunnel is
+restricted to the ICMP protocol. Upon the successful establishment of the
+IPsec tunnel, <b>firewall=yes</b> automatically inserts iptables-based
+firewall rules that let pass the tunneled ICMP traffic. In order to test
+both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind
+the gateway <b>moon</b> as well as the inner interface of the gateway.
+For the latter ping <b>lefthostaccess=yes</b> is required.
+<p>
+By default, the native IPsec stack of the Linux 2.6 kernel transmits
+protocols and ports not covered by any IPsec SA in the clear. Thus by
+selectively opening the firewalls, <b>carol</b> sets up an SSH session to
+<b>alice</b> that is not going through the tunnel.
diff --git a/testing/tests/protoport-pass/evaltest.dat b/testing/tests/protoport-pass/evaltest.dat
new file mode 100644
index 000000000..625c8c54c
--- /dev/null
+++ b/testing/tests/protoport-pass/evaltest.dat
@@ -0,0 +1,7 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES
+carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/protoport-pass/hosts/carol/etc/ipsec.conf b/testing/tests/protoport-pass/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..ade7308f6
--- /dev/null
+++ b/testing/tests/protoport-pass/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home-icmp
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+        leftid=carol@strongswan.org
+	leftcert=carolCert.pem
+	leftprotoport=icmp
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightprotoport=icmp
+        rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/protoport-pass/hosts/moon/etc/ipsec.conf b/testing/tests/protoport-pass/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..fd67e2b4b
--- /dev/null
+++ b/testing/tests/protoport-pass/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn rw-icmp
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftsubnet=10.1.0.0/16
+	leftprotoport=icmp
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftfirewall=yes
+	lefthostaccess=yes
+	right=%any
+	rightprotoport=icmp
+	auto=add
diff --git a/testing/tests/protoport-pass/posttest.dat b/testing/tests/protoport-pass/posttest.dat
new file mode 100644
index 000000000..26848212b
--- /dev/null
+++ b/testing/tests/protoport-pass/posttest.dat
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/protoport-pass/pretest.dat b/testing/tests/protoport-pass/pretest.dat
new file mode 100644
index 000000000..13b4ad4a0
--- /dev/null
+++ b/testing/tests/protoport-pass/pretest.dat
@@ -0,0 +1,10 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+moon::iptables -I FORWARD -i eth0 -p tcp -d 10.1.0.0/16 --dport ssh -jACCEPT
+moon::iptables -I FORWARD -o eth0 -p tcp -s 10.1.0.0/16 --sport ssh -jACCEPT
+carol::/etc/init.d/iptables start 2> /dev/null
+carol::iptables -I INPUT  -i eth0 -p tcp -s 10.1.0.0/16 --sport ssh -d PH_IP_CAROL -jACCEPT
+carol::iptables -I OUTPUT -o eth0 -p tcp -d 10.1.0.0/16 --dport ssh -s PH_IP_CAROL -jACCEPT
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home-icmp
diff --git a/testing/tests/protoport-pass/test.conf b/testing/tests/protoport-pass/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/protoport-pass/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/protoport-route/description.txt b/testing/tests/protoport-route/description.txt
new file mode 100644
index 000000000..ec7ec69b0
--- /dev/null
+++ b/testing/tests/protoport-route/description.txt
@@ -0,0 +1,8 @@
+Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels 
+between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are
+defined. The first IPsec SA is restricted to ICMP packets and the second
+covers TCP-based SSH connections. Using <b>add=route</b> %trap
+eroutes for these IPsec SAs are prepared on <b>carol</b>. By sending
+a ping to the client <b>alice</b> behind <b>moon</b>, the ICMP eroute
+is triggered and the corresponding IPsec tunnel is set up. In the same
+way an ssh session to <b>alice</b> over the second IPsec SA is established.
diff --git a/testing/tests/protoport-route/evaltest.dat b/testing/tests/protoport-route/evaltest.dat
new file mode 100644
index 000000000..8f3eb208f
--- /dev/null
+++ b/testing/tests/protoport-route/evaltest.dat
@@ -0,0 +1,8 @@
+carol::ping -c 2 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
+carol::ping -c 2 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq::YES
+carol::ssh PH_IP_ALICE hostname::alice::YES
+carol::cat /var/log/auth.log::initiate on demand::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/protoport-route/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..31c25c12f
--- /dev/null
+++ b/testing/tests/protoport-route/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,31 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=route
+	
+conn home-icmp
+	leftprotoport=icmp
+	rightprotoport=icmp
+
+conn home-ssh
+	leftprotoport=tcp
+	rightprotoport=tcp/ssh
diff --git a/testing/tests/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/protoport-route/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..84b9b0ba3
--- /dev/null
+++ b/testing/tests/protoport-route/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,31 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
+
+conn rw-icmp
+	lefthostaccess=yes
+	leftprotoport=icmp
+	rightprotoport=icmp
+
+conn rw-ssh
+	leftprotoport=tcp/ssh
+	rightprotoport=tcp
diff --git a/testing/tests/protoport-route/posttest.dat b/testing/tests/protoport-route/posttest.dat
new file mode 100644
index 000000000..26848212b
--- /dev/null
+++ b/testing/tests/protoport-route/posttest.dat
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/protoport-route/pretest.dat b/testing/tests/protoport-route/pretest.dat
new file mode 100644
index 000000000..f233ad48f
--- /dev/null
+++ b/testing/tests/protoport-route/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ssh PH_IP_ALICE hostname
diff --git a/testing/tests/protoport-route/test.conf b/testing/tests/protoport-route/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/protoport-route/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/req-pkcs10/description.txt b/testing/tests/req-pkcs10/description.txt
new file mode 100644
index 000000000..a958cb8e8
--- /dev/null
+++ b/testing/tests/req-pkcs10/description.txt
@@ -0,0 +1,11 @@
+Both the roadwarrior <b>carol</b> and the gateway <b>moon</b> generate a
+PKCS#1 RSA private key and a PKCS#10 certificate request using the 
+<b>ipsec scepclient</b> function. Because the UML testing environment
+does not offer enough entropy, the non-blocking /dev/urandom device is
+used in place of /dev/random for generating the random primes.
