1a57d7795SbluhmSend IPsec traffic to another machine where it gets processed. 2a57d7795SbluhmThere the IPsec implementation has to deliver it to the local stack 3a57d7795Sbluhmor forward it after decryption. By reflecting the packets, the way 4a57d7795Sbluhmback is also tested. When the response is received at the generating 5a57d7795Sbluhmmachine, the test is considered successful. 6a57d7795Sbluhm 7*13228817SbluhmCurrently ICMP ping, UDP, TCP packets are protected with ESP and 8*13228817SbluhmAH. Also IPIP encapsulation and IP compression flows are tested. 947e34d94SbluhmTransport and tunnel mode are tested with all combinations of IPv4 10*13228817Sbluhmand IPv6. SA bundles that do IPComp, ESP, AH with a single flow 11*13228817Sbluhmare tested with all combinations of encapsulation mode, and both 12*13228817Sbluhmip versions, and the ip protocols ping, UDP, TCP. Small and big 13*13228817Sbluhmping packets are used, as IPComp skips small packets. 14a57d7795Sbluhm 15*13228817SbluhmThe netstat -s counters are checked to ensure that encrypted packets 16*13228817Sbluhmare processed in both ways. 17*13228817Sbluhm 18*13228817SbluhmThe BPF output of the enc0 and pflog0 interface is checked. This 19*13228817Sbluhmensures that all IPsec packets are passed to bpf and pf. 20e7650b58Sbluhm 2147e34d94SbluhmTODO: 22e7650b58SbluhmTests for fragments and path MTU discovery are planned. 23e7650b58SbluhmTest TCP MD5 signatures. 24*13228817SbluhmTest NAT-Traversal over UDP. 25