+<p>
+The certificate requests are copied to <b>winnetou</b> where a certification
+authority based on OpenSSL issues X.509 certificates by verifying and
+signing the PCKS#10 requests. The certificates are then copied back to
+the corresponding hosts and used to set up a road warrior connection
+initiated by <b>carol</b> 
diff --git a/testing/tests/req-pkcs10/evaltest.dat b/testing/tests/req-pkcs10/evaltest.dat
new file mode 100644
index 000000000..c7657801e
--- /dev/null
+++ b/testing/tests/req-pkcs10/evaltest.dat
@@ -0,0 +1,5 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.conf b/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..58e2f1e5b
--- /dev/null
+++ b/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=myCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.secrets b/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..167d743df
--- /dev/null
+++ b/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA myKey.der
diff --git a/testing/tests/req-pkcs10/hosts/carol/etc/scepclient.conf b/testing/tests/req-pkcs10/hosts/carol/etc/scepclient.conf
new file mode 100644
index 000000000..6afd3fa11
--- /dev/null
+++ b/testing/tests/req-pkcs10/hosts/carol/etc/scepclient.conf
@@ -0,0 +1,3 @@
+--debug-control
+--out pkcs1
+--out pkcs10
diff --git a/testing/tests/req-pkcs10/hosts/moon/etc/ipsec.secrets b/testing/tests/req-pkcs10/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..b9ec17dbc
--- /dev/null
+++ b/testing/tests/req-pkcs10/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.der
diff --git a/testing/tests/req-pkcs10/hosts/moon/etc/scepclient.conf b/testing/tests/req-pkcs10/hosts/moon/etc/scepclient.conf
new file mode 100644
index 000000000..da8177348
--- /dev/null
+++ b/testing/tests/req-pkcs10/hosts/moon/etc/scepclient.conf
@@ -0,0 +1,4 @@
+--debug-control
+--keylength 2064
+--out pkcs1=moonKey.der
+--out pkcs10=moonReq.der
diff --git a/testing/tests/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt b/testing/tests/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt
new file mode 100644
index 000000000..9b48ee4cf
--- /dev/null
+++ b/testing/tests/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt
@@ -0,0 +1,2 @@
+y
+y
diff --git a/testing/tests/req-pkcs10/posttest.dat b/testing/tests/req-pkcs10/posttest.dat
new file mode 100644
index 000000000..534e3af20
--- /dev/null
+++ b/testing/tests/req-pkcs10/posttest.dat
@@ -0,0 +1,13 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+carol::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/certs/*
+carol::rm /etc/ipsec.d/reqs/*
+moon::rm /etc/ipsec.d/private/*
+moon::rm /etc/ipsec.d/reqs/*
+winnetou::rm /etc/openssl/carol*
+winnetou::rm /etc/openssl/moon*
diff --git a/testing/tests/req-pkcs10/pretest.dat b/testing/tests/req-pkcs10/pretest.dat
new file mode 100644
index 000000000..18b8b16e6
--- /dev/null
+++ b/testing/tests/req-pkcs10/pretest.dat
@@ -0,0 +1,22 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+carol::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/certs/*
+carol::cat /etc/scepclient.conf
+carol::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, CN=carol@strongswan.org\" --optionsfrom /etc/scepclient.conf
+winnetou::scp carol:/etc/ipsec.d/reqs/myReq.der /etc/openssl/carolReq.der
+winnetou::openssl req -inform der -in /etc/openssl/carolReq.der -out /etc/openssl/carolReq.pem
+winnetou::cd /etc/openssl; COMMON_NAME="carol@strongswan.org" openssl ca -in carolReq.pem -out carolCert.pem -notext -config openssl.cnf -extensions user_ext < yy.txt
+winnetou::scp /etc/openssl/carolCert.pem carol:/etc/ipsec.d/certs/myCert.pem
+moon::rm /etc/ipsec.d/private/*
+moon::rm /etc/ipsec.d/certs/*
+moon::cat /etc/scepclient.conf
+moon::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, SN=01, CN=moon.strongswan.org\" --optionsfrom /etc/scepclient.conf
+winnetou::scp moon:/etc/ipsec.d/reqs/moonReq.der /etc/openssl/
+winnetou::openssl req -inform der -in /etc/openssl/moonReq.der -out /etc/openssl/moonReq.pem
+winnetou::cd /etc/openssl; COMMON_NAME="moon.strongswan.org" openssl ca -in moonReq.pem -out moonCert.pem -notext -config openssl.cnf -extensions host_ext < yy.txt
+winnetou::scp /etc/openssl/moonCert.pem moon:/etc/ipsec.d/certs/
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/req-pkcs10/test.conf b/testing/tests/req-pkcs10/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/req-pkcs10/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/rw-cert/description.txt b/testing/tests/rw-cert/description.txt
new file mode 100644
index 000000000..8df6b1c0d
--- /dev/null
+++ b/testing/tests/rw-cert/description.txt
@@ -0,0 +1,6 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The authentication is based on <b>X.509 certificates</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> pings the client
+<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/rw-cert/evaltest.dat b/testing/tests/rw-cert/evaltest.dat
new file mode 100644
index 000000000..c7657801e
--- /dev/null
+++ b/testing/tests/rw-cert/evaltest.dat
@@ -0,0 +1,5 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/rw-cert/posttest.dat b/testing/tests/rw-cert/posttest.dat
new file mode 100644
index 000000000..26848212b
--- /dev/null
+++ b/testing/tests/rw-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/rw-cert/pretest.dat b/testing/tests/rw-cert/pretest.dat
new file mode 100644
index 000000000..bd68efb0b
--- /dev/null
+++ b/testing/tests/rw-cert/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+moon::ipsec start
+sleep 2
+carol::ipsec up home
diff --git a/testing/tests/rw-cert/test.conf b/testing/tests/rw-cert/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/rw-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/rw-psk-fqdn-named/description.txt b/testing/tests/rw-psk-fqdn-named/description.txt
new file mode 100644
index 000000000..adfab2f4d
--- /dev/null
+++ b/testing/tests/rw-psk-fqdn-named/description.txt
@@ -0,0 +1,11 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is
+based on <b>Preshared Keys</b> (PSK) and <b>Fully Qualified Domain Names</b> (ID_FQDN). 
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
+tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b> behind
+the gateway <b>moon</b>.
+<p>
+The significant difference between this scenario and the test
+<a href="../rw-psk-fqdn"><b>rw-psk-fqdn</b></a>
+is the additional line <b>rightid=@carol.strongswan.org</b> by which gateway
+<b>moon</b> restricts the roadwarrior connection to host <b>carol</b>.
+</p>
diff --git a/testing/tests/rw-psk-fqdn-named/evaltest.dat b/testing/tests/rw-psk-fqdn-named/evaltest.dat
new file mode 100644
index 000000000..c7657801e
--- /dev/null
+++ b/testing/tests/rw-psk-fqdn-named/evaltest.dat
@@ -0,0 +1,5 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf b/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..da5e198a8
--- /dev/null
+++ b/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=secret
+	leftnexthop=%direct
+	
+conn home
+	left=PH_IP_CAROL
+	leftid=@carol.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets b/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..db3884e57
--- /dev/null
+++ b/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@carol.strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+
+
+
diff --git a/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf b/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..c32dfaf9b
--- /dev/null
+++ b/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=secret
+	leftnexthop=%direct
+	
+conn rw-carol 
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=%any
+	rightid=@carol.strongswan.org
+	auto=add
diff --git a/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets b/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..6281340ae
--- /dev/null
+++ b/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+
+
+
diff --git a/testing/tests/rw-psk-fqdn-named/posttest.dat b/testing/tests/rw-psk-fqdn-named/posttest.dat
new file mode 100644
index 000000000..26848212b
--- /dev/null
+++ b/testing/tests/rw-psk-fqdn-named/posttest.dat
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/rw-psk-fqdn-named/pretest.dat b/testing/tests/rw-psk-fqdn-named/pretest.dat
new file mode 100644
index 000000000..dbf03f552
--- /dev/null
+++ b/testing/tests/rw-psk-fqdn-named/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/rw-psk-fqdn-named/test.conf b/testing/tests/rw-psk-fqdn-named/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/rw-psk-fqdn-named/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/rw-psk-fqdn/description.txt b/testing/tests/rw-psk-fqdn/description.txt
new file mode 100644
index 000000000..d6c79afb2
--- /dev/null
+++ b/testing/tests/rw-psk-fqdn/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is
+based on <b>Preshared Keys</b> (PSK) and <b>Fully Qualified Domain Names</b> (ID_FQDN). 
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
+tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b> behind
+the gateway <b>moon</b>.
diff --git a/testing/tests/rw-psk-fqdn/evaltest.dat b/testing/tests/rw-psk-fqdn/evaltest.dat
new file mode 100644
index 000000000..c7657801e
--- /dev/null
+++ b/testing/tests/rw-psk-fqdn/evaltest.dat
@@ -0,0 +1,5 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..da5e198a8
--- /dev/null
+++ b/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=secret
+	leftnexthop=%direct
+	
+conn home
+	left=PH_IP_CAROL
+	leftid=@carol.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets b/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..db3884e57
--- /dev/null
+++ b/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@carol.strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+
+
+
diff --git a/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..9a894806c
--- /dev/null
+++ b/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=secret
+	leftnexthop=%direct
+	
+conn rw
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets b/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..6281340ae
--- /dev/null
+++ b/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+
+
+
diff --git a/testing/tests/rw-psk-fqdn/posttest.dat b/testing/tests/rw-psk-fqdn/posttest.dat
new file mode 100644
index 000000000..26848212b
--- /dev/null
+++ b/testing/tests/rw-psk-fqdn/posttest.dat
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/rw-psk-fqdn/pretest.dat b/testing/tests/rw-psk-fqdn/pretest.dat
new file mode 100644
index 000000000..dbf03f552
--- /dev/null
+++ b/testing/tests/rw-psk-fqdn/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/rw-psk-fqdn/test.conf b/testing/tests/rw-psk-fqdn/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/rw-psk-fqdn/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/rw-psk-ipv4/description.txt b/testing/tests/rw-psk-ipv4/description.txt
new file mode 100644
index 000000000..b3a0bc192
--- /dev/null
+++ b/testing/tests/rw-psk-ipv4/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is
+based on <b>Preshared Keys</b> (PSK) and <b>IPv4 addresses</b> (ID_IPV4_ADDR).
+<b>firewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b>
+behind the gateway <b>moon</b>.
diff --git a/testing/tests/rw-psk-ipv4/evaltest.dat b/testing/tests/rw-psk-ipv4/evaltest.dat
new file mode 100644
index 000000000..c7657801e
--- /dev/null
+++ b/testing/tests/rw-psk-ipv4/evaltest.dat
@@ -0,0 +1,5 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..2c0227b7a
--- /dev/null
+++ b/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=secret
+	leftnexthop=%direct
+	
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets b/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..69313b289
--- /dev/null
+++ b/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+PH_IP_CAROL PH_IP_MOON : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+
+
+
diff --git a/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a75d4e222
--- /dev/null
+++ b/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=secret
+	leftnexthop=%direct
+	
+conn rw
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets b/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..a8e367950
--- /dev/null
+++ b/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+
+
+
diff --git a/testing/tests/rw-psk-ipv4/posttest.dat b/testing/tests/rw-psk-ipv4/posttest.dat
new file mode 100644
index 000000000..26848212b
--- /dev/null
+++ b/testing/tests/rw-psk-ipv4/posttest.dat
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/rw-psk-ipv4/pretest.dat b/testing/tests/rw-psk-ipv4/pretest.dat
new file mode 100644
index 000000000..dbf03f552
--- /dev/null
+++ b/testing/tests/rw-psk-ipv4/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/rw-psk-ipv4/test.conf b/testing/tests/rw-psk-ipv4/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/rw-psk-ipv4/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/rw-psk-no-policy/description.txt b/testing/tests/rw-psk-no-policy/description.txt
new file mode 100644
index 000000000..0e359414f
--- /dev/null
+++ b/testing/tests/rw-psk-no-policy/description.txt
@@ -0,0 +1,3 @@
+The roadwarrior <b>carol</b> wants to set up a connection to gateway <b>moon</b> using
+<b>PSK</b>-based authentication. Since <b>moon</b> supports <b>RSASIG</b>-based
+authentication only, the connection setup fails.
diff --git a/testing/tests/rw-psk-no-policy/evaltest.dat b/testing/tests/rw-psk-no-policy/evaltest.dat
new file mode 100644
index 000000000..a28377dbd
--- /dev/null
+++ b/testing/tests/rw-psk-no-policy/evaltest.dat
@@ -0,0 +1,5 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
+moon::cat /var/log/auth.log::peer requests PSK authentication::YES
+moon::cat /var/log/auth.log::but no connection has been authorized with policy=PSK::YES
+moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO
+
diff --git a/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.conf b/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..413eff762
--- /dev/null
+++ b/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	
+conn home
+	authby=secret
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets b/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..1b721dc58
--- /dev/null
+++ b/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+
+
+
diff --git a/testing/tests/rw-psk-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..ac63abdc9
--- /dev/null
+++ b/testing/tests/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn rw
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/rw-psk-no-policy/posttest.dat b/testing/tests/rw-psk-no-policy/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/rw-psk-no-policy/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/rw-psk-no-policy/pretest.dat b/testing/tests/rw-psk-no-policy/pretest.dat
new file mode 100644
index 000000000..3a7804ddd
--- /dev/null
+++ b/testing/tests/rw-psk-no-policy/pretest.dat
@@ -0,0 +1,5 @@
+carol::rm /etc/ipsec.d/cacerts/*
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/rw-psk-no-policy/test.conf b/testing/tests/rw-psk-no-policy/test.conf
new file mode 100644
index 000000000..f622c18b7
--- /dev/null
+++ b/testing/tests/rw-psk-no-policy/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/rw-psk-rsa-mixed/description.txt b/testing/tests/rw-psk-rsa-mixed/description.txt
new file mode 100644
index 000000000..b99a8e5b3
--- /dev/null
+++ b/testing/tests/rw-psk-rsa-mixed/description.txt
@@ -0,0 +1,5 @@
+The roadwarriors <b>carol</b> and <b>dave</b> each set up a connection to gateway <b>moon</b>.
+<b>carol</b>'s authentication is based on a Pre-Shared Key (<b>PSK</b>) whereas <b>dave</b>'s
+is based on an RSA signature (<b>RSASIG</b>). Gateway <b>moon</b> supports both authentication modes
+and automatically selects the correct roadwarrior connection definition based on policy
+information gained from pre-parsing the peers' ISAKMP proposal payload. 
diff --git a/testing/tests/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/rw-psk-rsa-mixed/evaltest.dat
new file mode 100644
index 000000000..9e1354121
--- /dev/null
+++ b/testing/tests/rw-psk-rsa-mixed/evaltest.dat
@@ -0,0 +1,7 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::peer requests PSK authentication::YES
+moon::ipsec status::rw-psk.*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::peer requests RSASIG authentication::YES
+moon::ipsec status::rw-rsasig.*PH_IP_DAVE STATE_QUICK_R2.*IPsec SA established::YES
+
diff --git a/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..69e13b538
--- /dev/null
+++ b/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=aes128,serpent128,twofish128,3des
+	
+conn home
+	authby=secret
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets b/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..1b721dc58
--- /dev/null
+++ b/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+
+
+
diff --git a/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..b23248b5b
--- /dev/null
+++ b/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	
+conn rw-rsasig
+	authby=rsasig
+	leftcert=moonCert.pem
+	auto=add
+
+conn rw-psk
+	authby=secret
+	auto=add
diff --git a/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets b/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..fd33507a7
--- /dev/null
+++ b/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+: RSA moonKey.pem
diff --git a/testing/tests/rw-psk-rsa-mixed/posttest.dat b/testing/tests/rw-psk-rsa-mixed/posttest.dat
new file mode 100644
index 000000000..ed530f6d9
--- /dev/null
+++ b/testing/tests/rw-psk-rsa-mixed/posttest.dat
@@ -0,0 +1,3 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
diff --git a/testing/tests/rw-psk-rsa-mixed/pretest.dat b/testing/tests/rw-psk-rsa-mixed/pretest.dat
new file mode 100644
index 000000000..35797b589
--- /dev/null
+++ b/testing/tests/rw-psk-rsa-mixed/pretest.dat
@@ -0,0 +1,7 @@
+carol::rm /etc/ipsec.d/cacerts/*
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/rw-psk-rsa-mixed/test.conf b/testing/tests/rw-psk-rsa-mixed/test.conf
new file mode 100644
index 000000000..699b88e88
--- /dev/null
+++ b/testing/tests/rw-psk-rsa-mixed/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol dave winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/rw-rsa-no-policy/description.txt b/testing/tests/rw-rsa-no-policy/description.txt
new file mode 100644
index 000000000..c3336b769
--- /dev/null
+++ b/testing/tests/rw-rsa-no-policy/description.txt
@@ -0,0 +1,3 @@
+The roadwarrior <b>carol</b> wants to set up a connection to gateway <b>moon</b> using
+<b>RSASIG</b>-based authentication. Since <b>moon</b> supports <b>PSK</b>-based
+authentication only, the connection setup fails.
diff --git a/testing/tests/rw-rsa-no-policy/evaltest.dat b/testing/tests/rw-rsa-no-policy/evaltest.dat
new file mode 100644
index 000000000..188b7bbb5
--- /dev/null
+++ b/testing/tests/rw-rsa-no-policy/evaltest.dat
@@ -0,0 +1,5 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
+moon::cat /var/log/auth.log::peer requests RSASIG authentication::YES
+moon::cat /var/log/auth.log::but no connection has been authorized with policy=RSASIG::YES
+moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO
+
diff --git a/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..b9318c058
--- /dev/null
+++ b/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn rw-psk
+	authby=secret
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets b/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e8c151f05
--- /dev/null
+++ b/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
diff --git a/testing/tests/rw-rsa-no-policy/posttest.dat b/testing/tests/rw-rsa-no-policy/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/rw-rsa-no-policy/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/rw-rsa-no-policy/pretest.dat b/testing/tests/rw-rsa-no-policy/pretest.dat
new file mode 100644
index 000000000..0d2a0dd1f
--- /dev/null
+++ b/testing/tests/rw-rsa-no-policy/pretest.dat
@@ -0,0 +1,5 @@
+moon::rm /etc/ipsec.d/cacerts/*
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/rw-rsa-no-policy/test.conf b/testing/tests/rw-rsa-no-policy/test.conf
new file mode 100644
index 000000000..f622c18b7
--- /dev/null
+++ b/testing/tests/rw-rsa-no-policy/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/self-signed/description.txt b/testing/tests/self-signed/description.txt
new file mode 100644
index 000000000..2d7bfc2bf
--- /dev/null
+++ b/testing/tests/self-signed/description.txt
@@ -0,0 +1,8 @@
+Roadwarrior <b>carol</b> and gateway <b>moon</b> each generate a
+PKCS#1 RSA private key and a self-signed X.509 certificate
+using the <b>ipsec scepclient</b> function. Because the UML testing
+environment does not offer enough entropy, the non-blocking /dev/urandom
+device is used in place of /dev/random for generating the random primes.
+<p>
+The self-signed certificates are then distributed to the peers via scp
+and are used to set up a road warrior connection initiated by <b>carol</b> 
diff --git a/testing/tests/self-signed/evaltest.dat b/testing/tests/self-signed/evaltest.dat
new file mode 100644
index 000000000..f190d7066
--- /dev/null
+++ b/testing/tests/self-signed/evaltest.dat
@@ -0,0 +1,7 @@
+carol::cat /var/log/auth.log::we have a cert but are not sending it::YES
+moon::cat /var/log/auth.log::we have a cert but are not sending it::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/self-signed/hosts/carol/etc/ipsec.conf b/testing/tests/self-signed/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..fcf7a1754
--- /dev/null
+++ b/testing/tests/self-signed/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=0
+	strictcrlpolicy=no
+	nocrsend=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=selfCert.der
+	leftsendcert=never
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightcert=peerCert.der
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/self-signed/hosts/carol/etc/ipsec.secrets b/testing/tests/self-signed/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..167d743df
--- /dev/null
+++ b/testing/tests/self-signed/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA myKey.der
diff --git a/testing/tests/self-signed/hosts/moon/etc/init.d/iptables b/testing/tests/self-signed/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..13ad3063f
--- /dev/null
+++ b/testing/tests/self-signed/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,78 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A INPUT  -p tcp --sport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/self-signed/hosts/moon/etc/ipsec.conf b/testing/tests/self-signed/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..7d7f42b06
--- /dev/null
+++ b/testing/tests/self-signed/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=0
+	strictcrlpolicy=no
+	nocrsend=yes
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn carol
+	left=192.168.0.1
+	leftnexthop=%direct
+	leftcert=moonCert.der
+	leftid=@moon.strongswan.org
+	leftsendcert=never
+	leftfirewall=yes
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightcert=carolCert.der
+	auto=add
+
diff --git a/testing/tests/self-signed/hosts/moon/etc/ipsec.secrets b/testing/tests/self-signed/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..b9ec17dbc
--- /dev/null
+++ b/testing/tests/self-signed/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.der
diff --git a/testing/tests/self-signed/hosts/moon/etc/scepclient.conf b/testing/tests/self-signed/hosts/moon/etc/scepclient.conf
new file mode 100644
index 000000000..b84f3e131
--- /dev/null
+++ b/testing/tests/self-signed/hosts/moon/etc/scepclient.conf
@@ -0,0 +1,6 @@
+--debug-control
+--keylength 2032
+--days 1460
+--subjectAltName dns=moon.strongswan.org
+--out pkcs1=moonKey.der
+--out cert-self=moonCert.der 
diff --git a/testing/tests/self-signed/posttest.dat b/testing/tests/self-signed/posttest.dat
new file mode 100644
index 000000000..52b48b9ef
--- /dev/null
+++ b/testing/tests/self-signed/posttest.dat
@@ -0,0 +1,10 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+carol::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/certs/*
+moon::rm /etc/ipsec.d/private/*
+moon::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/self-signed/pretest.dat b/testing/tests/self-signed/pretest.dat
new file mode 100644
index 000000000..a7cddf677
--- /dev/null
+++ b/testing/tests/self-signed/pretest.dat
@@ -0,0 +1,17 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+carol::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/certs/*
+carol::rm /etc/ipsec.d/cacerts/*
+carol::ipsec scepclient --out pkcs1 --out cert-self
+moon::rm /etc/ipsec.d/private/*
+moon::rm /etc/ipsec.d/certs/*
+moon::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/scepclient.conf
+moon::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, CN=moon.strongswan.org\" --optionsfrom /etc/scepclient.conf
+moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/carolCert.der
+moon::scp /etc/ipsec.d/certs/moonCert.der carol:/etc/ipsec.d/certs/peerCert.der
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/self-signed/test.conf b/testing/tests/self-signed/test.conf
new file mode 100644
index 000000000..0baa48d90
--- /dev/null
+++ b/testing/tests/self-signed/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/starter-also-loop/description.txt b/testing/tests/starter-also-loop/description.txt
new file mode 100644
index 000000000..7451f4e12
--- /dev/null
+++ b/testing/tests/starter-also-loop/description.txt
@@ -0,0 +1,4 @@
+This scenario is the same as test <b><a href="../rw-cert">rw-cert</a></b> but
+uses the <b>also</b> parameter in <b>moon</b>'s ipsec.conf in order to define
+the connections in a modular form. A closed also loop created by including
+<b>conn host-host</b> in <b>conn moon</b> is successfully detected.
diff --git a/testing/tests/starter-also-loop/evaltest.dat b/testing/tests/starter-also-loop/evaltest.dat
new file mode 100644
index 000000000..161772f8e
--- /dev/null
+++ b/testing/tests/starter-also-loop/evaltest.dat
@@ -0,0 +1,3 @@
+moon::cat /var/log/auth.log::detected also loop::YES
+moon::cat /var/log/auth.log::errors in config::YES
+
diff --git a/testing/tests/starter-also-loop/hosts/moon/etc/ipsec.conf b/testing/tests/starter-also-loop/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..e1d210253
--- /dev/null
+++ b/testing/tests/starter-also-loop/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,48 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn net-net
+	also=host-host
+	also=moon-net
+	also=sun-net
+        
+conn host-host
+	also=moon
+	also=sun
+	auto=add
+
+conn rw
+	right=%any
+	also=moon
+	also=moon-net
+	auto=add
+
+conn moon
+	left=192.168.0.1
+        leftnexthop=%direct
+        leftcert=moonCert.pem
+        leftid=@moon.strongswan.org
+        leftfirewall=yes
+	also=host-host
+
+conn moon-net
+	leftsubnet=10.1.0.0/16
+
+conn sun
+	right=192.168.0.2
+	rightid=@sun.strongswan.org
+
+conn sun-net
+	rightsubnet=10.2.0.0/16
diff --git a/testing/tests/starter-also-loop/posttest.dat b/testing/tests/starter-also-loop/posttest.dat
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/starter-also-loop/posttest.dat
diff --git a/testing/tests/starter-also-loop/pretest.dat b/testing/tests/starter-also-loop/pretest.dat
new file mode 100644
index 000000000..aa46124dc
--- /dev/null
+++ b/testing/tests/starter-also-loop/pretest.dat
@@ -0,0 +1 @@
+moon::ipsec start --debug-all
diff --git a/testing/tests/starter-also-loop/test.conf b/testing/tests/starter-also-loop/test.conf
new file mode 100644
index 000000000..e7735308f
--- /dev/null
+++ b/testing/tests/starter-also-loop/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon"
diff --git a/testing/tests/starter-also/description.txt b/testing/tests/starter-also/description.txt
new file mode 100644
index 000000000..3d4ff7dbf
--- /dev/null
+++ b/testing/tests/starter-also/description.txt
@@ -0,0 +1,3 @@
+This scenario is the same as test <b><a href="../rw-cert">rw-cert</a></b> but
+uses the <b>also</b> parameter in <b>moon</b>'s ipsec.conf in order to define
+the connections in a modular form.
diff --git a/testing/tests/starter-also/evaltest.dat b/testing/tests/starter-also/evaltest.dat
new file mode 100644
index 000000000..c7657801e
--- /dev/null
+++ b/testing/tests/starter-also/evaltest.dat
@@ -0,0 +1,5 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/starter-also/hosts/moon/etc/ipsec.conf b/testing/tests/starter-also/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..74d009cfa
--- /dev/null
+++ b/testing/tests/starter-also/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,47 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn net-net
+	also=host-host
+	also=moon-net
+	also=sun-net
+        
+conn host-host
+	also=moon
+	also=sun
+	auto=add
+
+conn rw
+	right=%any
+	also=moon
+	also=moon-net
+	auto=add
+
+conn moon
+	left=192.168.0.1
+        leftnexthop=%direct
+        leftcert=moonCert.pem
+        leftid=@moon.strongswan.org
+        leftfirewall=yes
+
+conn moon-net
+	leftsubnet=10.1.0.0/16
+
+conn sun
+	right=192.168.0.2
+	rightid=@sun.strongswan.org
+
+conn sun-net
+	rightsubnet=10.2.0.0/16
diff --git a/testing/tests/starter-also/posttest.dat b/testing/tests/starter-also/posttest.dat
new file mode 100644
index 000000000..26848212b
--- /dev/null
+++ b/testing/tests/starter-also/posttest.dat
@@ -0,0 +1,6 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/starter-also/pretest.dat b/testing/tests/starter-also/pretest.dat
new file mode 100644
index 000000000..4f96e61df
--- /dev/null
+++ b/testing/tests/starter-also/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+moon::ipsec start --debug-all
+sleep 2
+carol::ipsec up home
diff --git a/testing/tests/starter-also/test.conf b/testing/tests/starter-also/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/starter-also/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/starter-includes/description.txt b/testing/tests/starter-includes/description.txt
new file mode 100644
index 000000000..6a05c0cca
--- /dev/null
+++ b/testing/tests/starter-includes/description.txt
@@ -0,0 +1,6 @@
+This test is based on the <a href="../mode-config">mode-config</a>
+scenario and demonstrates the multiple use of the <b>include</b>
+parameter in IPsec configuration files. At the top level <b>/etc/ipsec.conf</b>
+defines the config setup section and includes <b>/etc/ipsec.connections</b>
+which in turn includes <b>/etc/ipsec.host</b> and <b>/etc/ipsec.peers/*</b>
+thereby showing the use of wildcards in path definitions.
diff --git a/testing/tests/starter-includes/evaltest.dat b/testing/tests/starter-includes/evaltest.dat
new file mode 100644
index 000000000..be8ca6ef5
--- /dev/null
+++ b/testing/tests/starter-includes/evaltest.dat
@@ -0,0 +1,16 @@
+carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES
+dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: icmp::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: icmp::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: icmp::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: icmp::YES
diff --git a/testing/tests/starter-includes/hosts/carol/etc/ipsec.conf b/testing/tests/starter-includes/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..598997b45
--- /dev/null
+++ b/testing/tests/starter-includes/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%modeconfig
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/starter-includes/hosts/dave/etc/ipsec.conf b/testing/tests/starter-includes/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..da601389c
--- /dev/null
+++ b/testing/tests/starter-includes/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_DAVE
+	leftsourceip=%modeconfig
+	leftnexthop=%direct
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.conf b/testing/tests/starter-includes/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..aa9116252
--- /dev/null
+++ b/testing/tests/starter-includes/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,10 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+include /etc/ipsec.connections
diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.connections b/testing/tests/starter-includes/hosts/moon/etc/ipsec.connections
new file mode 100644
index 000000000..7cd938628
--- /dev/null
+++ b/testing/tests/starter-includes/hosts/moon/etc/ipsec.connections
@@ -0,0 +1,12 @@
+# /etc/ipsec.connections - connection definitions 
+
+conn %default
+        ikelifetime=60m
+        keylife=20m
+        rekeymargin=3m
+        keyingtries=1
+
+include /etc/ipsec.host
+
+include /etc/ipsec.peers/*
+
diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.host b/testing/tests/starter-includes/hosts/moon/etc/ipsec.host
new file mode 100755
index 000000000..e84e5cdc6
--- /dev/null
+++ b/testing/tests/starter-includes/hosts/moon/etc/ipsec.host
@@ -0,0 +1,11 @@
+# /etc/ipsec.host - my host configuration
+
+conn %default
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftsourceip=PH_IP1_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+
diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol b/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol
new file mode 100644
index 000000000..9212a9e96
--- /dev/null
+++ b/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol
@@ -0,0 +1,8 @@
+# /etc/ipsec.peers/ipsec.carol - connection from carol 
+
+conn rw-carol
+	right=%any
+	rightid=carol@strongswan.org
+	rightsourceip=PH_IP1_CAROL
+	auto=add
+
diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave b/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave
new file mode 100644
index 000000000..482d15a21
--- /dev/null
+++ b/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave
@@ -0,0 +1,8 @@
+# /etc/ipsec.peers/ipsec.dave - connection from dave
+
+conn rw-dave
+	right=%any
+	rightid=dave@strongswan.org
+	rightsourceip=PH_IP1_DAVE
+	auto=add
+
diff --git a/testing/tests/starter-includes/posttest.dat b/testing/tests/starter-includes/posttest.dat
new file mode 100644
index 000000000..121aa8aea
--- /dev/null
+++ b/testing/tests/starter-includes/posttest.dat
@@ -0,0 +1,13 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+dave::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP1_CAROL/32 dev eth0
+dave::ip addr del PH_IP1_DAVE/32 dev eth0
+moon::rm /etc/ipsec.connections /etc/ipsec.host
+moon::rm -r /etc/ipsec.peers
diff --git a/testing/tests/starter-includes/pretest.dat b/testing/tests/starter-includes/pretest.dat
new file mode 100644
index 000000000..0af79a6d2
--- /dev/null
+++ b/testing/tests/starter-includes/pretest.dat
@@ -0,0 +1,10 @@
+moon::cat /etc/ipsec.connections /etc/ipsec.host /etc/ipsec.peers/*
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start --debug-all
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/starter-includes/test.conf b/testing/tests/starter-includes/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/starter-includes/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/virtual-ip-swapped/description.txt b/testing/tests/virtual-ip-swapped/description.txt
new file mode 100644
index 000000000..230906c5d
--- /dev/null
+++ b/testing/tests/virtual-ip-swapped/description.txt
@@ -0,0 +1,3 @@
+Same scenario as test <a href="../virtual-ip/"><b>virtual-ip</b></a> but with
+swapped end definitions:  <b>right</b> denotes the <b>local</b> side whereas
+<b>left</b> stands for the <b>remote</b> peer.
diff --git a/testing/tests/virtual-ip-swapped/evaltest.dat b/testing/tests/virtual-ip-swapped/evaltest.dat
new file mode 100644
index 000000000..5160a340f
--- /dev/null
+++ b/testing/tests/virtual-ip-swapped/evaltest.dat
@@ -0,0 +1,9 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES
+moon::ping -c 1 PH_IP1_CAROL::64 bytes from PH_IP1_CAROL: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: icmp::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: icmp::YES
diff --git a/testing/tests/virtual-ip-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..0e239b707
--- /dev/null
+++ b/testing/tests/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	right=PH_IP_CAROL
+	rightsourceip=PH_IP1_CAROL
+	rightnexthop=%direct
+	rightcert=carolCert.pem
+	rightid=carol@strongswan.org
+	rightfirewall=yes
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/virtual-ip-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..db6effbac
--- /dev/null
+++ b/testing/tests/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn rw
+	right=PH_IP_MOON
+	rightsourceip=PH_IP1_MOON
+	rightnexthop=%direct
+	rightcert=moonCert.pem
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightfirewall=yes
+	leftsubnetwithin=10.3.0.0/16
+	left=%any
+	auto=add
diff --git a/testing/tests/virtual-ip-swapped/posttest.dat b/testing/tests/virtual-ip-swapped/posttest.dat
new file mode 100644
index 000000000..ac5c7dd82
--- /dev/null
+++ b/testing/tests/virtual-ip-swapped/posttest.dat
@@ -0,0 +1,7 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP1_CAROL/32 dev eth0
diff --git a/testing/tests/virtual-ip-swapped/pretest.dat b/testing/tests/virtual-ip-swapped/pretest.dat
new file mode 100644
index 000000000..4fe0ee90b
--- /dev/null
+++ b/testing/tests/virtual-ip-swapped/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/virtual-ip-swapped/test.conf b/testing/tests/virtual-ip-swapped/test.conf
new file mode 100644
index 000000000..f106524e2
--- /dev/null
+++ b/testing/tests/virtual-ip-swapped/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/virtual-ip/description.txt b/testing/tests/virtual-ip/description.txt
new file mode 100644
index 000000000..4ec6021ea
--- /dev/null
+++ b/testing/tests/virtual-ip/description.txt
@@ -0,0 +1,8 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. Both <b>carol</b>
+and <b>moon</b> define a static virtual IP using the <b>leftsourceip</b> parameter.
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnel, <b>carol</b> pings the client <b>alice</b>
+behind the gateway <b>moon</b> as well as the inner interface of the gateway. The source IP
+of the two pings will be the virtual IP <b>carol1</b>. Also thanks to its virtual IP <b>moon1</b>
+the gateway <b>moon</b> is able to ping <b>carol1</b> by using the existing subnet-subnet IPsec
+tunnel.
diff --git a/testing/tests/virtual-ip/evaltest.dat b/testing/tests/virtual-ip/evaltest.dat
new file mode 100644
index 000000000..5160a340f
--- /dev/null
+++ b/testing/tests/virtual-ip/evaltest.dat
@@ -0,0 +1,9 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES
+moon::ping -c 1 PH_IP1_CAROL::64 bytes from PH_IP1_CAROL: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: icmp::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: icmp::YES
diff --git a/testing/tests/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/virtual-ip/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..2f1170a6b
--- /dev/null
+++ b/testing/tests/virtual-ip/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=PH_IP1_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/virtual-ip/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..1cd8aab25
--- /dev/null
+++ b/testing/tests/virtual-ip/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn rw
+	left=PH_IP_MOON
+	leftsourceip=PH_IP1_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	rightsubnetwithin=10.3.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/virtual-ip/posttest.dat b/testing/tests/virtual-ip/posttest.dat
new file mode 100644
index 000000000..ac5c7dd82
--- /dev/null
+++ b/testing/tests/virtual-ip/posttest.dat
@@ -0,0 +1,7 @@
+moon::iptables -v -n -L
+carol::iptables -v -n -L
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP1_CAROL/32 dev eth0
diff --git a/testing/tests/virtual-ip/pretest.dat b/testing/tests/virtual-ip/pretest.dat
new file mode 100644
index 000000000..4fe0ee90b
--- /dev/null
+++ b/testing/tests/virtual-ip/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/virtual-ip/test.conf b/testing/tests/virtual-ip/test.conf
new file mode 100644
index 000000000..f106524e2
--- /dev/null
+++ b/testing/tests/virtual-ip/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/wildcards/description.txt b/testing/tests/wildcards/description.txt
new file mode 100644
index 000000000..e485f7066
--- /dev/null
+++ b/testing/tests/wildcards/description.txt
@@ -0,0 +1,8 @@
+The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
+<b>venus</b> by means of wildcard parameters that must match the subject
+<b>Distinguished Name</b> contained in the peer's X.509 certificate. Access to
+<b>alice</b> is granted for DNs containing a OU=Research field whereas <b>venus</b>
+can only be reached with a DN containing OU=Accounting. The roadwarriors
+<b>carol</b> and <b>dave</b> belong to the departments 'Research' and 'Accounting',
+respectively. Therefore <b>carol</b> can access <b>alice</b> and <b>dave</b>
+can reach <b>venus</b>.
diff --git a/testing/tests/wildcards/evaltest.dat b/testing/tests/wildcards/evaltest.dat
new file mode 100644
index 000000000..cbc94b75a
--- /dev/null
+++ b/testing/tests/wildcards/evaltest.dat
@@ -0,0 +1,8 @@
+carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
+moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
+dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
+dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
+moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/wildcards/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..de179c565
--- /dev/null
+++ b/testing/tests/wildcards/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftcert=carolCert.pem
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+
+conn alice
+	rightsubnet=PH_IP_ALICE/32
+	auto=add
+	
+conn venus
+	rightsubnet=PH_IP_VENUS/32
+	auto=add
+
+
+
+
+
diff --git a/testing/tests/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/wildcards/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..2fb6a301e
--- /dev/null
+++ b/testing/tests/wildcards/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_DAVE
+	leftnexthop=%direct
+	leftcert=daveCert.pem
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+
+conn alice
+	rightsubnet=PH_IP_ALICE/32
+	auto=add
+	
+conn venus
+	rightsubnet=PH_IP_VENUS/32
+	auto=add
+
+
+
+
+
diff --git a/testing/tests/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/wildcards/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..ee7bc8115
--- /dev/null
+++ b/testing/tests/wildcards/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,31 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+
+conn alice
+	leftsubnet=PH_IP_ALICE/32
+	right=%any
+	rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"
+	auto=add
+	
+conn venus
+	leftsubnet=PH_IP_VENUS/32
+	right=%any
+	rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"
+	auto=add
+	
diff --git a/testing/tests/wildcards/posttest.dat b/testing/tests/wildcards/posttest.dat
new file mode 100644
index 000000000..ed530f6d9
--- /dev/null
+++ b/testing/tests/wildcards/posttest.dat
@@ -0,0 +1,3 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
diff --git a/testing/tests/wildcards/pretest.dat b/testing/tests/wildcards/pretest.dat
new file mode 100644
index 000000000..67c50c2ef
--- /dev/null
+++ b/testing/tests/wildcards/pretest.dat
@@ -0,0 +1,9 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up alice
+carol::ipsec up venus
+dave::ipsec up venus
+dave::ipsec up alice
diff --git a/testing/tests/wildcards/test.conf b/testing/tests/wildcards/test.conf
new file mode 100644
index 000000000..08e5cc145
--- /dev/null
+++ b/testing/tests/wildcards/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/wlan/description.txt b/testing/tests/wlan/description.txt
new file mode 100644
index 000000000..e018148bd
--- /dev/null
+++ b/testing/tests/wlan/description.txt
@@ -0,0 +1,15 @@
+The WLAN clients <b>alice</b> and <b>venus</b> secure all their wireless traffic
+by setting up an IPsec tunnel to gateway <b>moon</b>. The VPN network mask is
+<b>0.0.0.0/0</b>. Traffic with destination outside the protected 10.1.0.0/10 network
+is NAT-ed by router <b>moon</b>. The IPsec connections are tested by pings from
+<b>alice</b> to <b>venus</b> tunneled  via <b>moon</b> and to both the internal
+and external interface of gateway <b>moon</b>. Access to the gateway is
+set up by <b>lefthostaccess=yes</b> in conjunction with <b>leftfirewall=yes</b>.
+At last <b>alice</b> and <b>venus</b> ping the external host <b>sun</b> via the NAT router.
+<p>
+The host system controls the UML instances <b>alice</b> and <b>carol</b> via
+ssh commands sent over the virtual <b>tap1</b> interface. In order to keep up 
+the control flow in the presence of the all-encompassing 0.0.0.0/0 tunnel
+to the gateway <b>moon</b> an auxiliary <b>passthrough</b> eroute restricted
+to the ssh port is statically set up by <b>conn system</b>.
+
diff --git a/testing/tests/wlan/evaltest.dat b/testing/tests/wlan/evaltest.dat
new file mode 100644
index 000000000..ccf5d0c8a
--- /dev/null
+++ b/testing/tests/wlan/evaltest.dat
@@ -0,0 +1,11 @@
+alice::ipsec status::wlan.*STATE_QUICK_I2.*IPsec SA established::YES
+venus::ipsec status::wlan.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+alice::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::tcpdump::ESP::YES
+sun::tcpdump::icmp::YES
diff --git a/testing/tests/wlan/hosts/alice/etc/init.d/iptables b/testing/tests/wlan/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..86a76e2db
--- /dev/null
+++ b/testing/tests/wlan/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,73 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+        # allow esp
+        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+			
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/wlan/hosts/alice/etc/ipsec.conf b/testing/tests/wlan/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..a658e4fe8
--- /dev/null
+++ b/testing/tests/wlan/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,37 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	nat_traversal=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn system
+	left=PH_IP_ALICE
+	leftprotoport=tcp/ssh
+	leftnexthop=%direct
+	authby=never
+	type=passthrough
+	right=10.1.0.254
+	rightprotoport=tcp
+	auto=route
+
+conn wlan 
+	left=PH_IP_ALICE
+	leftnexthop=%direct
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	right=PH_IP1_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=0.0.0.0/0
+	auto=add
+
diff --git a/testing/tests/wlan/hosts/moon/etc/init.d/iptables b/testing/tests/wlan/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..e95ef44c6
--- /dev/null
+++ b/testing/tests/wlan/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,82 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+        # allow crl fetch from winnetou
+	iptables -A INPUT   -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A FORWARD -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A FORWARD -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT  -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+	
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	# enable SNAT
+	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p icmp -j SNAT --to-source PH_IP_MOON
+	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp  -j SNAT --to-source PH_IP_MOON:2000-2100
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/wlan/hosts/moon/etc/ipsec.conf b/testing/tests/wlan/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..f873479e8
--- /dev/null
+++ b/testing/tests/wlan/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,37 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	nat_traversal=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn alice
+	right=PH_IP_ALICE
+	rightid=alice@strongswan.org
+	also=wlan
+	auto=add
+
+conn venus
+	right=PH_IP_VENUS
+	rightid=@venus.strongswan.org
+	also=wlan
+	auto=add
+
+conn wlan
+        left=PH_IP1_MOON
+	leftnexthop=%direct
+	leftsubnet=0.0.0.0/0
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	lefthostaccess=yes
+
diff --git a/testing/tests/wlan/hosts/venus/etc/init.d/iptables b/testing/tests/wlan/hosts/venus/etc/init.d/iptables
new file mode 100755
index 000000000..6f95e7576
--- /dev/null
+++ b/testing/tests/wlan/hosts/venus/etc/init.d/iptables
@@ -0,0 +1,73 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+				
+				# allow IKE
+        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+			
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/wlan/hosts/venus/etc/ipsec.conf b/testing/tests/wlan/hosts/venus/etc/ipsec.conf
new file mode 100755
index 000000000..742c1dbce
--- /dev/null
+++ b/testing/tests/wlan/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,37 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	nat_traversal=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn system
+	left=PH_IP_VENUS
+	leftprotoport=tcp/ssh
+	leftnexthop=%direct
+	authby=never
+	type=passthrough
+	right=10.1.0.254
+	rightprotoport=tcp
+	auto=route
+
+conn wlan 
+	left=PH_IP_VENUS
+	leftnexthop=%direct
+	leftcert=venusCert.pem
+	leftid=@venus.strongswan.org
+	leftfirewall=yes
+	right=PH_IP1_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=0.0.0.0/0
+	auto=add
+
diff --git a/testing/tests/wlan/posttest.dat b/testing/tests/wlan/posttest.dat
new file mode 100644
index 000000000..cc873d1ff
--- /dev/null
+++ b/testing/tests/wlan/posttest.dat
@@ -0,0 +1,10 @@
+alice::iptables -v -n -L
+venus::iptables -v -n -L
+moon::iptables -t nat -v -n -L POSTROUTING
+moon::iptables -v -n -L
+moon::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/iptables stop 2> /dev/null
+moon::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/wlan/pretest.dat b/testing/tests/wlan/pretest.dat
new file mode 100644
index 000000000..de4a6ad31
--- /dev/null
+++ b/testing/tests/wlan/pretest.dat
@@ -0,0 +1,11 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+alice::/etc/init.d/iptables start 2> /dev/null
+venus::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+alice::ipsec start
+venus::ipsec start
+alice::sleep 2 
+alice::ipsec up wlan 
+venus::sleep 2 
+venus::ipsec up wlan
+venus::sleep 2
diff --git a/testing/tests/wlan/test.conf b/testing/tests/wlan/test.conf
new file mode 100644
index 000000000..b141c4f1b
--- /dev/null
+++ b/testing/tests/wlan/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon:eth1 sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus moon"