author | Markus Friedl <markus@cvs.openbsd.org> | 2012-09-15 13:18:35 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2012-09-15 13:18:35 +0000 |
commit | e47a66e2bd248d3e09c0500c246ff82235b44ee4 (patch) | |
tree | f180aa98090f027d869a547d60db1324ae135066 /regress/sbin | |
parent | 288ff53fc888c3ad61a2f046a3124b06cc61b2ab (diff) |
sync with recent ipsecctl changes/fixes
Diffstat (limited to 'regress/sbin')
63 files changed, 1845 insertions, 222 deletions
diff --git a/regress/sbin/ipsecctl/ike1.ok b/regress/sbin/ipsecctl/ike1.ok
index 8a94ed9e94f..5327beb6b08 100644
--- a/regress/sbin/ipsecctl/ike1.ok
+++ b/regress/sbin/ipsecctl/ike1.ok
@@ -3,14 +3,29 @@ C set [peer-131.188.33.29]:Phase=1 force
 C set [peer-131.188.33.29]:Address=131.188.33.29 force
 C set [peer-131.188.33.29]:Configuration=phase1-peer-131.188.33.29 force
 C set [phase1-peer-131.188.33.29]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-131.188.33.29]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-131.188.33.29]:Transforms=phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-131.188.33.51-to-131.188.33.29]:Phase=2 force
 C set [from-131.188.33.51-to-131.188.33.29]:ISAKMP-peer=peer-131.188.33.29 force
 C set [from-131.188.33.51-to-131.188.33.29]:Configuration=phase2-from-131.188.33.51-to-131.188.33.29 force
 C set [from-131.188.33.51-to-131.188.33.29]:Local-ID=from-131.188.33.51 force
 C set [from-131.188.33.51-to-131.188.33.29]:Remote-ID=to-131.188.33.29 force
 C set [phase2-from-131.188.33.51-to-131.188.33.29]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-131.188.33.51-to-131.188.33.29]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-131.188.33.51-to-131.188.33.29]:Suites=phase2-suite-from-131.188.33.51-to-131.188.33.29 force
+C set [phase2-suite-from-131.188.33.51-to-131.188.33.29]:Protocols=phase2-protocol-from-131.188.33.51-to-131.188.33.29 force
+C set [phase2-protocol-from-131.188.33.51-to-131.188.33.29]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-131.188.33.51-to-131.188.33.29]:Transforms=phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-131.188.33.51]:ID-type=IPV4_ADDR force
 C set [from-131.188.33.51]:Address=131.188.33.51 force
 C set [to-131.188.33.29]:ID-type=IPV4_ADDR force
diff --git a/regress/sbin/ipsecctl/ike10.ok b/regress/sbin/ipsecctl/ike10.ok
index be106fe1f99..a560e3a97c8 100644
--- a/regress/sbin/ipsecctl/ike10.ok
+++ b/regress/sbin/ipsecctl/ike10.ok
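Review bot: The section names on the added `Transforms=` lines embed the key-length range, e.g. `phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024`, so the value passed to `C add [phase1-peer-131.188.33.29]:Transforms=` now contains a comma. If isakmpd reads `Transforms` as a comma-separated list (the parser is not visible on this page, so this is inferred), that one name would be split and neither piece would match the section defined on the following lines; the same applies to the phase 2 `Transforms=...-AES128,128:256-SHA2_256-MODP_1024-TUNNEL` line and to every other hunk in this commit. Because these .ok files pin the generated output, I would keep the range only in `KEY_LENGTH=128,128:256` and expect a separator-free name such as `phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128-MODP_1024`. The expanded output also makes the locked-in defaults visible (`HASH_ALGORITHM=SHA` and `GROUP_DESCRIPTION=MODP_1024` in phase 1, `MODP_1024` again in phase 2), which is worth stating in the commit message so that a later change of defaults is a deliberate fixture update.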
@@ -3,14 +3,29 @@ C set [peer-192.168.200.1]:Phase=1 force
 C set [peer-192.168.200.1]:Address=192.168.200.1 force
 C set [peer-192.168.200.1]:Configuration=phase1-peer-192.168.200.1 force
 C set [phase1-peer-192.168.200.1]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-192.168.200.1]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-192.168.200.1]:Transforms=phase1-transform-peer-192.168.200.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-192.168.200.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-192.168.200.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-192.168.200.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-192.168.200.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-192.168.200.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-192.168.200.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-192.168.100.1=97-to-192.168.200.1=97]:Phase=2 force
 C set [from-192.168.100.1=97-to-192.168.200.1=97]:ISAKMP-peer=peer-192.168.200.1 force
 C set [from-192.168.100.1=97-to-192.168.200.1=97]:Configuration=phase2-from-192.168.100.1=97-to-192.168.200.1=97 force
 C set [from-192.168.100.1=97-to-192.168.200.1=97]:Local-ID=from-192.168.100.1=97 force
 C set [from-192.168.100.1=97-to-192.168.200.1=97]:Remote-ID=to-192.168.200.1=97 force
 C set [phase2-from-192.168.100.1=97-to-192.168.200.1=97]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-192.168.100.1=97-to-192.168.200.1=97]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-192.168.100.1=97-to-192.168.200.1=97]:Suites=phase2-suite-from-192.168.100.1=97-to-192.168.200.1=97 force
+C set [phase2-suite-from-192.168.100.1=97-to-192.168.200.1=97]:Protocols=phase2-protocol-from-192.168.100.1=97-to-192.168.200.1=97 force
+C set [phase2-protocol-from-192.168.100.1=97-to-192.168.200.1=97]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-192.168.100.1=97-to-192.168.200.1=97]:Transforms=phase2-transform-from-192.168.100.1=97-to-192.168.200.1=97-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-192.168.100.1=97-to-192.168.200.1=97-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-192.168.100.1=97-to-192.168.200.1=97-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-192.168.100.1=97-to-192.168.200.1=97-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-192.168.100.1=97-to-192.168.200.1=97-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-192.168.100.1=97-to-192.168.200.1=97-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-192.168.100.1=97-to-192.168.200.1=97-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-192.168.100.1=97]:ID-type=IPV4_ADDR force
 C set [from-192.168.100.1=97]:Address=192.168.100.1 force
 C set [to-192.168.200.1=97]:ID-type=IPV4_ADDR force
diff --git a/regress/sbin/ipsecctl/ike11.ok b/regress/sbin/ipsecctl/ike11.ok
index ff637adcfe1..cc33c77f4e0 100644
--- a/regress/sbin/ipsecctl/ike11.ok
+++ b/regress/sbin/ipsecctl/ike11.ok
@@ -4,14 +4,29 @@ C set [peer-192.168.3.1-local-192.168.3.2]:Address=192.168.3.1 force
 C set [peer-192.168.3.1-local-192.168.3.2]:Local-address=192.168.3.2 force
 C set [peer-192.168.3.1-local-192.168.3.2]:Configuration=phase1-peer-192.168.3.1-local-192.168.3.2 force
 C set [phase1-peer-192.168.3.1-local-192.168.3.2]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-192.168.3.1-local-192.168.3.2]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-192.168.3.1-local-192.168.3.2]:Transforms=phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-1.1.1.1-to-0.0.0.0/0]:Phase=2 force
 C set [from-1.1.1.1-to-0.0.0.0/0]:ISAKMP-peer=peer-192.168.3.1-local-192.168.3.2 force
 C set [from-1.1.1.1-to-0.0.0.0/0]:Configuration=phase2-from-1.1.1.1-to-0.0.0.0/0 force
 C set [from-1.1.1.1-to-0.0.0.0/0]:Local-ID=from-1.1.1.1 force
 C set [from-1.1.1.1-to-0.0.0.0/0]:Remote-ID=to-0.0.0.0/0 force
 C set [phase2-from-1.1.1.1-to-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-1.1.1.1-to-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-1.1.1.1-to-0.0.0.0/0]:Suites=phase2-suite-from-1.1.1.1-to-0.0.0.0/0 force
+C set [phase2-suite-from-1.1.1.1-to-0.0.0.0/0]:Protocols=phase2-protocol-from-1.1.1.1-to-0.0.0.0/0 force
+C set [phase2-protocol-from-1.1.1.1-to-0.0.0.0/0]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-1.1.1.1-to-0.0.0.0/0]:Transforms=phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-1.1.1.1]:ID-type=IPV4_ADDR force
 C set [from-1.1.1.1]:Address=1.1.1.1 force
 C set [to-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
@@ -24,14 +39,29 @@ C set [peer-192.168.3.1-local-192.168.3.2]:Address=192.168.3.1 force
 C set [peer-192.168.3.1-local-192.168.3.2]:Local-address=192.168.3.2 force
 C set [peer-192.168.3.1-local-192.168.3.2]:Configuration=phase1-peer-192.168.3.1-local-192.168.3.2 force
 C set [phase1-peer-192.168.3.1-local-192.168.3.2]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-192.168.3.1-local-192.168.3.2]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-192.168.3.1-local-192.168.3.2]:Transforms=phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-1.1.1.1-to-0.0.0.0/0]:Phase=2 force
 C set [from-1.1.1.1-to-0.0.0.0/0]:ISAKMP-peer=peer-192.168.3.1-local-192.168.3.2 force
 C set [from-1.1.1.1-to-0.0.0.0/0]:Configuration=phase2-from-1.1.1.1-to-0.0.0.0/0 force
 C set [from-1.1.1.1-to-0.0.0.0/0]:Local-ID=from-1.1.1.1 force
 C set [from-1.1.1.1-to-0.0.0.0/0]:Remote-ID=to-0.0.0.0/0 force
 C set [phase2-from-1.1.1.1-to-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-1.1.1.1-to-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-1.1.1.1-to-0.0.0.0/0]:Suites=phase2-suite-from-1.1.1.1-to-0.0.0.0/0 force
+C set [phase2-suite-from-1.1.1.1-to-0.0.0.0/0]:Protocols=phase2-protocol-from-1.1.1.1-to-0.0.0.0/0 force
+C set [phase2-protocol-from-1.1.1.1-to-0.0.0.0/0]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-1.1.1.1-to-0.0.0.0/0]:Transforms=phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-1.1.1.1]:ID-type=IPV4_ADDR force
 C set [from-1.1.1.1]:Address=1.1.1.1 force
 C set [to-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
diff --git a/regress/sbin/ipsecctl/ike12.ok b/regress/sbin/ipsecctl/ike12.ok
index 2d00da756cf..1dc863e0829 100644
--- a/regress/sbin/ipsecctl/ike12.ok
+++ b/regress/sbin/ipsecctl/ike12.ok
@@ -4,14 +4,29 @@ C set [peer-5.5.5.5]:Phase=1 force
 C set [peer-5.5.5.5]:Address=5.5.5.5 force
 C set [peer-5.5.5.5]:Configuration=phase1-peer-5.5.5.5 force
 C set [phase1-peer-5.5.5.5]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-5.5.5.5]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-5.5.5.5]:Transforms=phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-1.1.1.1-to-2.2.2.0/24]:Phase=2 force
 C set [from-1.1.1.1-to-2.2.2.0/24]:ISAKMP-peer=peer-5.5.5.5 force
 C set [from-1.1.1.1-to-2.2.2.0/24]:Configuration=phase2-from-1.1.1.1-to-2.2.2.0/24 force
 C set [from-1.1.1.1-to-2.2.2.0/24]:Local-ID=from-1.1.1.1 force
 C set [from-1.1.1.1-to-2.2.2.0/24]:Remote-ID=to-2.2.2.0/24 force
 C set [phase2-from-1.1.1.1-to-2.2.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-1.1.1.1-to-2.2.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-1.1.1.1-to-2.2.2.0/24]:Suites=phase2-suite-from-1.1.1.1-to-2.2.2.0/24 force
+C set [phase2-suite-from-1.1.1.1-to-2.2.2.0/24]:Protocols=phase2-protocol-from-1.1.1.1-to-2.2.2.0/24 force
+C set [phase2-protocol-from-1.1.1.1-to-2.2.2.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-1.1.1.1-to-2.2.2.0/24]:Transforms=phase2-transform-from-1.1.1.1-to-2.2.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-1.1.1.1]:ID-type=IPV4_ADDR force
 C set [from-1.1.1.1]:Address=1.1.1.1 force
 C set [to-2.2.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
@@ -23,14 +38,29 @@ C set [peer-5.5.5.5]:Phase=1 force
 C set [peer-5.5.5.5]:Address=5.5.5.5 force
 C set [peer-5.5.5.5]:Configuration=phase1-peer-5.5.5.5 force
 C set [phase1-peer-5.5.5.5]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-5.5.5.5]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-5.5.5.5]:Transforms=phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-1.1.1.1-to-3.3.3.0/24]:Phase=2 force
 C set [from-1.1.1.1-to-3.3.3.0/24]:ISAKMP-peer=peer-5.5.5.5 force
 C set [from-1.1.1.1-to-3.3.3.0/24]:Configuration=phase2-from-1.1.1.1-to-3.3.3.0/24 force
 C set [from-1.1.1.1-to-3.3.3.0/24]:Local-ID=from-1.1.1.1 force
 C set [from-1.1.1.1-to-3.3.3.0/24]:Remote-ID=to-3.3.3.0/24 force
 C set [phase2-from-1.1.1.1-to-3.3.3.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-1.1.1.1-to-3.3.3.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-1.1.1.1-to-3.3.3.0/24]:Suites=phase2-suite-from-1.1.1.1-to-3.3.3.0/24 force
+C set [phase2-suite-from-1.1.1.1-to-3.3.3.0/24]:Protocols=phase2-protocol-from-1.1.1.1-to-3.3.3.0/24 force
+C set [phase2-protocol-from-1.1.1.1-to-3.3.3.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-1.1.1.1-to-3.3.3.0/24]:Transforms=phase2-transform-from-1.1.1.1-to-3.3.3.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-3.3.3.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-1.1.1.1-to-3.3.3.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-1.1.1.1-to-3.3.3.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-3.3.3.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-1.1.1.1-to-3.3.3.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-1.1.1.1-to-3.3.3.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-1.1.1.1]:ID-type=IPV4_ADDR force
 C set [from-1.1.1.1]:Address=1.1.1.1 force
 C set [to-3.3.3.0/24]:ID-type=IPV4_ADDR_SUBNET force
@@ -42,14 +72,29 @@ C set [peer-5.5.5.5]:Phase=1 force
 C set [peer-5.5.5.5]:Address=5.5.5.5 force
 C set [peer-5.5.5.5]:Configuration=phase1-peer-5.5.5.5 force
 C set [phase1-peer-5.5.5.5]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-5.5.5.5]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-5.5.5.5]:Transforms=phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-5.5.5.5-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-1.1.1.1-to-4.4.4.0/24]:Phase=2 force
 C set [from-1.1.1.1-to-4.4.4.0/24]:ISAKMP-peer=peer-5.5.5.5 force
 C set [from-1.1.1.1-to-4.4.4.0/24]:Configuration=phase2-from-1.1.1.1-to-4.4.4.0/24 force
 C set [from-1.1.1.1-to-4.4.4.0/24]:Local-ID=from-1.1.1.1 force
 C set [from-1.1.1.1-to-4.4.4.0/24]:Remote-ID=to-4.4.4.0/24 force
 C set [phase2-from-1.1.1.1-to-4.4.4.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-1.1.1.1-to-4.4.4.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-1.1.1.1-to-4.4.4.0/24]:Suites=phase2-suite-from-1.1.1.1-to-4.4.4.0/24 force
+C set [phase2-suite-from-1.1.1.1-to-4.4.4.0/24]:Protocols=phase2-protocol-from-1.1.1.1-to-4.4.4.0/24 force
+C set [phase2-protocol-from-1.1.1.1-to-4.4.4.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-1.1.1.1-to-4.4.4.0/24]:Transforms=phase2-transform-from-1.1.1.1-to-4.4.4.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-4.4.4.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-1.1.1.1-to-4.4.4.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-1.1.1.1-to-4.4.4.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-4.4.4.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-1.1.1.1-to-4.4.4.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-1.1.1.1-to-4.4.4.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-1.1.1.1]:ID-type=IPV4_ADDR force
 C set [from-1.1.1.1]:Address=1.1.1.1 force
 C set [to-4.4.4.0/24]:ID-type=IPV4_ADDR_SUBNET force
diff --git a/regress/sbin/ipsecctl/ike13.ok b/regress/sbin/ipsecctl/ike13.ok
index 29d0cb1baea..3af68e7a7a9 100644
--- a/regress/sbin/ipsecctl/ike13.ok
+++ b/regress/sbin/ipsecctl/ike13.ok
@@ -4,14 +4,29 @@ C set [peer-1.1.1.1]:Phase=1 force
 C set [peer-1.1.1.1]:Address=1.1.1.1 force
 C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force
 C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-2.2.2.0/24-to-1.1.1.1]:Phase=2 force
 C set [from-2.2.2.0/24-to-1.1.1.1]:ISAKMP-peer=peer-1.1.1.1 force
 C set [from-2.2.2.0/24-to-1.1.1.1]:Configuration=phase2-from-2.2.2.0/24-to-1.1.1.1 force
 C set [from-2.2.2.0/24-to-1.1.1.1]:Local-ID=from-2.2.2.0/24 force
 C set [from-2.2.2.0/24-to-1.1.1.1]:Remote-ID=to-1.1.1.1 force
 C set [phase2-from-2.2.2.0/24-to-1.1.1.1]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-2.2.2.0/24-to-1.1.1.1]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-2.2.2.0/24-to-1.1.1.1]:Suites=phase2-suite-from-2.2.2.0/24-to-1.1.1.1 force
+C set [phase2-suite-from-2.2.2.0/24-to-1.1.1.1]:Protocols=phase2-protocol-from-2.2.2.0/24-to-1.1.1.1 force
+C set [phase2-protocol-from-2.2.2.0/24-to-1.1.1.1]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-2.2.2.0/24-to-1.1.1.1]:Transforms=phase2-transform-from-2.2.2.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-2.2.2.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-2.2.2.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-2.2.2.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-2.2.2.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-2.2.2.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-2.2.2.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-2.2.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-2.2.2.0/24]:Network=2.2.2.0 force
 C set [from-2.2.2.0/24]:Netmask=255.255.255.0 force
@@ -23,14 +38,29 @@ C set [peer-1.1.1.1]:Phase=1 force
 C set [peer-1.1.1.1]:Address=1.1.1.1 force
 C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force
 C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-3.3.3.0/24-to-1.1.1.1]:Phase=2 force
 C set [from-3.3.3.0/24-to-1.1.1.1]:ISAKMP-peer=peer-1.1.1.1 force
 C set [from-3.3.3.0/24-to-1.1.1.1]:Configuration=phase2-from-3.3.3.0/24-to-1.1.1.1 force
 C set [from-3.3.3.0/24-to-1.1.1.1]:Local-ID=from-3.3.3.0/24 force
 C set [from-3.3.3.0/24-to-1.1.1.1]:Remote-ID=to-1.1.1.1 force
 C set [phase2-from-3.3.3.0/24-to-1.1.1.1]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3.3.3.0/24-to-1.1.1.1]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3.3.3.0/24-to-1.1.1.1]:Suites=phase2-suite-from-3.3.3.0/24-to-1.1.1.1 force
+C set [phase2-suite-from-3.3.3.0/24-to-1.1.1.1]:Protocols=phase2-protocol-from-3.3.3.0/24-to-1.1.1.1 force
+C set [phase2-protocol-from-3.3.3.0/24-to-1.1.1.1]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3.3.3.0/24-to-1.1.1.1]:Transforms=phase2-transform-from-3.3.3.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3.3.3.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3.3.3.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3.3.3.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3.3.3.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3.3.3.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3.3.3.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3.3.3.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-3.3.3.0/24]:Network=3.3.3.0 force
 C set [from-3.3.3.0/24]:Netmask=255.255.255.0 force
@@ -42,14 +72,29 @@ C set [peer-1.1.1.1]:Phase=1 force
 C set [peer-1.1.1.1]:Address=1.1.1.1 force
 C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force
 C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-4.4.4.0/24-to-1.1.1.1]:Phase=2 force
 C set [from-4.4.4.0/24-to-1.1.1.1]:ISAKMP-peer=peer-1.1.1.1 force
 C set [from-4.4.4.0/24-to-1.1.1.1]:Configuration=phase2-from-4.4.4.0/24-to-1.1.1.1 force
 C set [from-4.4.4.0/24-to-1.1.1.1]:Local-ID=from-4.4.4.0/24 force
 C set [from-4.4.4.0/24-to-1.1.1.1]:Remote-ID=to-1.1.1.1 force
 C set [phase2-from-4.4.4.0/24-to-1.1.1.1]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-4.4.4.0/24-to-1.1.1.1]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-4.4.4.0/24-to-1.1.1.1]:Suites=phase2-suite-from-4.4.4.0/24-to-1.1.1.1 force
+C set [phase2-suite-from-4.4.4.0/24-to-1.1.1.1]:Protocols=phase2-protocol-from-4.4.4.0/24-to-1.1.1.1 force
+C set [phase2-protocol-from-4.4.4.0/24-to-1.1.1.1]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-4.4.4.0/24-to-1.1.1.1]:Transforms=phase2-transform-from-4.4.4.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-4.4.4.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-4.4.4.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-4.4.4.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-4.4.4.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-4.4.4.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-4.4.4.0/24-to-1.1.1.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-4.4.4.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-4.4.4.0/24]:Network=4.4.4.0 force
 C set [from-4.4.4.0/24]:Netmask=255.255.255.0 force
diff --git a/regress/sbin/ipsecctl/ike14.ok b/regress/sbin/ipsecctl/ike14.ok
index 40d894038ca..b3f3346aa45 100644
--- a/regress/sbin/ipsecctl/ike14.ok
+++ b/regress/sbin/ipsecctl/ike14.ok
@@ -5,14 +5,29 @@ C set [peer-1.1.1.1]:Phase=1 force C set [peer-1.1.1.1]:Address=1.1.1.1 force C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-2.2.2.0/24-to-5.5.5.0/24]:Phase=2 force C set [from-2.2.2.0/24-to-5.5.5.0/24]:ISAKMP-peer=peer-1.1.1.1 force C set [from-2.2.2.0/24-to-5.5.5.0/24]:Configuration=phase2-from-2.2.2.0/24-to-5.5.5.0/24 force C set [from-2.2.2.0/24-to-5.5.5.0/24]:Local-ID=from-2.2.2.0/24 force C set [from-2.2.2.0/24-to-5.5.5.0/24]:Remote-ID=to-5.5.5.0/24 force C set [phase2-from-2.2.2.0/24-to-5.5.5.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-2.2.2.0/24-to-5.5.5.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-2.2.2.0/24-to-5.5.5.0/24]:Suites=phase2-suite-from-2.2.2.0/24-to-5.5.5.0/24 force +C set [phase2-suite-from-2.2.2.0/24-to-5.5.5.0/24]:Protocols=phase2-protocol-from-2.2.2.0/24-to-5.5.5.0/24 force +C set [phase2-protocol-from-2.2.2.0/24-to-5.5.5.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-2.2.2.0/24-to-5.5.5.0/24]:Transforms=phase2-transform-from-2.2.2.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL 
force +C set [phase2-transform-from-2.2.2.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-2.2.2.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-2.2.2.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-2.2.2.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-2.2.2.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-2.2.2.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-2.2.2.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-2.2.2.0/24]:Network=2.2.2.0 force C set [from-2.2.2.0/24]:Netmask=255.255.255.0 force 
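Review bot: The expanded transforms pin `GROUP_DESCRIPTION=MODP_1024` for both phase 1 and the phase-2 PFS exchange, and `HASH_ALGORITHM=SHA` for phase 1, as expected output in this hunk, the preceding one and the remaining ike14.ok and ike15.ok hunks. The replaced suite names (`AES-SHA-RSA_SIG`, `QM-ESP-AES-SHA2-256-PFS-SUITE`) named no group, and the ike16.ok hunks show `MODP_3072` where the old name carried `GRP15`, so these look like ipsecctl's defaults rather than values set by the test input. A 1024-bit MODP group is considered too weak for new deployments, so the commit description should state that the fixtures record the defaults at the time of the sync, for example `regress: .ok files now show the default transforms (MODP_1024, SHA); regenerate if the defaults change`.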
@@ -25,14 +40,29 @@ C set [peer-1.1.1.1]:Phase=1 force C set [peer-1.1.1.1]:Address=1.1.1.1 force C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-2.2.2.0/24-to-6.6.6.0/24]:Phase=2 force C set [from-2.2.2.0/24-to-6.6.6.0/24]:ISAKMP-peer=peer-1.1.1.1 force C set [from-2.2.2.0/24-to-6.6.6.0/24]:Configuration=phase2-from-2.2.2.0/24-to-6.6.6.0/24 force C set [from-2.2.2.0/24-to-6.6.6.0/24]:Local-ID=from-2.2.2.0/24 force C set [from-2.2.2.0/24-to-6.6.6.0/24]:Remote-ID=to-6.6.6.0/24 force C set [phase2-from-2.2.2.0/24-to-6.6.6.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-2.2.2.0/24-to-6.6.6.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-2.2.2.0/24-to-6.6.6.0/24]:Suites=phase2-suite-from-2.2.2.0/24-to-6.6.6.0/24 force +C set [phase2-suite-from-2.2.2.0/24-to-6.6.6.0/24]:Protocols=phase2-protocol-from-2.2.2.0/24-to-6.6.6.0/24 force +C set [phase2-protocol-from-2.2.2.0/24-to-6.6.6.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set 
[phase2-protocol-from-2.2.2.0/24-to-6.6.6.0/24]:Transforms=phase2-transform-from-2.2.2.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-2.2.2.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-2.2.2.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-2.2.2.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-2.2.2.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-2.2.2.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-2.2.2.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-2.2.2.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-2.2.2.0/24]:Network=2.2.2.0 force C set [from-2.2.2.0/24]:Netmask=255.255.255.0 force 
@@ -45,14 +75,29 @@ C set [peer-1.1.1.1]:Phase=1 force C set [peer-1.1.1.1]:Address=1.1.1.1 force C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-2.2.2.0/24-to-7.7.7.0/24]:Phase=2 force C set [from-2.2.2.0/24-to-7.7.7.0/24]:ISAKMP-peer=peer-1.1.1.1 force C set [from-2.2.2.0/24-to-7.7.7.0/24]:Configuration=phase2-from-2.2.2.0/24-to-7.7.7.0/24 force C set [from-2.2.2.0/24-to-7.7.7.0/24]:Local-ID=from-2.2.2.0/24 force C set [from-2.2.2.0/24-to-7.7.7.0/24]:Remote-ID=to-7.7.7.0/24 force C set [phase2-from-2.2.2.0/24-to-7.7.7.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-2.2.2.0/24-to-7.7.7.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-2.2.2.0/24-to-7.7.7.0/24]:Suites=phase2-suite-from-2.2.2.0/24-to-7.7.7.0/24 force +C set [phase2-suite-from-2.2.2.0/24-to-7.7.7.0/24]:Protocols=phase2-protocol-from-2.2.2.0/24-to-7.7.7.0/24 force +C set [phase2-protocol-from-2.2.2.0/24-to-7.7.7.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set 
[phase2-protocol-from-2.2.2.0/24-to-7.7.7.0/24]:Transforms=phase2-transform-from-2.2.2.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-2.2.2.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-2.2.2.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-2.2.2.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-2.2.2.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-2.2.2.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-2.2.2.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-2.2.2.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-2.2.2.0/24]:Network=2.2.2.0 force C set [from-2.2.2.0/24]:Netmask=255.255.255.0 force 
@@ -65,14 +110,29 @@ C set [peer-1.1.1.1]:Phase=1 force C set [peer-1.1.1.1]:Address=1.1.1.1 force C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-3.3.3.0/24-to-5.5.5.0/24]:Phase=2 force C set [from-3.3.3.0/24-to-5.5.5.0/24]:ISAKMP-peer=peer-1.1.1.1 force C set [from-3.3.3.0/24-to-5.5.5.0/24]:Configuration=phase2-from-3.3.3.0/24-to-5.5.5.0/24 force C set [from-3.3.3.0/24-to-5.5.5.0/24]:Local-ID=from-3.3.3.0/24 force C set [from-3.3.3.0/24-to-5.5.5.0/24]:Remote-ID=to-5.5.5.0/24 force C set [phase2-from-3.3.3.0/24-to-5.5.5.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-3.3.3.0/24-to-5.5.5.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-3.3.3.0/24-to-5.5.5.0/24]:Suites=phase2-suite-from-3.3.3.0/24-to-5.5.5.0/24 force +C set [phase2-suite-from-3.3.3.0/24-to-5.5.5.0/24]:Protocols=phase2-protocol-from-3.3.3.0/24-to-5.5.5.0/24 force +C set [phase2-protocol-from-3.3.3.0/24-to-5.5.5.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set 
[phase2-protocol-from-3.3.3.0/24-to-5.5.5.0/24]:Transforms=phase2-transform-from-3.3.3.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-3.3.3.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-3.3.3.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-3.3.3.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-3.3.3.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-3.3.3.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-3.3.3.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-3.3.3.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-3.3.3.0/24]:Network=3.3.3.0 force C set [from-3.3.3.0/24]:Netmask=255.255.255.0 force 
@@ -85,14 +145,29 @@ C set [peer-1.1.1.1]:Phase=1 force C set [peer-1.1.1.1]:Address=1.1.1.1 force C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-3.3.3.0/24-to-6.6.6.0/24]:Phase=2 force C set [from-3.3.3.0/24-to-6.6.6.0/24]:ISAKMP-peer=peer-1.1.1.1 force C set [from-3.3.3.0/24-to-6.6.6.0/24]:Configuration=phase2-from-3.3.3.0/24-to-6.6.6.0/24 force C set [from-3.3.3.0/24-to-6.6.6.0/24]:Local-ID=from-3.3.3.0/24 force C set [from-3.3.3.0/24-to-6.6.6.0/24]:Remote-ID=to-6.6.6.0/24 force C set [phase2-from-3.3.3.0/24-to-6.6.6.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-3.3.3.0/24-to-6.6.6.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-3.3.3.0/24-to-6.6.6.0/24]:Suites=phase2-suite-from-3.3.3.0/24-to-6.6.6.0/24 force +C set [phase2-suite-from-3.3.3.0/24-to-6.6.6.0/24]:Protocols=phase2-protocol-from-3.3.3.0/24-to-6.6.6.0/24 force +C set [phase2-protocol-from-3.3.3.0/24-to-6.6.6.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set 
[phase2-protocol-from-3.3.3.0/24-to-6.6.6.0/24]:Transforms=phase2-transform-from-3.3.3.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-3.3.3.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-3.3.3.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-3.3.3.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-3.3.3.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-3.3.3.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-3.3.3.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-3.3.3.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-3.3.3.0/24]:Network=3.3.3.0 force C set [from-3.3.3.0/24]:Netmask=255.255.255.0 force 
@@ -105,14 +180,29 @@ C set [peer-1.1.1.1]:Phase=1 force C set [peer-1.1.1.1]:Address=1.1.1.1 force C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-3.3.3.0/24-to-7.7.7.0/24]:Phase=2 force C set [from-3.3.3.0/24-to-7.7.7.0/24]:ISAKMP-peer=peer-1.1.1.1 force C set [from-3.3.3.0/24-to-7.7.7.0/24]:Configuration=phase2-from-3.3.3.0/24-to-7.7.7.0/24 force C set [from-3.3.3.0/24-to-7.7.7.0/24]:Local-ID=from-3.3.3.0/24 force C set [from-3.3.3.0/24-to-7.7.7.0/24]:Remote-ID=to-7.7.7.0/24 force C set [phase2-from-3.3.3.0/24-to-7.7.7.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-3.3.3.0/24-to-7.7.7.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-3.3.3.0/24-to-7.7.7.0/24]:Suites=phase2-suite-from-3.3.3.0/24-to-7.7.7.0/24 force +C set [phase2-suite-from-3.3.3.0/24-to-7.7.7.0/24]:Protocols=phase2-protocol-from-3.3.3.0/24-to-7.7.7.0/24 force +C set [phase2-protocol-from-3.3.3.0/24-to-7.7.7.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set 
[phase2-protocol-from-3.3.3.0/24-to-7.7.7.0/24]:Transforms=phase2-transform-from-3.3.3.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-3.3.3.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-3.3.3.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-3.3.3.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-3.3.3.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-3.3.3.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-3.3.3.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-3.3.3.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-3.3.3.0/24]:Network=3.3.3.0 force C set [from-3.3.3.0/24]:Netmask=255.255.255.0 force 
@@ -125,14 +215,29 @@ C set [peer-1.1.1.1]:Phase=1 force C set [peer-1.1.1.1]:Address=1.1.1.1 force C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-4.4.4.0/24-to-5.5.5.0/24]:Phase=2 force C set [from-4.4.4.0/24-to-5.5.5.0/24]:ISAKMP-peer=peer-1.1.1.1 force C set [from-4.4.4.0/24-to-5.5.5.0/24]:Configuration=phase2-from-4.4.4.0/24-to-5.5.5.0/24 force C set [from-4.4.4.0/24-to-5.5.5.0/24]:Local-ID=from-4.4.4.0/24 force C set [from-4.4.4.0/24-to-5.5.5.0/24]:Remote-ID=to-5.5.5.0/24 force C set [phase2-from-4.4.4.0/24-to-5.5.5.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-4.4.4.0/24-to-5.5.5.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-4.4.4.0/24-to-5.5.5.0/24]:Suites=phase2-suite-from-4.4.4.0/24-to-5.5.5.0/24 force +C set [phase2-suite-from-4.4.4.0/24-to-5.5.5.0/24]:Protocols=phase2-protocol-from-4.4.4.0/24-to-5.5.5.0/24 force +C set [phase2-protocol-from-4.4.4.0/24-to-5.5.5.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set 
[phase2-protocol-from-4.4.4.0/24-to-5.5.5.0/24]:Transforms=phase2-transform-from-4.4.4.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-4.4.4.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-4.4.4.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-4.4.4.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-4.4.4.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-4.4.4.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-4.4.4.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-4.4.4.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-4.4.4.0/24]:Network=4.4.4.0 force C set [from-4.4.4.0/24]:Netmask=255.255.255.0 force 
@@ -145,14 +250,29 @@ C set [peer-1.1.1.1]:Phase=1 force C set [peer-1.1.1.1]:Address=1.1.1.1 force C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-4.4.4.0/24-to-6.6.6.0/24]:Phase=2 force C set [from-4.4.4.0/24-to-6.6.6.0/24]:ISAKMP-peer=peer-1.1.1.1 force C set [from-4.4.4.0/24-to-6.6.6.0/24]:Configuration=phase2-from-4.4.4.0/24-to-6.6.6.0/24 force C set [from-4.4.4.0/24-to-6.6.6.0/24]:Local-ID=from-4.4.4.0/24 force C set [from-4.4.4.0/24-to-6.6.6.0/24]:Remote-ID=to-6.6.6.0/24 force C set [phase2-from-4.4.4.0/24-to-6.6.6.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-4.4.4.0/24-to-6.6.6.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-4.4.4.0/24-to-6.6.6.0/24]:Suites=phase2-suite-from-4.4.4.0/24-to-6.6.6.0/24 force +C set [phase2-suite-from-4.4.4.0/24-to-6.6.6.0/24]:Protocols=phase2-protocol-from-4.4.4.0/24-to-6.6.6.0/24 force +C set [phase2-protocol-from-4.4.4.0/24-to-6.6.6.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set 
[phase2-protocol-from-4.4.4.0/24-to-6.6.6.0/24]:Transforms=phase2-transform-from-4.4.4.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-4.4.4.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-4.4.4.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-4.4.4.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-4.4.4.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-4.4.4.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-4.4.4.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-4.4.4.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-4.4.4.0/24]:Network=4.4.4.0 force C set [from-4.4.4.0/24]:Netmask=255.255.255.0 force 
@@ -165,14 +285,29 @@ C set [peer-1.1.1.1]:Phase=1 force C set [peer-1.1.1.1]:Address=1.1.1.1 force C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-4.4.4.0/24-to-7.7.7.0/24]:Phase=2 force C set [from-4.4.4.0/24-to-7.7.7.0/24]:ISAKMP-peer=peer-1.1.1.1 force C set [from-4.4.4.0/24-to-7.7.7.0/24]:Configuration=phase2-from-4.4.4.0/24-to-7.7.7.0/24 force C set [from-4.4.4.0/24-to-7.7.7.0/24]:Local-ID=from-4.4.4.0/24 force C set [from-4.4.4.0/24-to-7.7.7.0/24]:Remote-ID=to-7.7.7.0/24 force C set [phase2-from-4.4.4.0/24-to-7.7.7.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-4.4.4.0/24-to-7.7.7.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-4.4.4.0/24-to-7.7.7.0/24]:Suites=phase2-suite-from-4.4.4.0/24-to-7.7.7.0/24 force +C set [phase2-suite-from-4.4.4.0/24-to-7.7.7.0/24]:Protocols=phase2-protocol-from-4.4.4.0/24-to-7.7.7.0/24 force +C set [phase2-protocol-from-4.4.4.0/24-to-7.7.7.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set 
[phase2-protocol-from-4.4.4.0/24-to-7.7.7.0/24]:Transforms=phase2-transform-from-4.4.4.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-4.4.4.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-4.4.4.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-4.4.4.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-4.4.4.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-4.4.4.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-4.4.4.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-4.4.4.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-4.4.4.0/24]:Network=4.4.4.0 force C set [from-4.4.4.0/24]:Netmask=255.255.255.0 force diff --git a/regress/sbin/ipsecctl/ike15.ok b/regress/sbin/ipsecctl/ike15.ok index db08bff6467..333f86d8c0e 100644 --- a/regress/sbin/ipsecctl/ike15.ok +++ b/regress/sbin/ipsecctl/ike15.ok 
@@ -3,7 +3,13 @@ C set [peer-3ffe::1]:Phase=1 force
 C set [peer-3ffe::1]:Address=3ffe::1 force
 C set [peer-3ffe::1]:Configuration=phase1-peer-3ffe::1 force
 C set [phase1-peer-3ffe::1]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-3ffe::1]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-3ffe::1]:Transforms=phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [peer-3ffe::1]:ID=id-sharleena.as10.net force
 C set [id-sharleena.as10.net]:ID-type=FQDN force
 C set [id-sharleena.as10.net]:Name=sharleena.as10.net force
@@ -16,7 +22,16 @@ C set [from-10.1.1.0/24-to-10.1.2.0/24]:Configuration=phase2-from-10.1.1.0/24-to
 C set [from-10.1.1.0/24-to-10.1.2.0/24]:Local-ID=from-10.1.1.0/24 force
 C set [from-10.1.1.0/24-to-10.1.2.0/24]:Remote-ID=to-10.1.2.0/24 force
 C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24 force
+C set [phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24]:Protocols=phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24 force
+C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:Transforms=phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-10.1.1.0/24]:Network=10.1.1.0 force
 C set [from-10.1.1.0/24]:Netmask=255.255.255.0 force
diff --git a/regress/sbin/ipsecctl/ike16.ok b/regress/sbin/ipsecctl/ike16.ok
index ff6deccc8fd..0f189162083 100644
--- a/regress/sbin/ipsecctl/ike16.ok
+++ b/regress/sbin/ipsecctl/ike16.ok
@@ -3,7 +3,12 @@ C set [peer-3ffe::29]:Phase=1 force
 C set [peer-3ffe::29]:Address=3ffe::29 force
 C set [peer-3ffe::29]:Configuration=phase1-peer-3ffe::29 force
 C set [phase1-peer-3ffe::29]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-3ffe::29]:Transforms=3DES-SHA-GRP15-RSA_SIG force
+C add [phase1-peer-3ffe::29]:Transforms=phase1-transform-peer-3ffe::29-RSA_SIG-SHA-3DES-MODP_3072 force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-3DES-MODP_3072]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-3DES-MODP_3072]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-3DES-MODP_3072]:ENCRYPTION_ALGORITHM=3DES_CBC force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-3DES-MODP_3072]:GROUP_DESCRIPTION=MODP_3072 force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-3DES-MODP_3072]:Life=LIFE_MAIN_MODE force
 C set [peer-3ffe::29]:ID=id-sharleena.as10.net force
 C set [id-sharleena.as10.net]:ID-type=FQDN force
 C set [id-sharleena.as10.net]:Name=sharleena.as10.net force
@@ -16,7 +21,15 @@ C set [from-10.1.1.0/24-to-10.1.2.0/24]:Configuration=phase2-from-10.1.1.0/24-to
 C set [from-10.1.1.0/24-to-10.1.2.0/24]:Local-ID=from-10.1.1.0/24 force
 C set [from-10.1.1.0/24-to-10.1.2.0/24]:Remote-ID=to-10.1.2.0/24 force
 C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=QM-ESP-3DES-SHA-PFS-GRP15-SUITE force
+C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24 force
+C set [phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24]:Protocols=phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24 force
+C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:Transforms=phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-3DES-SHA-MODP_3072-TUNNEL force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-3DES-SHA-MODP_3072-TUNNEL]:TRANSFORM_ID=3DES force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-3DES-SHA-MODP_3072-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-3DES-SHA-MODP_3072-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-3DES-SHA-MODP_3072-TUNNEL]:GROUP_DESCRIPTION=MODP_3072 force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-3DES-SHA-MODP_3072-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-10.1.1.0/24]:Network=10.1.1.0 force
 C set [from-10.1.1.0/24]:Netmask=255.255.255.0 force
@@ -29,7 +42,13 @@ C set [peer-3ffe::29]:Phase=1 force
 C set [peer-3ffe::29]:Address=3ffe::29 force
 C set [peer-3ffe::29]:Configuration=phase1-peer-3ffe::29 force
 C set [phase1-peer-3ffe::29]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-3ffe::29]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C add [phase1-peer-3ffe::29]:Transforms=phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_3072 force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_3072]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_3072]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_3072]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_3072]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_3072]:GROUP_DESCRIPTION=MODP_3072 force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_3072]:Life=LIFE_MAIN_MODE force
 C set [peer-3ffe::29]:ID=id-sharleena.as10.net force
 C set [id-sharleena.as10.net]:ID-type=FQDN force
 C set [id-sharleena.as10.net]:Name=sharleena.as10.net force
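Review bot: The generated section name embeds the key-length list, so the value of `Transforms=` in this hunk contains a comma: `phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_3072`. `Transforms` is a list-valued tag, and if isakmpd splits that list on commas (to be confirmed against its list parser) the reference would resolve to two names, neither matching the section defined on the following lines, so the peer would presumably end up without the intended proposal. The fix belongs in the ipsecctl code that builds the name rather than in this fixture: keep the `128,128:256` range in `KEY_LENGTH=` only and name the section without it, for example `phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128-MODP_3072`. The same pattern appears in the phase-2 transform names of the next hunk and in every AES hunk for ike17.ok through ike22.ok below.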
@@ -42,7 +61,16 @@ C set [from-3ffe::51-to-3ffe::29]:Configuration=phase2-from-3ffe::51-to-3ffe::29
 C set [from-3ffe::51-to-3ffe::29]:Local-ID=from-3ffe::51 force
 C set [from-3ffe::51-to-3ffe::29]:Remote-ID=to-3ffe::29 force
 C set [phase2-from-3ffe::51-to-3ffe::29]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3ffe::51-to-3ffe::29]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [phase2-from-3ffe::51-to-3ffe::29]:Suites=phase2-suite-from-3ffe::51-to-3ffe::29 force
+C set [phase2-suite-from-3ffe::51-to-3ffe::29]:Protocols=phase2-protocol-from-3ffe::51-to-3ffe::29 force
+C set [phase2-protocol-from-3ffe::51-to-3ffe::29]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3ffe::51-to-3ffe::29]:Transforms=phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL]:GROUP_DESCRIPTION=MODP_3072 force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3ffe::51]:ID-type=IPV6_ADDR force
 C set [from-3ffe::51]:Address=3ffe::51 force
 C set [to-3ffe::29]:ID-type=IPV6_ADDR force
diff --git a/regress/sbin/ipsecctl/ike17.ok b/regress/sbin/ipsecctl/ike17.ok
index 1c92080f890..a43456aa0ac 100644
--- a/regress/sbin/ipsecctl/ike17.ok
+++ b/regress/sbin/ipsecctl/ike17.ok
@@ -3,14 +3,29 @@ C set [peer-3ffe::29]:Phase=1 force C set [peer-3ffe::29]:Address=3ffe::29 force C set [peer-3ffe::29]:Configuration=phase1-peer-3ffe::29 force C set [phase1-peer-3ffe::29]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-3ffe::29]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-3ffe::29]:Transforms=phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-10.1.1.0/24-to-10.1.2.0/24]:Phase=2 force C set [from-10.1.1.0/24-to-10.1.2.0/24]:ISAKMP-peer=peer-3ffe::29 force C set [from-10.1.1.0/24-to-10.1.2.0/24]:Configuration=phase2-from-10.1.1.0/24-to-10.1.2.0/24 force C set [from-10.1.1.0/24-to-10.1.2.0/24]:Local-ID=from-10.1.1.0/24 force C set [from-10.1.1.0/24-to-10.1.2.0/24]:Remote-ID=to-10.1.2.0/24 force C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24 force +C set [phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24]:Protocols=phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24 force +C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set 
[phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:Transforms=phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-10.1.1.0/24]:Network=10.1.1.0 force C set [from-10.1.1.0/24]:Netmask=255.255.255.0 force 
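Review bot: The expectation pins `GROUP_DESCRIPTION=MODP_1024` for both phase 1 and phase 2, although the removed suite names (`AES-SHA-RSA_SIG`, `QM-ESP-AES-SHA2-256-PFS-SUITE`) named no group, so this appears to be the implicit default when the rule sets none. A 1024-bit MODP group is weaker than the AES-128 keys it negotiates, and phase 1 also keeps `HASH_ALGORITHM=SHA` while phase 2 uses `HMAC_SHA2_256`. Since the expanded output now makes these defaults visible, it would help to record in the regress suite or commit log that they are carried over unchanged from the old named suites rather than newly chosen; ike16.ok shows that an explicitly configured group (`MODP_3072`) is emitted for both phases. The same defaults are pinned in the second ike17.ok hunk and in ike18.ok through ike22.ok.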
@@ -23,14 +38,29 @@ C set [peer-3ffe::29]:Phase=1 force C set [peer-3ffe::29]:Address=3ffe::29 force C set [peer-3ffe::29]:Configuration=phase1-peer-3ffe::29 force C set [phase1-peer-3ffe::29]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-3ffe::29]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-3ffe::29]:Transforms=phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-3ffe::51-to-3ffe::29]:Phase=2 force C set [from-3ffe::51-to-3ffe::29]:ISAKMP-peer=peer-3ffe::29 force C set [from-3ffe::51-to-3ffe::29]:Configuration=phase2-from-3ffe::51-to-3ffe::29 force C set [from-3ffe::51-to-3ffe::29]:Local-ID=from-3ffe::51 force C set [from-3ffe::51-to-3ffe::29]:Remote-ID=to-3ffe::29 force C set [phase2-from-3ffe::51-to-3ffe::29]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-3ffe::51-to-3ffe::29]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-3ffe::51-to-3ffe::29]:Suites=phase2-suite-from-3ffe::51-to-3ffe::29 force +C set [phase2-suite-from-3ffe::51-to-3ffe::29]:Protocols=phase2-protocol-from-3ffe::51-to-3ffe::29 force +C set [phase2-protocol-from-3ffe::51-to-3ffe::29]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-3ffe::51-to-3ffe::29]:Transforms=phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set 
[phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-3ffe::51]:ID-type=IPV6_ADDR force C set [from-3ffe::51]:Address=3ffe::51 force C set [to-3ffe::29]:ID-type=IPV6_ADDR force diff --git a/regress/sbin/ipsecctl/ike18.ok b/regress/sbin/ipsecctl/ike18.ok index f9cd33a4eda..0072cba47cc 100644 --- a/regress/sbin/ipsecctl/ike18.ok +++ b/regress/sbin/ipsecctl/ike18.ok 
@@ -3,14 +3,29 @@ C set [peer-3ffe::51]:Phase=1 force C set [peer-3ffe::51]:Address=3ffe::51 force C set [peer-3ffe::51]:Configuration=phase1-peer-3ffe::51 force C set [phase1-peer-3ffe::51]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-3ffe::51]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-3ffe::51]:Transforms=phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-10.1.2.0/24-to-10.1.1.0/24]:Phase=2 force C set [from-10.1.2.0/24-to-10.1.1.0/24]:ISAKMP-peer=peer-3ffe::51 force C set [from-10.1.2.0/24-to-10.1.1.0/24]:Configuration=phase2-from-10.1.2.0/24-to-10.1.1.0/24 force C set [from-10.1.2.0/24-to-10.1.1.0/24]:Local-ID=from-10.1.2.0/24 force C set [from-10.1.2.0/24-to-10.1.1.0/24]:Remote-ID=to-10.1.1.0/24 force C set [phase2-from-10.1.2.0/24-to-10.1.1.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-10.1.2.0/24-to-10.1.1.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-10.1.2.0/24-to-10.1.1.0/24]:Suites=phase2-suite-from-10.1.2.0/24-to-10.1.1.0/24 force +C set [phase2-suite-from-10.1.2.0/24-to-10.1.1.0/24]:Protocols=phase2-protocol-from-10.1.2.0/24-to-10.1.1.0/24 force +C set [phase2-protocol-from-10.1.2.0/24-to-10.1.1.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set 
[phase2-protocol-from-10.1.2.0/24-to-10.1.1.0/24]:Transforms=phase2-transform-from-10.1.2.0/24-to-10.1.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-10.1.2.0/24-to-10.1.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-10.1.2.0/24-to-10.1.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-10.1.2.0/24-to-10.1.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-10.1.2.0/24-to-10.1.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-10.1.2.0/24-to-10.1.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-10.1.2.0/24-to-10.1.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-10.1.2.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-10.1.2.0/24]:Network=10.1.2.0 force C set [from-10.1.2.0/24]:Netmask=255.255.255.0 force 
@@ -23,14 +38,29 @@ C set [peer-3ffe::51]:Phase=1 force C set [peer-3ffe::51]:Address=3ffe::51 force C set [peer-3ffe::51]:Configuration=phase1-peer-3ffe::51 force C set [phase1-peer-3ffe::51]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-3ffe::51]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-3ffe::51]:Transforms=phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-3ffe::29-to-3ffe::51]:Phase=2 force C set [from-3ffe::29-to-3ffe::51]:ISAKMP-peer=peer-3ffe::51 force C set [from-3ffe::29-to-3ffe::51]:Configuration=phase2-from-3ffe::29-to-3ffe::51 force C set [from-3ffe::29-to-3ffe::51]:Local-ID=from-3ffe::29 force C set [from-3ffe::29-to-3ffe::51]:Remote-ID=to-3ffe::51 force C set [phase2-from-3ffe::29-to-3ffe::51]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-3ffe::29-to-3ffe::51]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-3ffe::29-to-3ffe::51]:Suites=phase2-suite-from-3ffe::29-to-3ffe::51 force +C set [phase2-suite-from-3ffe::29-to-3ffe::51]:Protocols=phase2-protocol-from-3ffe::29-to-3ffe::51 force +C set [phase2-protocol-from-3ffe::29-to-3ffe::51]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-3ffe::29-to-3ffe::51]:Transforms=phase2-transform-from-3ffe::29-to-3ffe::51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set 
[phase2-transform-from-3ffe::29-to-3ffe::51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-3ffe::29-to-3ffe::51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-3ffe::29-to-3ffe::51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-3ffe::29-to-3ffe::51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-3ffe::29-to-3ffe::51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-3ffe::29-to-3ffe::51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-3ffe::29]:ID-type=IPV6_ADDR force C set [from-3ffe::29]:Address=3ffe::29 force C set [to-3ffe::51]:ID-type=IPV6_ADDR force diff --git a/regress/sbin/ipsecctl/ike19.ok b/regress/sbin/ipsecctl/ike19.ok index fd7c14810b3..87b85622004 100644 --- a/regress/sbin/ipsecctl/ike19.ok +++ b/regress/sbin/ipsecctl/ike19.ok 
@@ -3,14 +3,29 @@ C set [peer-3ffe::1]:Phase=1 force C set [peer-3ffe::1]:Address=3ffe::1 force C set [peer-3ffe::1]:Configuration=phase1-peer-3ffe::1 force C set [phase1-peer-3ffe::1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-3ffe::1]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-3ffe::1]:Transforms=phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-1.1.1.1-to-0.0.0.0/0]:Phase=2 force C set [from-1.1.1.1-to-0.0.0.0/0]:ISAKMP-peer=peer-3ffe::1 force C set [from-1.1.1.1-to-0.0.0.0/0]:Configuration=phase2-from-1.1.1.1-to-0.0.0.0/0 force C set [from-1.1.1.1-to-0.0.0.0/0]:Local-ID=from-1.1.1.1 force C set [from-1.1.1.1-to-0.0.0.0/0]:Remote-ID=to-0.0.0.0/0 force C set [phase2-from-1.1.1.1-to-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-1.1.1.1-to-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-1.1.1.1-to-0.0.0.0/0]:Suites=phase2-suite-from-1.1.1.1-to-0.0.0.0/0 force +C set [phase2-suite-from-1.1.1.1-to-0.0.0.0/0]:Protocols=phase2-protocol-from-1.1.1.1-to-0.0.0.0/0 force +C set [phase2-protocol-from-1.1.1.1-to-0.0.0.0/0]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-1.1.1.1-to-0.0.0.0/0]:Transforms=phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set 
[phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-1.1.1.1]:ID-type=IPV4_ADDR force C set [from-1.1.1.1]:Address=1.1.1.1 force C set [to-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force diff --git a/regress/sbin/ipsecctl/ike2.ok b/regress/sbin/ipsecctl/ike2.ok index ea58311e666..d57ec668691 100644 --- a/regress/sbin/ipsecctl/ike2.ok +++ b/regress/sbin/ipsecctl/ike2.ok 
@@ -3,14 +3,29 @@ C set [peer-131.188.33.29]:Phase=1 force C set [peer-131.188.33.29]:Address=131.188.33.29 force C set [peer-131.188.33.29]:Configuration=phase1-peer-131.188.33.29 force C set [phase1-peer-131.188.33.29]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-131.188.33.29]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-131.188.33.29]:Transforms=phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-10.1.1.0/24-to-10.1.2.0/24]:Phase=2 force C set [from-10.1.1.0/24-to-10.1.2.0/24]:ISAKMP-peer=peer-131.188.33.29 force C set [from-10.1.1.0/24-to-10.1.2.0/24]:Configuration=phase2-from-10.1.1.0/24-to-10.1.2.0/24 force C set [from-10.1.1.0/24-to-10.1.2.0/24]:Local-ID=from-10.1.1.0/24 force C set [from-10.1.1.0/24-to-10.1.2.0/24]:Remote-ID=to-10.1.2.0/24 force C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24 force +C set [phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24]:Protocols=phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24 force +C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set 
[phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:Transforms=phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-10.1.1.0/24]:Network=10.1.1.0 force C set [from-10.1.1.0/24]:Netmask=255.255.255.0 force diff --git a/regress/sbin/ipsecctl/ike20.ok b/regress/sbin/ipsecctl/ike20.ok index ff637adcfe1..cc33c77f4e0 100644 --- a/regress/sbin/ipsecctl/ike20.ok +++ b/regress/sbin/ipsecctl/ike20.ok 
@@ -4,14 +4,29 @@ C set [peer-192.168.3.1-local-192.168.3.2]:Address=192.168.3.1 force C set [peer-192.168.3.1-local-192.168.3.2]:Local-address=192.168.3.2 force C set [peer-192.168.3.1-local-192.168.3.2]:Configuration=phase1-peer-192.168.3.1-local-192.168.3.2 force C set [phase1-peer-192.168.3.1-local-192.168.3.2]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-192.168.3.1-local-192.168.3.2]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-192.168.3.1-local-192.168.3.2]:Transforms=phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-1.1.1.1-to-0.0.0.0/0]:Phase=2 force C set [from-1.1.1.1-to-0.0.0.0/0]:ISAKMP-peer=peer-192.168.3.1-local-192.168.3.2 force C set [from-1.1.1.1-to-0.0.0.0/0]:Configuration=phase2-from-1.1.1.1-to-0.0.0.0/0 force C set [from-1.1.1.1-to-0.0.0.0/0]:Local-ID=from-1.1.1.1 force C set [from-1.1.1.1-to-0.0.0.0/0]:Remote-ID=to-0.0.0.0/0 force C set [phase2-from-1.1.1.1-to-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-1.1.1.1-to-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-1.1.1.1-to-0.0.0.0/0]:Suites=phase2-suite-from-1.1.1.1-to-0.0.0.0/0 force +C set 
[phase2-suite-from-1.1.1.1-to-0.0.0.0/0]:Protocols=phase2-protocol-from-1.1.1.1-to-0.0.0.0/0 force +C set [phase2-protocol-from-1.1.1.1-to-0.0.0.0/0]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-1.1.1.1-to-0.0.0.0/0]:Transforms=phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-1.1.1.1]:ID-type=IPV4_ADDR force C set [from-1.1.1.1]:Address=1.1.1.1 force C set [to-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force 
@@ -24,14 +39,29 @@ C set [peer-192.168.3.1-local-192.168.3.2]:Address=192.168.3.1 force C set [peer-192.168.3.1-local-192.168.3.2]:Local-address=192.168.3.2 force C set [peer-192.168.3.1-local-192.168.3.2]:Configuration=phase1-peer-192.168.3.1-local-192.168.3.2 force C set [phase1-peer-192.168.3.1-local-192.168.3.2]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-192.168.3.1-local-192.168.3.2]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-192.168.3.1-local-192.168.3.2]:Transforms=phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-192.168.3.1-local-192.168.3.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-1.1.1.1-to-0.0.0.0/0]:Phase=2 force C set [from-1.1.1.1-to-0.0.0.0/0]:ISAKMP-peer=peer-192.168.3.1-local-192.168.3.2 force C set [from-1.1.1.1-to-0.0.0.0/0]:Configuration=phase2-from-1.1.1.1-to-0.0.0.0/0 force C set [from-1.1.1.1-to-0.0.0.0/0]:Local-ID=from-1.1.1.1 force C set [from-1.1.1.1-to-0.0.0.0/0]:Remote-ID=to-0.0.0.0/0 force C set [phase2-from-1.1.1.1-to-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-1.1.1.1-to-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-1.1.1.1-to-0.0.0.0/0]:Suites=phase2-suite-from-1.1.1.1-to-0.0.0.0/0 force +C set 
[phase2-suite-from-1.1.1.1-to-0.0.0.0/0]:Protocols=phase2-protocol-from-1.1.1.1-to-0.0.0.0/0 force +C set [phase2-protocol-from-1.1.1.1-to-0.0.0.0/0]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-1.1.1.1-to-0.0.0.0/0]:Transforms=phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-1.1.1.1]:ID-type=IPV4_ADDR force C set [from-1.1.1.1]:Address=1.1.1.1 force C set [to-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force diff --git a/regress/sbin/ipsecctl/ike21.ok b/regress/sbin/ipsecctl/ike21.ok index 4767206f21b..82129e7b32b 100644 --- a/regress/sbin/ipsecctl/ike21.ok +++ b/regress/sbin/ipsecctl/ike21.ok 
@@ -3,14 +3,29 @@ C set [peer-3ffe::2]:Phase=1 force C set [peer-3ffe::2]:Address=3ffe::2 force C set [peer-3ffe::2]:Configuration=phase1-peer-3ffe::2 force C set [phase1-peer-3ffe::2]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-3ffe::2]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-3ffe::2]:Transforms=phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-3ffe::1-to-3ffe::2]:Phase=2 force C set [from-3ffe::1-to-3ffe::2]:ISAKMP-peer=peer-3ffe::2 force C set [from-3ffe::1-to-3ffe::2]:Configuration=phase2-from-3ffe::1-to-3ffe::2 force C set [from-3ffe::1-to-3ffe::2]:Local-ID=from-3ffe::1 force C set [from-3ffe::1-to-3ffe::2]:Remote-ID=to-3ffe::2 force C set [phase2-from-3ffe::1-to-3ffe::2]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-3ffe::1-to-3ffe::2]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-3ffe::1-to-3ffe::2]:Suites=phase2-suite-from-3ffe::1-to-3ffe::2 force +C set [phase2-suite-from-3ffe::1-to-3ffe::2]:Protocols=phase2-protocol-from-3ffe::1-to-3ffe::2 force +C set [phase2-protocol-from-3ffe::1-to-3ffe::2]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-3ffe::1-to-3ffe::2]:Transforms=phase2-transform-from-3ffe::1-to-3ffe::2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set 
[phase2-transform-from-3ffe::1-to-3ffe::2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-3ffe::1-to-3ffe::2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-3ffe::1-to-3ffe::2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-3ffe::1-to-3ffe::2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-3ffe::1-to-3ffe::2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-3ffe::1-to-3ffe::2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-3ffe::1]:ID-type=IPV6_ADDR force C set [from-3ffe::1]:Address=3ffe::1 force C set [to-3ffe::2]:ID-type=IPV6_ADDR force diff --git a/regress/sbin/ipsecctl/ike22.ok b/regress/sbin/ipsecctl/ike22.ok index e037df8f198..fd79a87762a 100644 --- a/regress/sbin/ipsecctl/ike22.ok +++ b/regress/sbin/ipsecctl/ike22.ok 
@@ -3,14 +3,29 @@ C set [peer-3ffe::1]:Phase=1 force
 C set [peer-3ffe::1]:Address=3ffe::1 force
 C set [peer-3ffe::1]:Configuration=phase1-peer-3ffe::1 force
 C set [phase1-peer-3ffe::1]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-3ffe::1]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-3ffe::1]:Transforms=phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-10.1.1.0/24-to-10.1.2.0/24]:Phase=2 force
 C set [from-10.1.1.0/24-to-10.1.2.0/24]:ISAKMP-peer=peer-3ffe::1 force
 C set [from-10.1.1.0/24-to-10.1.2.0/24]:Configuration=phase2-from-10.1.1.0/24-to-10.1.2.0/24 force
 C set [from-10.1.1.0/24-to-10.1.2.0/24]:Local-ID=from-10.1.1.0/24 force
 C set [from-10.1.1.0/24-to-10.1.2.0/24]:Remote-ID=to-10.1.2.0/24 force
 C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24 force
+C set [phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24]:Protocols=phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24 force
+C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:Transforms=phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-10.1.1.0/24]:Network=10.1.1.0 force
 C set [from-10.1.1.0/24]:Netmask=255.255.255.0 force
diff --git a/regress/sbin/ipsecctl/ike23.ok b/regress/sbin/ipsecctl/ike23.ok
index 00c58f8e05f..c8383af0264 100644
--- a/regress/sbin/ipsecctl/ike23.ok
+++ b/regress/sbin/ipsecctl/ike23.ok
@@ -3,7 +3,13 @@ C set [peer-3ffe::29]:Phase=1 force
 C set [peer-3ffe::29]:Address=3ffe::29 force
 C set [peer-3ffe::29]:Configuration=phase1-peer-3ffe::29 force
 C set [phase1-peer-3ffe::29]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-3ffe::29]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-3ffe::29]:Transforms=phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [peer-3ffe::29]:ID=id-sharleena.as10.net force
 C set [id-sharleena.as10.net]:ID-type=FQDN force
 C set [id-sharleena.as10.net]:Name=sharleena.as10.net force
@@ -16,7 +22,16 @@ C set [from-3ffe::51-to-3ffe::29]:Configuration=phase2-from-3ffe::51-to-3ffe::29
 C set [from-3ffe::51-to-3ffe::29]:Local-ID=from-3ffe::51 force
 C set [from-3ffe::51-to-3ffe::29]:Remote-ID=to-3ffe::29 force
 C set [phase2-from-3ffe::51-to-3ffe::29]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3ffe::51-to-3ffe::29]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3ffe::51-to-3ffe::29]:Suites=phase2-suite-from-3ffe::51-to-3ffe::29 force
+C set [phase2-suite-from-3ffe::51-to-3ffe::29]:Protocols=phase2-protocol-from-3ffe::51-to-3ffe::29 force
+C set [phase2-protocol-from-3ffe::51-to-3ffe::29]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3ffe::51-to-3ffe::29]:Transforms=phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3ffe::51]:ID-type=IPV6_ADDR force
 C set [from-3ffe::51]:Address=3ffe::51 force
 C set [to-3ffe::29]:ID-type=IPV6_ADDR force
diff --git a/regress/sbin/ipsecctl/ike29.ok b/regress/sbin/ipsecctl/ike29.ok
index e0ac9d528ff..97d7d1c4e7d 100644
--- a/regress/sbin/ipsecctl/ike29.ok
+++ b/regress/sbin/ipsecctl/ike29.ok
@@ -5,7 +5,13 @@ C set [peer-3ffe:2::1]:Phase=1 force
 C set [peer-3ffe:2::1]:Address=3ffe:2::1 force
 C set [peer-3ffe:2::1]:Configuration=phase1-peer-3ffe:2::1 force
 C set [phase1-peer-3ffe:2::1]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-3ffe:2::1]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-3ffe:2::1]:Transforms=phase1-transform-peer-3ffe:2::1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-3ffe:2::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-3ffe:2::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-3ffe:2::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-3ffe:2::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-3ffe:2::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-3ffe:2::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [peer-3ffe:2::1]:ID=id-noname.my.domain force
 C set [id-noname.my.domain]:ID-type=FQDN force
 C set [id-noname.my.domain]:Name=noname.my.domain force
@@ -15,7 +21,16 @@ C set [from-3ffe:3::/64-to-3ffe:4::/64]:Configuration=phase2-from-3ffe:3::/64-to
 C set [from-3ffe:3::/64-to-3ffe:4::/64]:Local-ID=from-3ffe:3::/64 force
 C set [from-3ffe:3::/64-to-3ffe:4::/64]:Remote-ID=to-3ffe:4::/64 force
 C set [phase2-from-3ffe:3::/64-to-3ffe:4::/64]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3ffe:3::/64-to-3ffe:4::/64]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3ffe:3::/64-to-3ffe:4::/64]:Suites=phase2-suite-from-3ffe:3::/64-to-3ffe:4::/64 force
+C set [phase2-suite-from-3ffe:3::/64-to-3ffe:4::/64]:Protocols=phase2-protocol-from-3ffe:3::/64-to-3ffe:4::/64 force
+C set [phase2-protocol-from-3ffe:3::/64-to-3ffe:4::/64]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3ffe:3::/64-to-3ffe:4::/64]:Transforms=phase2-transform-from-3ffe:3::/64-to-3ffe:4::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3ffe:3::/64-to-3ffe:4::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3ffe:3::/64-to-3ffe:4::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3ffe:3::/64-to-3ffe:4::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3ffe:3::/64-to-3ffe:4::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3ffe:3::/64-to-3ffe:4::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3ffe:3::/64-to-3ffe:4::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3ffe:3::/64]:ID-type=IPV6_ADDR_SUBNET force
 C set [from-3ffe:3::/64]:Network=3ffe:3:: force
 C set [from-3ffe:3::/64]:Netmask=ffff:ffff:ffff:ffff:: force
diff --git a/regress/sbin/ipsecctl/ike3.ok b/regress/sbin/ipsecctl/ike3.ok
index 0c8bc8eb764..7a330295d00 100644
--- a/regress/sbin/ipsecctl/ike3.ok
+++ b/regress/sbin/ipsecctl/ike3.ok
@@ -3,7 +3,13 @@ C set [peer-131.188.33.29]:Phase=1 force
 C set [peer-131.188.33.29]:Address=131.188.33.29 force
 C set [peer-131.188.33.29]:Configuration=phase1-peer-131.188.33.29 force
 C set [phase1-peer-131.188.33.29]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-131.188.33.29]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-131.188.33.29]:Transforms=phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [peer-131.188.33.29]:ID=id-sharleena.as10.net force
 C set [id-sharleena.as10.net]:ID-type=FQDN force
 C set [id-sharleena.as10.net]:Name=sharleena.as10.net force
@@ -16,7 +22,16 @@ C set [from-131.188.33.51-to-131.188.33.29]:Configuration=phase2-from-131.188.33
 C set [from-131.188.33.51-to-131.188.33.29]:Local-ID=from-131.188.33.51 force
 C set [from-131.188.33.51-to-131.188.33.29]:Remote-ID=to-131.188.33.29 force
 C set [phase2-from-131.188.33.51-to-131.188.33.29]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-131.188.33.51-to-131.188.33.29]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-131.188.33.51-to-131.188.33.29]:Suites=phase2-suite-from-131.188.33.51-to-131.188.33.29 force
+C set [phase2-suite-from-131.188.33.51-to-131.188.33.29]:Protocols=phase2-protocol-from-131.188.33.51-to-131.188.33.29 force
+C set [phase2-protocol-from-131.188.33.51-to-131.188.33.29]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-131.188.33.51-to-131.188.33.29]:Transforms=phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-131.188.33.51]:ID-type=IPV4_ADDR force
 C set [from-131.188.33.51]:Address=131.188.33.51 force
 C set [to-131.188.33.29]:ID-type=IPV4_ADDR force
diff --git a/regress/sbin/ipsecctl/ike30.ok b/regress/sbin/ipsecctl/ike30.ok
index 297f4293c9e..c3e572ecf06 100644
--- a/regress/sbin/ipsecctl/ike30.ok
+++ b/regress/sbin/ipsecctl/ike30.ok
@@ -3,14 +3,29 @@ C set [peer-3ffe::2]:Phase=1 force
 C set [peer-3ffe::2]:Address=3ffe::2 force
 C set [peer-3ffe::2]:Configuration=phase1-peer-3ffe::2 force
 C set [phase1-peer-3ffe::2]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-3ffe::2]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-3ffe::2]:Transforms=phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-3ffe::1=97-to-3ffe::2=97]:Phase=2 force
 C set [from-3ffe::1=97-to-3ffe::2=97]:ISAKMP-peer=peer-3ffe::2 force
 C set [from-3ffe::1=97-to-3ffe::2=97]:Configuration=phase2-from-3ffe::1=97-to-3ffe::2=97 force
 C set [from-3ffe::1=97-to-3ffe::2=97]:Local-ID=from-3ffe::1=97 force
 C set [from-3ffe::1=97-to-3ffe::2=97]:Remote-ID=to-3ffe::2=97 force
 C set [phase2-from-3ffe::1=97-to-3ffe::2=97]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3ffe::1=97-to-3ffe::2=97]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3ffe::1=97-to-3ffe::2=97]:Suites=phase2-suite-from-3ffe::1=97-to-3ffe::2=97 force
+C set [phase2-suite-from-3ffe::1=97-to-3ffe::2=97]:Protocols=phase2-protocol-from-3ffe::1=97-to-3ffe::2=97 force
+C set [phase2-protocol-from-3ffe::1=97-to-3ffe::2=97]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3ffe::1=97-to-3ffe::2=97]:Transforms=phase2-transform-from-3ffe::1=97-to-3ffe::2=97-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3ffe::1=97-to-3ffe::2=97-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3ffe::1=97-to-3ffe::2=97-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3ffe::1=97-to-3ffe::2=97-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3ffe::1=97-to-3ffe::2=97-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3ffe::1=97-to-3ffe::2=97-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3ffe::1=97-to-3ffe::2=97-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3ffe::1=97]:ID-type=IPV6_ADDR force
 C set [from-3ffe::1=97]:Address=3ffe::1 force
 C set [to-3ffe::2=97]:ID-type=IPV6_ADDR force
diff --git a/regress/sbin/ipsecctl/ike31.ok b/regress/sbin/ipsecctl/ike31.ok
index eee8b862e70..ca4dc31573e 100644
--- a/regress/sbin/ipsecctl/ike31.ok
+++ b/regress/sbin/ipsecctl/ike31.ok
@@ -3,14 +3,29 @@ C set [peer-3ffe::1]:Phase=1 force
 C set [peer-3ffe::1]:Address=3ffe::1 force
 C set [peer-3ffe::1]:Configuration=phase1-peer-3ffe::1 force
 C set [phase1-peer-3ffe::1]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-3ffe::1]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-3ffe::1]:Transforms=phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-3ffe:2::1-to-::/0]:Phase=2 force
 C set [from-3ffe:2::1-to-::/0]:ISAKMP-peer=peer-3ffe::1 force
 C set [from-3ffe:2::1-to-::/0]:Configuration=phase2-from-3ffe:2::1-to-::/0 force
 C set [from-3ffe:2::1-to-::/0]:Local-ID=from-3ffe:2::1 force
 C set [from-3ffe:2::1-to-::/0]:Remote-ID=to-::/0 force
 C set [phase2-from-3ffe:2::1-to-::/0]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3ffe:2::1-to-::/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3ffe:2::1-to-::/0]:Suites=phase2-suite-from-3ffe:2::1-to-::/0 force
+C set [phase2-suite-from-3ffe:2::1-to-::/0]:Protocols=phase2-protocol-from-3ffe:2::1-to-::/0 force
+C set [phase2-protocol-from-3ffe:2::1-to-::/0]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3ffe:2::1-to-::/0]:Transforms=phase2-transform-from-3ffe:2::1-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3ffe:2::1-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3ffe:2::1-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3ffe:2::1-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3ffe:2::1-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3ffe:2::1-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3ffe:2::1-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3ffe:2::1]:ID-type=IPV6_ADDR force
 C set [from-3ffe:2::1]:Address=3ffe:2::1 force
 C set [to-::/0]:ID-type=IPV6_ADDR_SUBNET force
diff --git a/regress/sbin/ipsecctl/ike32.ok b/regress/sbin/ipsecctl/ike32.ok
index d2512e43795..887452b5689 100644
--- a/regress/sbin/ipsecctl/ike32.ok
+++ b/regress/sbin/ipsecctl/ike32.ok
@@ -1,17 +1,33 @@
-C set [General]:Default-phase-2-lifetime=1200 force
 C set [Phase 1]:2.2.2.2=peer-2.2.2.2 force
 C set [peer-2.2.2.2]:Phase=1 force
 C set [peer-2.2.2.2]:Address=2.2.2.2 force
 C set [peer-2.2.2.2]:Configuration=phase1-peer-2.2.2.2 force
 C set [phase1-peer-2.2.2.2]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-2.2.2.2]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-2.2.2.2]:Transforms=phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-1.1.1.1-to-2.2.2.2]:Phase=2 force
 C set [from-1.1.1.1-to-2.2.2.2]:ISAKMP-peer=peer-2.2.2.2 force
 C set [from-1.1.1.1-to-2.2.2.2]:Configuration=phase2-from-1.1.1.1-to-2.2.2.2 force
 C set [from-1.1.1.1-to-2.2.2.2]:Local-ID=from-1.1.1.1 force
 C set [from-1.1.1.1-to-2.2.2.2]:Remote-ID=to-2.2.2.2 force
 C set [phase2-from-1.1.1.1-to-2.2.2.2]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-1.1.1.1-to-2.2.2.2]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-1.1.1.1-to-2.2.2.2]:Suites=phase2-suite-from-1.1.1.1-to-2.2.2.2 force
+C set [phase2-suite-from-1.1.1.1-to-2.2.2.2]:Protocols=phase2-protocol-from-1.1.1.1-to-2.2.2.2 force
+C set [phase2-protocol-from-1.1.1.1-to-2.2.2.2]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-1.1.1.1-to-2.2.2.2]:Transforms=phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL-life force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL-life]:LIFE_TYPE=SECONDS force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL-life]:LIFE_DURATION=1200 force
 C set [from-1.1.1.1]:ID-type=IPV4_ADDR force
 C set [from-1.1.1.1]:Address=1.1.1.1 force
 C set [to-2.2.2.2]:ID-type=IPV4_ADDR force
diff --git a/regress/sbin/ipsecctl/ike33.ok b/regress/sbin/ipsecctl/ike33.ok
index a26b9bbec77..c0770218246 100644
--- a/regress/sbin/ipsecctl/ike33.ok
+++ b/regress/sbin/ipsecctl/ike33.ok
@@ -1,17 +1,33 @@
-C set [General]:Default-phase-1-lifetime=3600 force
 C set [Phase 1]:2.2.2.2=peer-2.2.2.2 force
 C set [peer-2.2.2.2]:Phase=1 force
 C set [peer-2.2.2.2]:Address=2.2.2.2 force
 C set [peer-2.2.2.2]:Configuration=phase1-peer-2.2.2.2 force
 C set [phase1-peer-2.2.2.2]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-2.2.2.2]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-2.2.2.2]:Transforms=phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024-life force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024-life]:LIFE_TYPE=SECONDS force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024-life]:LIFE_DURATION=3600 force
 C set [from-1.1.1.1-to-2.2.2.2]:Phase=2 force
 C set [from-1.1.1.1-to-2.2.2.2]:ISAKMP-peer=peer-2.2.2.2 force
 C set [from-1.1.1.1-to-2.2.2.2]:Configuration=phase2-from-1.1.1.1-to-2.2.2.2 force
 C set [from-1.1.1.1-to-2.2.2.2]:Local-ID=from-1.1.1.1 force
 C set [from-1.1.1.1-to-2.2.2.2]:Remote-ID=to-2.2.2.2 force
 C set [phase2-from-1.1.1.1-to-2.2.2.2]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-1.1.1.1-to-2.2.2.2]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-1.1.1.1-to-2.2.2.2]:Suites=phase2-suite-from-1.1.1.1-to-2.2.2.2 force
+C set [phase2-suite-from-1.1.1.1-to-2.2.2.2]:Protocols=phase2-protocol-from-1.1.1.1-to-2.2.2.2 force
+C set [phase2-protocol-from-1.1.1.1-to-2.2.2.2]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-1.1.1.1-to-2.2.2.2]:Transforms=phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-1.1.1.1]:ID-type=IPV4_ADDR force
 C set [from-1.1.1.1]:Address=1.1.1.1 force
 C set [to-2.2.2.2]:ID-type=IPV4_ADDR force
diff --git a/regress/sbin/ipsecctl/ike34.ok b/regress/sbin/ipsecctl/ike34.ok
index d235efec245..ec8c1b60f07 100644
--- a/regress/sbin/ipsecctl/ike34.ok
+++ b/regress/sbin/ipsecctl/ike34.ok
@@ -3,14 +3,29 @@ C set [peer-1.2.3.4]:Phase=1 force
 C set [peer-1.2.3.4]:Address=1.2.3.4 force
 C set [peer-1.2.3.4]:Configuration=phase1-peer-1.2.3.4 force
 C set [phase1-peer-1.2.3.4]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-1.2.3.4]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-1.2.3.4]:Transforms=phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-3ffe::1/24-to-3ffe:2::/24]:Phase=2 force
 C set [from-3ffe::1/24-to-3ffe:2::/24]:ISAKMP-peer=peer-1.2.3.4 force
 C set [from-3ffe::1/24-to-3ffe:2::/24]:Configuration=phase2-from-3ffe::1/24-to-3ffe:2::/24 force
 C set [from-3ffe::1/24-to-3ffe:2::/24]:Local-ID=from-3ffe::1/24 force
 C set [from-3ffe::1/24-to-3ffe:2::/24]:Remote-ID=to-3ffe:2::/24 force
 C set [phase2-from-3ffe::1/24-to-3ffe:2::/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3ffe::1/24-to-3ffe:2::/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3ffe::1/24-to-3ffe:2::/24]:Suites=phase2-suite-from-3ffe::1/24-to-3ffe:2::/24 force
+C set [phase2-suite-from-3ffe::1/24-to-3ffe:2::/24]:Protocols=phase2-protocol-from-3ffe::1/24-to-3ffe:2::/24 force
+C set [phase2-protocol-from-3ffe::1/24-to-3ffe:2::/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3ffe::1/24-to-3ffe:2::/24]:Transforms=phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3ffe::1/24]:ID-type=IPV6_ADDR_SUBNET force
 C set [from-3ffe::1/24]:Network=3ffe::1 force
 C set [from-3ffe::1/24]:Netmask=ffff:ff00:: force
diff --git a/regress/sbin/ipsecctl/ike35.ok b/regress/sbin/ipsecctl/ike35.ok
index d74993925f9..fe824b483a5 100644
--- a/regress/sbin/ipsecctl/ike35.ok
+++ b/regress/sbin/ipsecctl/ike35.ok
@@ -3,14 +3,29 @@ C set [peer-1.2.3.4]:Phase=1 force
 C set [peer-1.2.3.4]:Address=1.2.3.4 force
 C set [peer-1.2.3.4]:Configuration=phase1-peer-1.2.3.4 force
 C set [phase1-peer-1.2.3.4]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-1.2.3.4]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-1.2.3.4]:Transforms=phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-3ffe:2::/24-to-3ffe::1/24]:Phase=2 force
 C set [from-3ffe:2::/24-to-3ffe::1/24]:ISAKMP-peer=peer-1.2.3.4 force
 C set [from-3ffe:2::/24-to-3ffe::1/24]:Configuration=phase2-from-3ffe:2::/24-to-3ffe::1/24 force
 C set [from-3ffe:2::/24-to-3ffe::1/24]:Local-ID=from-3ffe:2::/24 force
 C set [from-3ffe:2::/24-to-3ffe::1/24]:Remote-ID=to-3ffe::1/24 force
 C set [phase2-from-3ffe:2::/24-to-3ffe::1/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3ffe:2::/24-to-3ffe::1/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3ffe:2::/24-to-3ffe::1/24]:Suites=phase2-suite-from-3ffe:2::/24-to-3ffe::1/24 force
+C set [phase2-suite-from-3ffe:2::/24-to-3ffe::1/24]:Protocols=phase2-protocol-from-3ffe:2::/24-to-3ffe::1/24 force
+C set [phase2-protocol-from-3ffe:2::/24-to-3ffe::1/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3ffe:2::/24-to-3ffe::1/24]:Transforms=phase2-transform-from-3ffe:2::/24-to-3ffe::1/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3ffe:2::/24-to-3ffe::1/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3ffe:2::/24-to-3ffe::1/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3ffe:2::/24-to-3ffe::1/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3ffe:2::/24-to-3ffe::1/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3ffe:2::/24-to-3ffe::1/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3ffe:2::/24-to-3ffe::1/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3ffe:2::/24]:ID-type=IPV6_ADDR_SUBNET force
 C set [from-3ffe:2::/24]:Network=3ffe:2:: force
 C set [from-3ffe:2::/24]:Netmask=ffff:ff00:: force
diff --git a/regress/sbin/ipsecctl/ike36.ok b/regress/sbin/ipsecctl/ike36.ok
index 625c965089b..6029ca8df1b 100644
--- a/regress/sbin/ipsecctl/ike36.ok
+++ b/regress/sbin/ipsecctl/ike36.ok
@@ -3,14 +3,29 @@ C set [peer-3ffe::1]:Phase=1 force
 C set [peer-3ffe::1]:Address=3ffe::1 force
 C set [peer-3ffe::1]:Configuration=phase1-peer-3ffe::1 force
 C set [phase1-peer-3ffe::1]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-3ffe::1]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-3ffe::1]:Transforms=phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-3ffe::3-to-3ffe::4]:Phase=2 force
 C set [from-3ffe::3-to-3ffe::4]:ISAKMP-peer=peer-3ffe::1 force
 C set [from-3ffe::3-to-3ffe::4]:Configuration=phase2-from-3ffe::3-to-3ffe::4 force
 C set [from-3ffe::3-to-3ffe::4]:Local-ID=from-3ffe::3 force
 C set [from-3ffe::3-to-3ffe::4]:Remote-ID=to-3ffe::4 force
 C set [phase2-from-3ffe::3-to-3ffe::4]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3ffe::3-to-3ffe::4]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3ffe::3-to-3ffe::4]:Suites=phase2-suite-from-3ffe::3-to-3ffe::4 force
+C set [phase2-suite-from-3ffe::3-to-3ffe::4]:Protocols=phase2-protocol-from-3ffe::3-to-3ffe::4 force
+C set [phase2-protocol-from-3ffe::3-to-3ffe::4]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3ffe::3-to-3ffe::4]:Transforms=phase2-transform-from-3ffe::3-to-3ffe::4-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3ffe::3-to-3ffe::4-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3ffe::3-to-3ffe::4-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3ffe::3-to-3ffe::4-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3ffe::3-to-3ffe::4-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3ffe::3-to-3ffe::4-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3ffe::3-to-3ffe::4-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3ffe::3]:ID-type=IPV6_ADDR force
 C set [from-3ffe::3]:Address=3ffe::3 force
 C set [to-3ffe::4]:ID-type=IPV6_ADDR force
diff --git a/regress/sbin/ipsecctl/ike37.ok b/regress/sbin/ipsecctl/ike37.ok
index 3a6fac15093..991a95b89a2 100644
--- a/regress/sbin/ipsecctl/ike37.ok
+++ b/regress/sbin/ipsecctl/ike37.ok
@@ -3,7 +3,13 @@ C set [peer-3ffe::1]:Phase=1 force
 C set [peer-3ffe::1]:Address=3ffe::1 force
 C set [peer-3ffe::1]:Configuration=phase1-peer-3ffe::1 force
 C set [phase1-peer-3ffe::1]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-3ffe::1]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-3ffe::1]:Transforms=phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [peer-3ffe::1]:ID=id-sharleena.as10.net force
 C set [id-sharleena.as10.net]:ID-type=FQDN force
 C set [id-sharleena.as10.net]:Name=sharleena.as10.net force
@@ -16,7 +22,16 @@ C set [from-3ffe:1::/64-to-3ffe:2::/64]:Configuration=phase2-from-3ffe:1::/64-to
 C set [from-3ffe:1::/64-to-3ffe:2::/64]:Local-ID=from-3ffe:1::/64 force
 C set [from-3ffe:1::/64-to-3ffe:2::/64]:Remote-ID=to-3ffe:2::/64 force
 C set [phase2-from-3ffe:1::/64-to-3ffe:2::/64]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3ffe:1::/64-to-3ffe:2::/64]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3ffe:1::/64-to-3ffe:2::/64]:Suites=phase2-suite-from-3ffe:1::/64-to-3ffe:2::/64 force
+C set [phase2-suite-from-3ffe:1::/64-to-3ffe:2::/64]:Protocols=phase2-protocol-from-3ffe:1::/64-to-3ffe:2::/64 force
+C set [phase2-protocol-from-3ffe:1::/64-to-3ffe:2::/64]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3ffe:1::/64-to-3ffe:2::/64]:Transforms=phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3ffe:1::/64]:ID-type=IPV6_ADDR_SUBNET force
 C set [from-3ffe:1::/64]:Network=3ffe:1:: force
 C set [from-3ffe:1::/64]:Netmask=ffff:ffff:ffff:ffff:: force
diff --git a/regress/sbin/ipsecctl/ike38.ok b/regress/sbin/ipsecctl/ike38.ok
index 3ff4fa5a0df..85794a82250 100644
--- a/regress/sbin/ipsecctl/ike38.ok
+++ b/regress/sbin/ipsecctl/ike38.ok
@@ -3,7 +3,12 @@ C set [peer-3ffe::29]:Phase=1 force
 C set [peer-3ffe::29]:Address=3ffe::29 force
 C set [peer-3ffe::29]:Configuration=phase1-peer-3ffe::29 force
 C set [phase1-peer-3ffe::29]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-3ffe::29]:Transforms=3DES-SHA-GRP15-RSA_SIG force
+C add [phase1-peer-3ffe::29]:Transforms=phase1-transform-peer-3ffe::29-RSA_SIG-SHA-3DES-MODP_3072 force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-3DES-MODP_3072]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-3DES-MODP_3072]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-3DES-MODP_3072]:ENCRYPTION_ALGORITHM=3DES_CBC force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-3DES-MODP_3072]:GROUP_DESCRIPTION=MODP_3072 force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-3DES-MODP_3072]:Life=LIFE_MAIN_MODE force
 C set [peer-3ffe::29]:ID=id-sharleena.as10.net force
 C set [id-sharleena.as10.net]:ID-type=FQDN force
 C set [id-sharleena.as10.net]:Name=sharleena.as10.net force
@@ -16,7 +21,15 @@ C set [from-3ffe:1::/64-to-3ffe:2::/64]:Configuration=phase2-from-3ffe:1::/64-to
 C set [from-3ffe:1::/64-to-3ffe:2::/64]:Local-ID=from-3ffe:1::/64 force
 C set [from-3ffe:1::/64-to-3ffe:2::/64]:Remote-ID=to-3ffe:2::/64 force
 C set [phase2-from-3ffe:1::/64-to-3ffe:2::/64]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3ffe:1::/64-to-3ffe:2::/64]:Suites=QM-ESP-3DES-SHA-PFS-GRP15-SUITE force
+C set [phase2-from-3ffe:1::/64-to-3ffe:2::/64]:Suites=phase2-suite-from-3ffe:1::/64-to-3ffe:2::/64 force
+C set [phase2-suite-from-3ffe:1::/64-to-3ffe:2::/64]:Protocols=phase2-protocol-from-3ffe:1::/64-to-3ffe:2::/64 force
+C set [phase2-protocol-from-3ffe:1::/64-to-3ffe:2::/64]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3ffe:1::/64-to-3ffe:2::/64]:Transforms=phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-3DES-SHA-MODP_3072-TUNNEL force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-3DES-SHA-MODP_3072-TUNNEL]:TRANSFORM_ID=3DES force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-3DES-SHA-MODP_3072-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-3DES-SHA-MODP_3072-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-3DES-SHA-MODP_3072-TUNNEL]:GROUP_DESCRIPTION=MODP_3072 force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-3DES-SHA-MODP_3072-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3ffe:1::/64]:ID-type=IPV6_ADDR_SUBNET force
 C set [from-3ffe:1::/64]:Network=3ffe:1:: force
 C set [from-3ffe:1::/64]:Netmask=ffff:ffff:ffff:ffff:: force
@@ -29,7 +42,13 @@ C set [peer-3ffe::29]:Phase=1 force
 C set [peer-3ffe::29]:Address=3ffe::29 force
 C set [peer-3ffe::29]:Configuration=phase1-peer-3ffe::29 force
 C set [phase1-peer-3ffe::29]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-3ffe::29]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C add [phase1-peer-3ffe::29]:Transforms=phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_3072 force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_3072]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_3072]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_3072]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_3072]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_3072]:GROUP_DESCRIPTION=MODP_3072 force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_3072]:Life=LIFE_MAIN_MODE force
 C set [peer-3ffe::29]:ID=id-sharleena.as10.net force
 C set [id-sharleena.as10.net]:ID-type=FQDN force
 C set [id-sharleena.as10.net]:Name=sharleena.as10.net force
@@ -42,7 +61,16 @@ C set [from-3ffe::51-to-3ffe::29]:Configuration=phase2-from-3ffe::51-to-3ffe::29
 C set [from-3ffe::51-to-3ffe::29]:Local-ID=from-3ffe::51 force
 C set [from-3ffe::51-to-3ffe::29]:Remote-ID=to-3ffe::29 force
 C set [phase2-from-3ffe::51-to-3ffe::29]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3ffe::51-to-3ffe::29]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [phase2-from-3ffe::51-to-3ffe::29]:Suites=phase2-suite-from-3ffe::51-to-3ffe::29 force
+C set [phase2-suite-from-3ffe::51-to-3ffe::29]:Protocols=phase2-protocol-from-3ffe::51-to-3ffe::29 force
+C set [phase2-protocol-from-3ffe::51-to-3ffe::29]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3ffe::51-to-3ffe::29]:Transforms=phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL]:GROUP_DESCRIPTION=MODP_3072 force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3ffe::51]:ID-type=IPV6_ADDR force
 C set [from-3ffe::51]:Address=3ffe::51 force
 C set [to-3ffe::29]:ID-type=IPV6_ADDR force
diff --git a/regress/sbin/ipsecctl/ike39.ok b/regress/sbin/ipsecctl/ike39.ok
index 8018391ca54..45c9b36d4f6 100644
--- a/regress/sbin/ipsecctl/ike39.ok
+++ b/regress/sbin/ipsecctl/ike39.ok
@@ -3,14 +3,29 @@ C set [peer-3ffe::29]:Phase=1 force
 C set [peer-3ffe::29]:Address=3ffe::29 force
 C set [peer-3ffe::29]:Configuration=phase1-peer-3ffe::29 force
 C set [phase1-peer-3ffe::29]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-3ffe::29]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-3ffe::29]:Transforms=phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-3ffe:1::/64-to-3ffe:2::/64]:Phase=2 force
 C set [from-3ffe:1::/64-to-3ffe:2::/64]:ISAKMP-peer=peer-3ffe::29 force
 C set [from-3ffe:1::/64-to-3ffe:2::/64]:Configuration=phase2-from-3ffe:1::/64-to-3ffe:2::/64 force
 C set [from-3ffe:1::/64-to-3ffe:2::/64]:Local-ID=from-3ffe:1::/64 force
 C set [from-3ffe:1::/64-to-3ffe:2::/64]:Remote-ID=to-3ffe:2::/64 force
 C set [phase2-from-3ffe:1::/64-to-3ffe:2::/64]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3ffe:1::/64-to-3ffe:2::/64]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3ffe:1::/64-to-3ffe:2::/64]:Suites=phase2-suite-from-3ffe:1::/64-to-3ffe:2::/64 force
+C set [phase2-suite-from-3ffe:1::/64-to-3ffe:2::/64]:Protocols=phase2-protocol-from-3ffe:1::/64-to-3ffe:2::/64 force
+C set [phase2-protocol-from-3ffe:1::/64-to-3ffe:2::/64]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3ffe:1::/64-to-3ffe:2::/64]:Transforms=phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3ffe:1::/64]:ID-type=IPV6_ADDR_SUBNET force
 C set [from-3ffe:1::/64]:Network=3ffe:1:: force
 C set [from-3ffe:1::/64]:Netmask=ffff:ffff:ffff:ffff:: force
@@ -23,14 +38,29 @@ C set [peer-3ffe::29]:Phase=1 force
 C set [peer-3ffe::29]:Address=3ffe::29 force
 C set [peer-3ffe::29]:Configuration=phase1-peer-3ffe::29 force
 C set [phase1-peer-3ffe::29]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-3ffe::29]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-3ffe::29]:Transforms=phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-3ffe::29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-3ffe::51-to-3ffe::29]:Phase=2 force
 C set [from-3ffe::51-to-3ffe::29]:ISAKMP-peer=peer-3ffe::29 force
 C set [from-3ffe::51-to-3ffe::29]:Configuration=phase2-from-3ffe::51-to-3ffe::29 force
 C set [from-3ffe::51-to-3ffe::29]:Local-ID=from-3ffe::51 force
 C set [from-3ffe::51-to-3ffe::29]:Remote-ID=to-3ffe::29 force
 C set [phase2-from-3ffe::51-to-3ffe::29]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3ffe::51-to-3ffe::29]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3ffe::51-to-3ffe::29]:Suites=phase2-suite-from-3ffe::51-to-3ffe::29 force
+C set [phase2-suite-from-3ffe::51-to-3ffe::29]:Protocols=phase2-protocol-from-3ffe::51-to-3ffe::29 force
+C set [phase2-protocol-from-3ffe::51-to-3ffe::29]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3ffe::51-to-3ffe::29]:Transforms=phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3ffe::51-to-3ffe::29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3ffe::51]:ID-type=IPV6_ADDR force
 C set [from-3ffe::51]:Address=3ffe::51 force
 C set [to-3ffe::29]:ID-type=IPV6_ADDR force
diff --git a/regress/sbin/ipsecctl/ike4.ok b/regress/sbin/ipsecctl/ike4.ok
index 17ab6560fd9..78a487c7ad7 100644
--- a/regress/sbin/ipsecctl/ike4.ok
+++ b/regress/sbin/ipsecctl/ike4.ok
@@ -3,7 +3,13 @@ C set [peer-131.188.33.29]:Phase=1 force
 C set [peer-131.188.33.29]:Address=131.188.33.29 force
 C set [peer-131.188.33.29]:Configuration=phase1-peer-131.188.33.29 force
 C set [phase1-peer-131.188.33.29]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-131.188.33.29]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-131.188.33.29]:Transforms=phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [peer-131.188.33.29]:ID=id-sharleena.as10.net force
 C set [id-sharleena.as10.net]:ID-type=FQDN force
 C set [id-sharleena.as10.net]:Name=sharleena.as10.net force
@@ -16,7 +22,16 @@ C set [from-10.1.1.0/24-to-10.1.2.0/24]:Configuration=phase2-from-10.1.1.0/24-to
 C set [from-10.1.1.0/24-to-10.1.2.0/24]:Local-ID=from-10.1.1.0/24 force
 C set [from-10.1.1.0/24-to-10.1.2.0/24]:Remote-ID=to-10.1.2.0/24 force
 C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24 force
+C set [phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24]:Protocols=phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24 force
+C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:Transforms=phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-10.1.1.0/24]:Network=10.1.1.0 force
 C set [from-10.1.1.0/24]:Netmask=255.255.255.0 force
diff --git a/regress/sbin/ipsecctl/ike40.ok b/regress/sbin/ipsecctl/ike40.ok
index 9b283cab45c..95edd980ea5 100644
--- a/regress/sbin/ipsecctl/ike40.ok
+++ b/regress/sbin/ipsecctl/ike40.ok 
@@ -3,14 +3,29 @@ C set [peer-3ffe::51]:Phase=1 force
 C set [peer-3ffe::51]:Address=3ffe::51 force
 C set [peer-3ffe::51]:Configuration=phase1-peer-3ffe::51 force
 C set [phase1-peer-3ffe::51]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-3ffe::51]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-3ffe::51]:Transforms=phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-3ffe:1::/64-to-3ffe:2::/64]:Phase=2 force
 C set [from-3ffe:1::/64-to-3ffe:2::/64]:ISAKMP-peer=peer-3ffe::51 force
 C set [from-3ffe:1::/64-to-3ffe:2::/64]:Configuration=phase2-from-3ffe:1::/64-to-3ffe:2::/64 force
 C set [from-3ffe:1::/64-to-3ffe:2::/64]:Local-ID=from-3ffe:1::/64 force
 C set [from-3ffe:1::/64-to-3ffe:2::/64]:Remote-ID=to-3ffe:2::/64 force
 C set [phase2-from-3ffe:1::/64-to-3ffe:2::/64]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3ffe:1::/64-to-3ffe:2::/64]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3ffe:1::/64-to-3ffe:2::/64]:Suites=phase2-suite-from-3ffe:1::/64-to-3ffe:2::/64 force
+C set [phase2-suite-from-3ffe:1::/64-to-3ffe:2::/64]:Protocols=phase2-protocol-from-3ffe:1::/64-to-3ffe:2::/64 force
+C set [phase2-protocol-from-3ffe:1::/64-to-3ffe:2::/64]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3ffe:1::/64-to-3ffe:2::/64]:Transforms=phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3ffe:1::/64]:ID-type=IPV6_ADDR_SUBNET force
 C set [from-3ffe:1::/64]:Network=3ffe:1:: force
 C set [from-3ffe:1::/64]:Netmask=ffff:ffff:ffff:ffff:: force
@@ -23,14 +38,29 @@ C set [peer-3ffe::51]:Phase=1 force
 C set [peer-3ffe::51]:Address=3ffe::51 force
 C set [peer-3ffe::51]:Configuration=phase1-peer-3ffe::51 force
 C set [phase1-peer-3ffe::51]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-3ffe::51]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-3ffe::51]:Transforms=phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-3ffe::29-to-3ffe::51]:Phase=2 force
 C set [from-3ffe::29-to-3ffe::51]:ISAKMP-peer=peer-3ffe::51 force
 C set [from-3ffe::29-to-3ffe::51]:Configuration=phase2-from-3ffe::29-to-3ffe::51 force
 C set [from-3ffe::29-to-3ffe::51]:Local-ID=from-3ffe::29 force
 C set [from-3ffe::29-to-3ffe::51]:Remote-ID=to-3ffe::51 force
 C set [phase2-from-3ffe::29-to-3ffe::51]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3ffe::29-to-3ffe::51]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3ffe::29-to-3ffe::51]:Suites=phase2-suite-from-3ffe::29-to-3ffe::51 force
+C set [phase2-suite-from-3ffe::29-to-3ffe::51]:Protocols=phase2-protocol-from-3ffe::29-to-3ffe::51 force
+C set [phase2-protocol-from-3ffe::29-to-3ffe::51]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3ffe::29-to-3ffe::51]:Transforms=phase2-transform-from-3ffe::29-to-3ffe::51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3ffe::29-to-3ffe::51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3ffe::29-to-3ffe::51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3ffe::29-to-3ffe::51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3ffe::29-to-3ffe::51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3ffe::29-to-3ffe::51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3ffe::29-to-3ffe::51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3ffe::29]:ID-type=IPV6_ADDR force
 C set [from-3ffe::29]:Address=3ffe::29 force
 C set [to-3ffe::51]:ID-type=IPV6_ADDR force
diff --git a/regress/sbin/ipsecctl/ike41.ok b/regress/sbin/ipsecctl/ike41.ok
index d69595c4ae4..4cbda02ca48 100644
--- a/regress/sbin/ipsecctl/ike41.ok
+++ b/regress/sbin/ipsecctl/ike41.ok
@@ -1,18 +1,35 @@
-C set [General]:Default-phase-1-lifetime=3600 force
-C set [General]:Default-phase-2-lifetime=1200 force
 C set [Phase 1]:2.2.2.2=peer-2.2.2.2 force
 C set [peer-2.2.2.2]:Phase=1 force
 C set [peer-2.2.2.2]:Address=2.2.2.2 force
 C set [peer-2.2.2.2]:Configuration=phase1-peer-2.2.2.2 force
 C set [phase1-peer-2.2.2.2]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-2.2.2.2]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-2.2.2.2]:Transforms=phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024-life force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024-life]:LIFE_TYPE=SECONDS force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024-life]:LIFE_DURATION=3600 force
 C set [from-1.1.1.1-to-2.2.2.2]:Phase=2 force
 C set [from-1.1.1.1-to-2.2.2.2]:ISAKMP-peer=peer-2.2.2.2 force
 C set [from-1.1.1.1-to-2.2.2.2]:Configuration=phase2-from-1.1.1.1-to-2.2.2.2 force
 C set [from-1.1.1.1-to-2.2.2.2]:Local-ID=from-1.1.1.1 force
 C set [from-1.1.1.1-to-2.2.2.2]:Remote-ID=to-2.2.2.2 force
 C set [phase2-from-1.1.1.1-to-2.2.2.2]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-1.1.1.1-to-2.2.2.2]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-1.1.1.1-to-2.2.2.2]:Suites=phase2-suite-from-1.1.1.1-to-2.2.2.2 force
+C set [phase2-suite-from-1.1.1.1-to-2.2.2.2]:Protocols=phase2-protocol-from-1.1.1.1-to-2.2.2.2 force
+C set [phase2-protocol-from-1.1.1.1-to-2.2.2.2]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-1.1.1.1-to-2.2.2.2]:Transforms=phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL-life force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL-life]:LIFE_TYPE=SECONDS force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL-life]:LIFE_DURATION=1200 force
 C set [from-1.1.1.1]:ID-type=IPV4_ADDR force
 C set [from-1.1.1.1]:Address=1.1.1.1 force
 C set [to-2.2.2.2]:ID-type=IPV4_ADDR force
diff --git a/regress/sbin/ipsecctl/ike42.ok b/regress/sbin/ipsecctl/ike42.ok
index b385bd5687d..d32d99f24e8 100644
--- a/regress/sbin/ipsecctl/ike42.ok
+++ b/regress/sbin/ipsecctl/ike42.ok
@@ -3,14 +3,29 @@ C set [peer-2.2.2.2]:Phase=1 force
 C set [peer-2.2.2.2]:Address=2.2.2.2 force
 C set [peer-2.2.2.2]:Configuration=phase1-peer-2.2.2.2 force
 C set [phase1-peer-2.2.2.2]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-2.2.2.2]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-2.2.2.2]:Transforms=phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-1.1.1.1=17:123-to-2.2.2.2=17]:Phase=2 force
 C set [from-1.1.1.1=17:123-to-2.2.2.2=17]:ISAKMP-peer=peer-2.2.2.2 force
 C set [from-1.1.1.1=17:123-to-2.2.2.2=17]:Configuration=phase2-from-1.1.1.1=17:123-to-2.2.2.2=17 force
 C set [from-1.1.1.1=17:123-to-2.2.2.2=17]:Local-ID=from-1.1.1.1=17:123 force
 C set [from-1.1.1.1=17:123-to-2.2.2.2=17]:Remote-ID=to-2.2.2.2=17 force
 C set [phase2-from-1.1.1.1=17:123-to-2.2.2.2=17]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-1.1.1.1=17:123-to-2.2.2.2=17]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-1.1.1.1=17:123-to-2.2.2.2=17]:Suites=phase2-suite-from-1.1.1.1=17:123-to-2.2.2.2=17 force
+C set [phase2-suite-from-1.1.1.1=17:123-to-2.2.2.2=17]:Protocols=phase2-protocol-from-1.1.1.1=17:123-to-2.2.2.2=17 force
+C set [phase2-protocol-from-1.1.1.1=17:123-to-2.2.2.2=17]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-1.1.1.1=17:123-to-2.2.2.2=17]:Transforms=phase2-transform-from-1.1.1.1=17:123-to-2.2.2.2=17-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-1.1.1.1=17:123-to-2.2.2.2=17-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-1.1.1.1=17:123-to-2.2.2.2=17-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-1.1.1.1=17:123-to-2.2.2.2=17-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-1.1.1.1=17:123-to-2.2.2.2=17-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-1.1.1.1=17:123-to-2.2.2.2=17-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-1.1.1.1=17:123-to-2.2.2.2=17-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-1.1.1.1=17:123]:ID-type=IPV4_ADDR force
 C set [from-1.1.1.1=17:123]:Address=1.1.1.1 force
 C set [to-2.2.2.2=17]:ID-type=IPV4_ADDR force
diff --git a/regress/sbin/ipsecctl/ike43.ok b/regress/sbin/ipsecctl/ike43.ok
index faabc9ff618..0f1dbbb1b09 100644
--- a/regress/sbin/ipsecctl/ike43.ok
+++ b/regress/sbin/ipsecctl/ike43.ok
@@ -3,14 +3,29 @@ C set [peer-3ffe::2]:Phase=1 force
 C set [peer-3ffe::2]:Address=3ffe::2 force
 C set [peer-3ffe::2]:Configuration=phase1-peer-3ffe::2 force
 C set [phase1-peer-3ffe::2]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-3ffe::2]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-3ffe::2]:Transforms=phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-3ffe::2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-3ffe::1=6:2022-to-3ffe::2=6:22]:Phase=2 force
 C set [from-3ffe::1=6:2022-to-3ffe::2=6:22]:ISAKMP-peer=peer-3ffe::2 force
 C set [from-3ffe::1=6:2022-to-3ffe::2=6:22]:Configuration=phase2-from-3ffe::1=6:2022-to-3ffe::2=6:22 force
 C set [from-3ffe::1=6:2022-to-3ffe::2=6:22]:Local-ID=from-3ffe::1=6:2022 force
 C set [from-3ffe::1=6:2022-to-3ffe::2=6:22]:Remote-ID=to-3ffe::2=6:22 force
 C set [phase2-from-3ffe::1=6:2022-to-3ffe::2=6:22]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3ffe::1=6:2022-to-3ffe::2=6:22]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3ffe::1=6:2022-to-3ffe::2=6:22]:Suites=phase2-suite-from-3ffe::1=6:2022-to-3ffe::2=6:22 force
+C set [phase2-suite-from-3ffe::1=6:2022-to-3ffe::2=6:22]:Protocols=phase2-protocol-from-3ffe::1=6:2022-to-3ffe::2=6:22 force
+C set [phase2-protocol-from-3ffe::1=6:2022-to-3ffe::2=6:22]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3ffe::1=6:2022-to-3ffe::2=6:22]:Transforms=phase2-transform-from-3ffe::1=6:2022-to-3ffe::2=6:22-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3ffe::1=6:2022-to-3ffe::2=6:22-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3ffe::1=6:2022-to-3ffe::2=6:22-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3ffe::1=6:2022-to-3ffe::2=6:22-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3ffe::1=6:2022-to-3ffe::2=6:22-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3ffe::1=6:2022-to-3ffe::2=6:22-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3ffe::1=6:2022-to-3ffe::2=6:22-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3ffe::1=6:2022]:ID-type=IPV6_ADDR force
 C set [from-3ffe::1=6:2022]:Address=3ffe::1 force
 C set [to-3ffe::2=6:22]:ID-type=IPV6_ADDR force
diff --git a/regress/sbin/ipsecctl/ike46.ok b/regress/sbin/ipsecctl/ike46.ok
index c52acd23f1d..d0e0d6a94b9 100644
--- a/regress/sbin/ipsecctl/ike46.ok
+++ b/regress/sbin/ipsecctl/ike46.ok
@@ -3,14 +3,29 @@ C set [peer-2.2.2.2]:Phase=1 force
 C set [peer-2.2.2.2]:Address=2.2.2.2 force
 C set [peer-2.2.2.2]:Configuration=phase1-peer-2.2.2.2 force
 C set [phase1-peer-2.2.2.2]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-2.2.2.2]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-2.2.2.2]:Transforms=phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-1.1.1.1-to-2.2.2.2]:Phase=2 force
 C set [from-1.1.1.1-to-2.2.2.2]:ISAKMP-peer=peer-2.2.2.2 force
 C set [from-1.1.1.1-to-2.2.2.2]:Configuration=phase2-from-1.1.1.1-to-2.2.2.2 force
 C set [from-1.1.1.1-to-2.2.2.2]:Local-ID=from-1.1.1.1 force
 C set [from-1.1.1.1-to-2.2.2.2]:Remote-ID=to-2.2.2.2 force
 C set [phase2-from-1.1.1.1-to-2.2.2.2]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-1.1.1.1-to-2.2.2.2]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-1.1.1.1-to-2.2.2.2]:Suites=phase2-suite-from-1.1.1.1-to-2.2.2.2 force
+C set [phase2-suite-from-1.1.1.1-to-2.2.2.2]:Protocols=phase2-protocol-from-1.1.1.1-to-2.2.2.2 force
+C set [phase2-protocol-from-1.1.1.1-to-2.2.2.2]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-1.1.1.1-to-2.2.2.2]:Transforms=phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-1.1.1.1]:ID-type=IPV4_ADDR force
 C set [from-1.1.1.1]:Address=1.1.1.1 force
 C set [to-2.2.2.2]:ID-type=IPV4_ADDR force
@@ -21,14 +36,29 @@ C set [peer-2.2.2.2]:Phase=1 force
 C set [peer-2.2.2.2]:Address=2.2.2.2 force
 C set [peer-2.2.2.2]:Configuration=phase1-peer-2.2.2.2 force
 C set [phase1-peer-2.2.2.2]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-2.2.2.2]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-2.2.2.2]:Transforms=phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-1.1.1.1-to-2.2.2.2]:Phase=2 force
 C set [from-1.1.1.1-to-2.2.2.2]:ISAKMP-peer=peer-2.2.2.2 force
 C set [from-1.1.1.1-to-2.2.2.2]:Configuration=phase2-from-1.1.1.1-to-2.2.2.2 force
 C set [from-1.1.1.1-to-2.2.2.2]:Local-ID=from-1.1.1.1 force
 C set [from-1.1.1.1-to-2.2.2.2]:Remote-ID=to-2.2.2.2 force
 C set [phase2-from-1.1.1.1-to-2.2.2.2]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-1.1.1.1-to-2.2.2.2]:Suites=QM-ESP-TRP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-1.1.1.1-to-2.2.2.2]:Suites=phase2-suite-from-1.1.1.1-to-2.2.2.2 force
+C set [phase2-suite-from-1.1.1.1-to-2.2.2.2]:Protocols=phase2-protocol-from-1.1.1.1-to-2.2.2.2 force
+C set [phase2-protocol-from-1.1.1.1-to-2.2.2.2]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-1.1.1.1-to-2.2.2.2]:Transforms=phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TRANSPORT force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TRANSPORT]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TRANSPORT]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TRANSPORT]:ENCAPSULATION_MODE=TRANSPORT force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TRANSPORT]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TRANSPORT]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TRANSPORT]:Life=LIFE_QUICK_MODE force
 C set [from-1.1.1.1]:ID-type=IPV4_ADDR force
 C set [from-1.1.1.1]:Address=1.1.1.1 force
 C set [to-2.2.2.2]:ID-type=IPV4_ADDR force
diff --git a/regress/sbin/ipsecctl/ike47.ok b/regress/sbin/ipsecctl/ike47.ok
index 8d13650a978..6864daba509 100644
--- a/regress/sbin/ipsecctl/ike47.ok
+++ b/regress/sbin/ipsecctl/ike47.ok
@@ -2,14 +2,29 @@ C set [Phase 1]:Default=peer-default force
 C set [peer-default]:Phase=1 force
 C set [peer-default]:Configuration=phase1-peer-default force
 C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-default]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-0.0.0.0/0-to-0.0.0.0/0]:Phase=2 force
 C set [from-0.0.0.0/0-to-0.0.0.0/0]:ISAKMP-peer=peer-default force
 C set [from-0.0.0.0/0-to-0.0.0.0/0]:Configuration=phase2-from-0.0.0.0/0-to-0.0.0.0/0 force
 C set [from-0.0.0.0/0-to-0.0.0.0/0]:Local-ID=from-0.0.0.0/0 force
 C set [from-0.0.0.0/0-to-0.0.0.0/0]:Remote-ID=to-0.0.0.0/0 force
 C set [phase2-from-0.0.0.0/0-to-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-0.0.0.0/0-to-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-0.0.0.0/0-to-0.0.0.0/0]:Suites=phase2-suite-from-0.0.0.0/0-to-0.0.0.0/0 force
+C set [phase2-suite-from-0.0.0.0/0-to-0.0.0.0/0]:Protocols=phase2-protocol-from-0.0.0.0/0-to-0.0.0.0/0 force
+C set [phase2-protocol-from-0.0.0.0/0-to-0.0.0.0/0]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-0.0.0.0/0-to-0.0.0.0/0]:Transforms=phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-0.0.0.0/0]:Network=0.0.0.0 force
 C set [from-0.0.0.0/0]:Netmask=0.0.0.0 force
@@ -21,14 +36,29 @@ C set [Phase 1]:Default=peer-default force
 C set [peer-default]:Phase=1 force
 C set [peer-default]:Configuration=phase1-peer-default force
 C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-default]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-::/0-to-::/0]:Phase=2 force
 C set [from-::/0-to-::/0]:ISAKMP-peer=peer-default force
 C set [from-::/0-to-::/0]:Configuration=phase2-from-::/0-to-::/0 force
 C set [from-::/0-to-::/0]:Local-ID=from-::/0 force
 C set [from-::/0-to-::/0]:Remote-ID=to-::/0 force
 C set [phase2-from-::/0-to-::/0]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-::/0-to-::/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-::/0-to-::/0]:Suites=phase2-suite-from-::/0-to-::/0 force
+C set [phase2-suite-from-::/0-to-::/0]:Protocols=phase2-protocol-from-::/0-to-::/0 force
+C set [phase2-protocol-from-::/0-to-::/0]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-::/0-to-::/0]:Transforms=phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-::/0]:ID-type=IPV6_ADDR_SUBNET force
 C set [from-::/0]:Network=:: force
 C set [from-::/0]:Netmask=:: force
diff --git a/regress/sbin/ipsecctl/ike48.ok b/regress/sbin/ipsecctl/ike48.ok
index 493ddc598a5..928f1557cb0 100644
--- a/regress/sbin/ipsecctl/ike48.ok
+++ b/regress/sbin/ipsecctl/ike48.ok
@@ -3,14 +3,29 @@ C set [peer-default]:Phase=1 force
 C set [peer-default]:Authentication=mekmitasdigoat force
 C set [peer-default]:Configuration=phase1-peer-default force
 C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-default]:Transforms=AES-SHA force
+C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=PRE_SHARED force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-0.0.0.0/0-to-0.0.0.0/0]:Phase=2 force
 C set [from-0.0.0.0/0-to-0.0.0.0/0]:ISAKMP-peer=peer-default force
 C set [from-0.0.0.0/0-to-0.0.0.0/0]:Configuration=phase2-from-0.0.0.0/0-to-0.0.0.0/0 force
 C set [from-0.0.0.0/0-to-0.0.0.0/0]:Local-ID=from-0.0.0.0/0 force
 C set [from-0.0.0.0/0-to-0.0.0.0/0]:Remote-ID=to-0.0.0.0/0 force
 C set [phase2-from-0.0.0.0/0-to-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-0.0.0.0/0-to-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-0.0.0.0/0-to-0.0.0.0/0]:Suites=phase2-suite-from-0.0.0.0/0-to-0.0.0.0/0 force
+C set [phase2-suite-from-0.0.0.0/0-to-0.0.0.0/0]:Protocols=phase2-protocol-from-0.0.0.0/0-to-0.0.0.0/0 force
+C set [phase2-protocol-from-0.0.0.0/0-to-0.0.0.0/0]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-0.0.0.0/0-to-0.0.0.0/0]:Transforms=phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-0.0.0.0/0]:Network=0.0.0.0 force
 C set [from-0.0.0.0/0]:Netmask=0.0.0.0 force
@@ -23,14 +38,29 @@ C set [peer-default]:Phase=1 force
 C set [peer-default]:Authentication=mekmitasdigoat force
 C set [peer-default]:Configuration=phase1-peer-default force
 C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-default]:Transforms=AES-SHA force
+C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=PRE_SHARED force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-::/0-to-::/0]:Phase=2 force
 C set [from-::/0-to-::/0]:ISAKMP-peer=peer-default force
 C set [from-::/0-to-::/0]:Configuration=phase2-from-::/0-to-::/0 force
 C set [from-::/0-to-::/0]:Local-ID=from-::/0 force
 C set [from-::/0-to-::/0]:Remote-ID=to-::/0 force
 C set [phase2-from-::/0-to-::/0]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-::/0-to-::/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-::/0-to-::/0]:Suites=phase2-suite-from-::/0-to-::/0 force
+C set [phase2-suite-from-::/0-to-::/0]:Protocols=phase2-protocol-from-::/0-to-::/0 force
+C set [phase2-protocol-from-::/0-to-::/0]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-::/0-to-::/0]:Transforms=phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-::/0]:ID-type=IPV6_ADDR_SUBNET force
 C set [from-::/0]:Network=:: force
 C set [from-::/0]:Netmask=:: force
diff --git a/regress/sbin/ipsecctl/ike49.ok b/regress/sbin/ipsecctl/ike49.ok
index cce2e81d578..b368b79c6e3 100644
--- a/regress/sbin/ipsecctl/ike49.ok
+++ b/regress/sbin/ipsecctl/ike49.ok
@@ -3,14 +3,29 @@ C set [peer-default]:Phase=1 force
 C set [peer-default]:Authentication=mekmitasdigoat force
 C set [peer-default]:Configuration=phase1-peer-default force
 C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-default]:Transforms=AES-SHA force
+C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=PRE_SHARED force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-10.1.1.0/24-to-10.1.2.0/24]:Phase=2 force
 C set [from-10.1.1.0/24-to-10.1.2.0/24]:ISAKMP-peer=peer-default force
 C set [from-10.1.1.0/24-to-10.1.2.0/24]:Configuration=phase2-from-10.1.1.0/24-to-10.1.2.0/24 force
 C set [from-10.1.1.0/24-to-10.1.2.0/24]:Local-ID=from-10.1.1.0/24 force
 C set [from-10.1.1.0/24-to-10.1.2.0/24]:Remote-ID=to-10.1.2.0/24 force
 C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24 force
+C set [phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24]:Protocols=phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24 force
+C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:Transforms=phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-10.1.1.0/24]:Network=10.1.1.0 force
 C set [from-10.1.1.0/24]:Netmask=255.255.255.0 force
diff --git a/regress/sbin/ipsecctl/ike5.ok b/regress/sbin/ipsecctl/ike5.ok
index 3cd131f1c24..9b6a4d9cadd 100644
--- a/regress/sbin/ipsecctl/ike5.ok
+++ b/regress/sbin/ipsecctl/ike5.ok
@@ -3,7 +3,12 @@ C set [peer-131.188.33.29]:Phase=1 force
 C set [peer-131.188.33.29]:Address=131.188.33.29 force
 C set [peer-131.188.33.29]:Configuration=phase1-peer-131.188.33.29 force
 C set [phase1-peer-131.188.33.29]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-131.188.33.29]:Transforms=3DES-SHA-GRP15-RSA_SIG force
+C add [phase1-peer-131.188.33.29]:Transforms=phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-3DES-MODP_3072 force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-3DES-MODP_3072]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-3DES-MODP_3072]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-3DES-MODP_3072]:ENCRYPTION_ALGORITHM=3DES_CBC force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-3DES-MODP_3072]:GROUP_DESCRIPTION=MODP_3072 force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-3DES-MODP_3072]:Life=LIFE_MAIN_MODE force
 C set [peer-131.188.33.29]:ID=id-sharleena.as10.net force
 C set [id-sharleena.as10.net]:ID-type=FQDN force
 C set [id-sharleena.as10.net]:Name=sharleena.as10.net force
@@ -16,7 +21,15 @@ C set [from-10.1.1.0/24-to-10.1.2.0/24]:Configuration=phase2-from-10.1.1.0/24-to
 C set [from-10.1.1.0/24-to-10.1.2.0/24]:Local-ID=from-10.1.1.0/24 force
 C set [from-10.1.1.0/24-to-10.1.2.0/24]:Remote-ID=to-10.1.2.0/24 force
 C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=QM-ESP-3DES-SHA-PFS-GRP15-SUITE force
+C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24 force
+C set [phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24]:Protocols=phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24 force
+C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:Transforms=phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-3DES-SHA-MODP_3072-TUNNEL force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-3DES-SHA-MODP_3072-TUNNEL]:TRANSFORM_ID=3DES force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-3DES-SHA-MODP_3072-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-3DES-SHA-MODP_3072-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-3DES-SHA-MODP_3072-TUNNEL]:GROUP_DESCRIPTION=MODP_3072 force
+C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-3DES-SHA-MODP_3072-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-10.1.1.0/24]:Network=10.1.1.0 force
 C set [from-10.1.1.0/24]:Netmask=255.255.255.0 force
@@ -29,7 +42,13 @@ C set [peer-131.188.33.29]:Phase=1 force
 C set [peer-131.188.33.29]:Address=131.188.33.29 force
 C set [peer-131.188.33.29]:Configuration=phase1-peer-131.188.33.29 force
 C set [phase1-peer-131.188.33.29]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-131.188.33.29]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C add [phase1-peer-131.188.33.29]:Transforms=phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_3072 force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_3072]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_3072]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_3072]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_3072]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_3072]:GROUP_DESCRIPTION=MODP_3072 force
+C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_3072]:Life=LIFE_MAIN_MODE force
 C set [peer-131.188.33.29]:ID=id-sharleena.as10.net force
 C set [id-sharleena.as10.net]:ID-type=FQDN force
 C set [id-sharleena.as10.net]:Name=sharleena.as10.net force
@@ -42,7 +61,16 @@ C set [from-131.188.33.51-to-131.188.33.29]:Configuration=phase2-from-131.188.33
 C set [from-131.188.33.51-to-131.188.33.29]:Local-ID=from-131.188.33.51 force
 C set [from-131.188.33.51-to-131.188.33.29]:Remote-ID=to-131.188.33.29 force
 C set [phase2-from-131.188.33.51-to-131.188.33.29]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-131.188.33.51-to-131.188.33.29]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [phase2-from-131.188.33.51-to-131.188.33.29]:Suites=phase2-suite-from-131.188.33.51-to-131.188.33.29 force
+C set [phase2-suite-from-131.188.33.51-to-131.188.33.29]:Protocols=phase2-protocol-from-131.188.33.51-to-131.188.33.29 force
+C set [phase2-protocol-from-131.188.33.51-to-131.188.33.29]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-131.188.33.51-to-131.188.33.29]:Transforms=phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL force
+C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL]:GROUP_DESCRIPTION=MODP_3072 force
+C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_3072-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-131.188.33.51]:ID-type=IPV4_ADDR force
 C set [from-131.188.33.51]:Address=131.188.33.51 force
 C set [to-131.188.33.29]:ID-type=IPV4_ADDR force
diff --git a/regress/sbin/ipsecctl/ike50.ok b/regress/sbin/ipsecctl/ike50.ok
index d18632cc315..70d57ad6880 100644
--- a/regress/sbin/ipsecctl/ike50.ok
+++ b/regress/sbin/ipsecctl/ike50.ok
@@ -3,14 +3,29 @@ C set [peer-default]:Phase=1 force
 C set [peer-default]:Local-address=1.1.1.1 force
 C set [peer-default]:Configuration=phase1-peer-default force
 C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-default]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-10.1.1.0/24-to-10.2.2.0/24]:Phase=2 force
 C set [from-10.1.1.0/24-to-10.2.2.0/24]:ISAKMP-peer=peer-default force
 C set [from-10.1.1.0/24-to-10.2.2.0/24]:Configuration=phase2-from-10.1.1.0/24-to-10.2.2.0/24 force
 C set [from-10.1.1.0/24-to-10.2.2.0/24]:Local-ID=from-10.1.1.0/24 force
 C set [from-10.1.1.0/24-to-10.2.2.0/24]:Remote-ID=to-10.2.2.0/24 force
 C set [phase2-from-10.1.1.0/24-to-10.2.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-10.1.1.0/24-to-10.2.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-10.1.1.0/24-to-10.2.2.0/24]:Suites=phase2-suite-from-10.1.1.0/24-to-10.2.2.0/24 force
+C set [phase2-suite-from-10.1.1.0/24-to-10.2.2.0/24]:Protocols=phase2-protocol-from-10.1.1.0/24-to-10.2.2.0/24 force
+C set [phase2-protocol-from-10.1.1.0/24-to-10.2.2.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-10.1.1.0/24-to-10.2.2.0/24]:Transforms=phase2-transform-from-10.1.1.0/24-to-10.2.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-10.1.1.0/24-to-10.2.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-10.1.1.0/24-to-10.2.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-10.1.1.0/24-to-10.2.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-10.1.1.0/24-to-10.2.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-10.1.1.0/24-to-10.2.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-10.1.1.0/24-to-10.2.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-10.1.1.0/24]:Network=10.1.1.0 force
 C set [from-10.1.1.0/24]:Netmask=255.255.255.0 force
diff --git a/regress/sbin/ipsecctl/ike51.ok b/regress/sbin/ipsecctl/ike51.ok
index 7748a47ecfe..850f9f97050 100644
--- a/regress/sbin/ipsecctl/ike51.ok
+++ b/regress/sbin/ipsecctl/ike51.ok
@@ -3,14 +3,29 @@ C set [peer-default]:Phase=1 force
 C set [peer-default]:Authentication=mekmitasdigoat force
 C set [peer-default]:Configuration=phase1-peer-default force
 C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-default]:Transforms=AES-SHA force
+C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=PRE_SHARED force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-3ffe::1/24-to-3ffe:2::/24]:Phase=2 force
 C set [from-3ffe::1/24-to-3ffe:2::/24]:ISAKMP-peer=peer-default force
 C set [from-3ffe::1/24-to-3ffe:2::/24]:Configuration=phase2-from-3ffe::1/24-to-3ffe:2::/24 force
 C set [from-3ffe::1/24-to-3ffe:2::/24]:Local-ID=from-3ffe::1/24 force
 C set [from-3ffe::1/24-to-3ffe:2::/24]:Remote-ID=to-3ffe:2::/24 force
 C set [phase2-from-3ffe::1/24-to-3ffe:2::/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3ffe::1/24-to-3ffe:2::/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3ffe::1/24-to-3ffe:2::/24]:Suites=phase2-suite-from-3ffe::1/24-to-3ffe:2::/24 force
+C set [phase2-suite-from-3ffe::1/24-to-3ffe:2::/24]:Protocols=phase2-protocol-from-3ffe::1/24-to-3ffe:2::/24 force
+C set [phase2-protocol-from-3ffe::1/24-to-3ffe:2::/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3ffe::1/24-to-3ffe:2::/24]:Transforms=phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3ffe::1/24]:ID-type=IPV6_ADDR_SUBNET force
 C set [from-3ffe::1/24]:Network=3ffe::1 force
 C set [from-3ffe::1/24]:Netmask=ffff:ff00:: force
diff --git a/regress/sbin/ipsecctl/ike52.ok b/regress/sbin/ipsecctl/ike52.ok
index 26ab38fa24c..c1133ec487c 100644
--- a/regress/sbin/ipsecctl/ike52.ok
+++ b/regress/sbin/ipsecctl/ike52.ok
@@ -3,14 +3,29 @@ C set [peer-default]:Phase=1 force
 C set [peer-default]:Local-address=3ffe::3 force
 C set [peer-default]:Configuration=phase1-peer-default force
 C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-default]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-3ffe::1/24-to-3ffe:2::/24]:Phase=2 force
 C set [from-3ffe::1/24-to-3ffe:2::/24]:ISAKMP-peer=peer-default force
 C set [from-3ffe::1/24-to-3ffe:2::/24]:Configuration=phase2-from-3ffe::1/24-to-3ffe:2::/24 force
 C set [from-3ffe::1/24-to-3ffe:2::/24]:Local-ID=from-3ffe::1/24 force
 C set [from-3ffe::1/24-to-3ffe:2::/24]:Remote-ID=to-3ffe:2::/24 force
 C set [phase2-from-3ffe::1/24-to-3ffe:2::/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3ffe::1/24-to-3ffe:2::/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3ffe::1/24-to-3ffe:2::/24]:Suites=phase2-suite-from-3ffe::1/24-to-3ffe:2::/24 force
+C set [phase2-suite-from-3ffe::1/24-to-3ffe:2::/24]:Protocols=phase2-protocol-from-3ffe::1/24-to-3ffe:2::/24 force
+C set [phase2-protocol-from-3ffe::1/24-to-3ffe:2::/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3ffe::1/24-to-3ffe:2::/24]:Transforms=phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3ffe::1/24-to-3ffe:2::/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3ffe::1/24]:ID-type=IPV6_ADDR_SUBNET force
 C set [from-3ffe::1/24]:Network=3ffe::1 force
 C set [from-3ffe::1/24]:Netmask=ffff:ff00:: force
diff --git a/regress/sbin/ipsecctl/ike53.ok b/regress/sbin/ipsecctl/ike53.ok
index f9b8c2e00aa..f5e7dba9ee2 100644
--- a/regress/sbin/ipsecctl/ike53.ok
+++ b/regress/sbin/ipsecctl/ike53.ok
@@ -3,14 +3,28 @@ C set [peer-2.2.2.2]:Phase=1 force
 C set [peer-2.2.2.2]:Address=2.2.2.2 force
 C set [peer-2.2.2.2]:Configuration=phase1-peer-2.2.2.2 force
 C set [phase1-peer-2.2.2.2]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-2.2.2.2]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-2.2.2.2]:Transforms=phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-1.1.1.1-to-2.2.2.2]:Phase=2 force
 C set [from-1.1.1.1-to-2.2.2.2]:ISAKMP-peer=peer-2.2.2.2 force
 C set [from-1.1.1.1-to-2.2.2.2]:Configuration=phase2-from-1.1.1.1-to-2.2.2.2 force
 C set [from-1.1.1.1-to-2.2.2.2]:Local-ID=from-1.1.1.1 force
 C set [from-1.1.1.1-to-2.2.2.2]:Remote-ID=to-2.2.2.2 force
 C set [phase2-from-1.1.1.1-to-2.2.2.2]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-1.1.1.1-to-2.2.2.2]:Suites=QM-AH-SHA2-256-PFS-SUITE force
+C set [phase2-from-1.1.1.1-to-2.2.2.2]:Suites=phase2-suite-from-1.1.1.1-to-2.2.2.2 force
+C set [phase2-suite-from-1.1.1.1-to-2.2.2.2]:Protocols=phase2-protocol-from-1.1.1.1-to-2.2.2.2 force
+C set [phase2-protocol-from-1.1.1.1-to-2.2.2.2]:PROTOCOL_ID=IPSEC_AH force
+C set [phase2-protocol-from-1.1.1.1-to-2.2.2.2]:Transforms=phase2-transform-from-1.1.1.1-to-2.2.2.2-NONE-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-NONE-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=SHA2_256 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-NONE-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-NONE-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-NONE-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-NONE-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-1.1.1.1]:ID-type=IPV4_ADDR force
 C set [from-1.1.1.1]:Address=1.1.1.1 force
 C set [to-2.2.2.2]:ID-type=IPV4_ADDR force
diff --git a/regress/sbin/ipsecctl/ike54.ok b/regress/sbin/ipsecctl/ike54.ok
index ba71199c199..96d8c623b62 100644
--- a/regress/sbin/ipsecctl/ike54.ok
+++ b/regress/sbin/ipsecctl/ike54.ok
@@ -2,14 +2,28 @@ C set [Phase 1]:Default=peer-default force
 C set [peer-default]:Phase=1 force
 C set [peer-default]:Configuration=phase1-peer-default force
 C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-default]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-1.1.1.1=17:123-to-0.0.0.0/0=17]:Phase=2 force
 C set [from-1.1.1.1=17:123-to-0.0.0.0/0=17]:ISAKMP-peer=peer-default force
 C set [from-1.1.1.1=17:123-to-0.0.0.0/0=17]:Configuration=phase2-from-1.1.1.1=17:123-to-0.0.0.0/0=17 force
 C set [from-1.1.1.1=17:123-to-0.0.0.0/0=17]:Local-ID=from-1.1.1.1=17:123 force
 C set [from-1.1.1.1=17:123-to-0.0.0.0/0=17]:Remote-ID=to-0.0.0.0/0=17 force
 C set [phase2-from-1.1.1.1=17:123-to-0.0.0.0/0=17]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-1.1.1.1=17:123-to-0.0.0.0/0=17]:Suites=QM-AH-TRP-SHA2-256-PFS-SUITE force
+C set [phase2-from-1.1.1.1=17:123-to-0.0.0.0/0=17]:Suites=phase2-suite-from-1.1.1.1=17:123-to-0.0.0.0/0=17 force
+C set [phase2-suite-from-1.1.1.1=17:123-to-0.0.0.0/0=17]:Protocols=phase2-protocol-from-1.1.1.1=17:123-to-0.0.0.0/0=17 force
+C set [phase2-protocol-from-1.1.1.1=17:123-to-0.0.0.0/0=17]:PROTOCOL_ID=IPSEC_AH force
+C set [phase2-protocol-from-1.1.1.1=17:123-to-0.0.0.0/0=17]:Transforms=phase2-transform-from-1.1.1.1=17:123-to-0.0.0.0/0=17-NONE-SHA2_256-MODP_1024-TRANSPORT force
+C set [phase2-transform-from-1.1.1.1=17:123-to-0.0.0.0/0=17-NONE-SHA2_256-MODP_1024-TRANSPORT]:TRANSFORM_ID=SHA2_256 force
+C set [phase2-transform-from-1.1.1.1=17:123-to-0.0.0.0/0=17-NONE-SHA2_256-MODP_1024-TRANSPORT]:ENCAPSULATION_MODE=TRANSPORT force
+C set [phase2-transform-from-1.1.1.1=17:123-to-0.0.0.0/0=17-NONE-SHA2_256-MODP_1024-TRANSPORT]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-1.1.1.1=17:123-to-0.0.0.0/0=17-NONE-SHA2_256-MODP_1024-TRANSPORT]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-1.1.1.1=17:123-to-0.0.0.0/0=17-NONE-SHA2_256-MODP_1024-TRANSPORT]:Life=LIFE_QUICK_MODE force
 C set [from-1.1.1.1=17:123]:ID-type=IPV4_ADDR force
 C set [from-1.1.1.1=17:123]:Address=1.1.1.1 force
 C set [to-0.0.0.0/0=17]:ID-type=IPV4_ADDR_SUBNET force
diff --git a/regress/sbin/ipsecctl/ike55.ok b/regress/sbin/ipsecctl/ike55.ok
index 3afcf17b93a..3ed6116e3e5 100644
--- a/regress/sbin/ipsecctl/ike55.ok
+++ b/regress/sbin/ipsecctl/ike55.ok
@@ -3,14 +3,28 @@ C set [peer-2.2.2.2]:Phase=1 force
 C set [peer-2.2.2.2]:Address=2.2.2.2 force
 C set [peer-2.2.2.2]:Configuration=phase1-peer-2.2.2.2 force
 C set [phase1-peer-2.2.2.2]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-2.2.2.2]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-2.2.2.2]:Transforms=phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-1.1.1.1-to-2.2.2.2]:Phase=2 force
 C set [from-1.1.1.1-to-2.2.2.2]:ISAKMP-peer=peer-2.2.2.2 force
 C set [from-1.1.1.1-to-2.2.2.2]:Configuration=phase2-from-1.1.1.1-to-2.2.2.2 force
 C set [from-1.1.1.1-to-2.2.2.2]:Local-ID=from-1.1.1.1 force
 C set [from-1.1.1.1-to-2.2.2.2]:Remote-ID=to-2.2.2.2 force
 C set [phase2-from-1.1.1.1-to-2.2.2.2]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-1.1.1.1-to-2.2.2.2]:Suites=QM-AH-MD5-PFS-SUITE force
+C set [phase2-from-1.1.1.1-to-2.2.2.2]:Suites=phase2-suite-from-1.1.1.1-to-2.2.2.2 force
+C set [phase2-suite-from-1.1.1.1-to-2.2.2.2]:Protocols=phase2-protocol-from-1.1.1.1-to-2.2.2.2 force
+C set [phase2-protocol-from-1.1.1.1-to-2.2.2.2]:PROTOCOL_ID=IPSEC_AH force
+C set [phase2-protocol-from-1.1.1.1-to-2.2.2.2]:Transforms=phase2-transform-from-1.1.1.1-to-2.2.2.2-NONE-MD5-MODP_1024-TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-NONE-MD5-MODP_1024-TUNNEL]:TRANSFORM_ID=MD5 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-NONE-MD5-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-NONE-MD5-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_MD5 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-NONE-MD5-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-NONE-MD5-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-1.1.1.1]:ID-type=IPV4_ADDR force
 C set [from-1.1.1.1]:Address=1.1.1.1 force
 C set [to-2.2.2.2]:ID-type=IPV4_ADDR force
diff --git a/regress/sbin/ipsecctl/ike56.ok b/regress/sbin/ipsecctl/ike56.ok
index c41b62ec22b..ae63ab58aa7 100644
--- a/regress/sbin/ipsecctl/ike56.ok
+++ b/regress/sbin/ipsecctl/ike56.ok
@@ -3,14 +3,29 @@ C set [peer-127.0.0.1]:Phase=1 force
 C set [peer-127.0.0.1]:Address=127.0.0.1 force
 C set [peer-127.0.0.1]:Configuration=phase1-peer-127.0.0.1 force
 C set [phase1-peer-127.0.0.1]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-127.0.0.1]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-127.0.0.1]:Transforms=phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-127.0.0.1-to-127.0.0.1]:Phase=2 force
 C set [from-127.0.0.1-to-127.0.0.1]:ISAKMP-peer=peer-127.0.0.1 force
 C set [from-127.0.0.1-to-127.0.0.1]:Configuration=phase2-from-127.0.0.1-to-127.0.0.1 force
 C set [from-127.0.0.1-to-127.0.0.1]:Local-ID=from-127.0.0.1 force
 C set [from-127.0.0.1-to-127.0.0.1]:Remote-ID=to-127.0.0.1 force
 C set [phase2-from-127.0.0.1-to-127.0.0.1]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-127.0.0.1-to-127.0.0.1]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-127.0.0.1-to-127.0.0.1]:Suites=phase2-suite-from-127.0.0.1-to-127.0.0.1 force
+C set [phase2-suite-from-127.0.0.1-to-127.0.0.1]:Protocols=phase2-protocol-from-127.0.0.1-to-127.0.0.1 force
+C set [phase2-protocol-from-127.0.0.1-to-127.0.0.1]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-127.0.0.1-to-127.0.0.1]:Transforms=phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-127.0.0.1]:ID-type=IPV4_ADDR force
 C set [from-127.0.0.1]:Address=127.0.0.1 force
 C set [to-127.0.0.1]:ID-type=IPV4_ADDR force
diff --git a/regress/sbin/ipsecctl/ike57.ok b/regress/sbin/ipsecctl/ike57.ok
index b99305288b1..cb2d4508eca 100644
--- a/regress/sbin/ipsecctl/ike57.ok
+++ b/regress/sbin/ipsecctl/ike57.ok
@@ -3,7 +3,13 @@ C set [peer-192.168.0.1]:Phase=1 force
 C set [peer-192.168.0.1]:Address=192.168.0.1 force
 C set [peer-192.168.0.1]:Configuration=phase1-peer-192.168.0.1 force
 C set [phase1-peer-192.168.0.1]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-192.168.0.1]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-192.168.0.1]:Transforms=phase1-transform-peer-192.168.0.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-192.168.0.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-192.168.0.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-192.168.0.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-192.168.0.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-192.168.0.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-192.168.0.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [peer-192.168.0.1]:ID=id-me@example.com force
 C set [id-me@example.com]:ID-type=USER_FQDN force
 C set [id-me@example.com]:Name=me@example.com force
@@ -16,7 +22,16 @@ C set [from-10.0.0.0/24-to-10.0.1.0/24]:Configuration=phase2-from-10.0.0.0/24-to
 C set [from-10.0.0.0/24-to-10.0.1.0/24]:Local-ID=from-10.0.0.0/24 force
 C set [from-10.0.0.0/24-to-10.0.1.0/24]:Remote-ID=to-10.0.1.0/24 force
 C set [phase2-from-10.0.0.0/24-to-10.0.1.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-10.0.0.0/24-to-10.0.1.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-10.0.0.0/24-to-10.0.1.0/24]:Suites=phase2-suite-from-10.0.0.0/24-to-10.0.1.0/24 force
+C set [phase2-suite-from-10.0.0.0/24-to-10.0.1.0/24]:Protocols=phase2-protocol-from-10.0.0.0/24-to-10.0.1.0/24 force
+C set [phase2-protocol-from-10.0.0.0/24-to-10.0.1.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-10.0.0.0/24-to-10.0.1.0/24]:Transforms=phase2-transform-from-10.0.0.0/24-to-10.0.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-10.0.0.0/24-to-10.0.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-10.0.0.0/24-to-10.0.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-10.0.0.0/24-to-10.0.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-10.0.0.0/24-to-10.0.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-10.0.0.0/24-to-10.0.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-10.0.0.0/24-to-10.0.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-10.0.0.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-10.0.0.0/24]:Network=10.0.0.0 force
 C set [from-10.0.0.0/24]:Netmask=255.255.255.0 force
@@ -29,7 +44,13 @@ C set [peer-192.168.0.2]:Phase=1 force
 C set [peer-192.168.0.2]:Address=192.168.0.2 force
 C set [peer-192.168.0.2]:Configuration=phase1-peer-192.168.0.2 force
 C set [phase1-peer-192.168.0.2]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-192.168.0.2]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-192.168.0.2]:Transforms=phase1-transform-peer-192.168.0.2-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-192.168.0.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-192.168.0.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-192.168.0.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-192.168.0.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-192.168.0.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-192.168.0.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [peer-192.168.0.2]:ID=id-me@example.com force
 C set [id-me@example.com]:ID-type=USER_FQDN force
 C set [id-me@example.com]:Name=me@example.com force
@@ -42,7 +63,16 @@ C set [from-10.0.0.0/24-to-10.0.2.0/24]:Configuration=phase2-from-10.0.0.0/24-to
 C set [from-10.0.0.0/24-to-10.0.2.0/24]:Local-ID=from-10.0.0.0/24 force
 C set [from-10.0.0.0/24-to-10.0.2.0/24]:Remote-ID=to-10.0.2.0/24 force
 C set [phase2-from-10.0.0.0/24-to-10.0.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-10.0.0.0/24-to-10.0.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-10.0.0.0/24-to-10.0.2.0/24]:Suites=phase2-suite-from-10.0.0.0/24-to-10.0.2.0/24 force
+C set [phase2-suite-from-10.0.0.0/24-to-10.0.2.0/24]:Protocols=phase2-protocol-from-10.0.0.0/24-to-10.0.2.0/24 force
+C set [phase2-protocol-from-10.0.0.0/24-to-10.0.2.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-10.0.0.0/24-to-10.0.2.0/24]:Transforms=phase2-transform-from-10.0.0.0/24-to-10.0.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-10.0.0.0/24-to-10.0.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-10.0.0.0/24-to-10.0.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-10.0.0.0/24-to-10.0.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-10.0.0.0/24-to-10.0.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-10.0.0.0/24-to-10.0.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-10.0.0.0/24-to-10.0.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-10.0.0.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-10.0.0.0/24]:Network=10.0.0.0 force
 C set [from-10.0.0.0/24]:Netmask=255.255.255.0 force
@@ -55,7 +85,13 @@ C set [peer-192.168.0.3]:Phase=1 force
 C set [peer-192.168.0.3]:Address=192.168.0.3 force
 C set [peer-192.168.0.3]:Configuration=phase1-peer-192.168.0.3 force
 C set [phase1-peer-192.168.0.3]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-192.168.0.3]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-192.168.0.3]:Transforms=phase1-transform-peer-192.168.0.3-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-192.168.0.3-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-192.168.0.3-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-192.168.0.3-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-192.168.0.3-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-192.168.0.3-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-192.168.0.3-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [peer-192.168.0.3]:ID=id-me.example.com force
 C set [id-me.example.com]:ID-type=FQDN force
 C set [id-me.example.com]:Name=me.example.com force
@@ -68,7 +104,16 @@ C set [from-10.0.0.0/24-to-10.0.3.0/24]:Configuration=phase2-from-10.0.0.0/24-to
 C set [from-10.0.0.0/24-to-10.0.3.0/24]:Local-ID=from-10.0.0.0/24 force
 C set [from-10.0.0.0/24-to-10.0.3.0/24]:Remote-ID=to-10.0.3.0/24 force
 C set [phase2-from-10.0.0.0/24-to-10.0.3.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-10.0.0.0/24-to-10.0.3.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-10.0.0.0/24-to-10.0.3.0/24]:Suites=phase2-suite-from-10.0.0.0/24-to-10.0.3.0/24 force
+C set [phase2-suite-from-10.0.0.0/24-to-10.0.3.0/24]:Protocols=phase2-protocol-from-10.0.0.0/24-to-10.0.3.0/24 force
+C set [phase2-protocol-from-10.0.0.0/24-to-10.0.3.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-10.0.0.0/24-to-10.0.3.0/24]:Transforms=phase2-transform-from-10.0.0.0/24-to-10.0.3.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-10.0.0.0/24-to-10.0.3.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-10.0.0.0/24-to-10.0.3.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-10.0.0.0/24-to-10.0.3.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-10.0.0.0/24-to-10.0.3.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-10.0.0.0/24-to-10.0.3.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-10.0.0.0/24-to-10.0.3.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-10.0.0.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-10.0.0.0/24]:Network=10.0.0.0 force
 C set [from-10.0.0.0/24]:Netmask=255.255.255.0 force
diff --git a/regress/sbin/ipsecctl/ike58.ok b/regress/sbin/ipsecctl/ike58.ok
index bc2f331a252..8b37caf2d61 100644
--- a/regress/sbin/ipsecctl/ike58.ok
+++ b/regress/sbin/ipsecctl/ike58.ok 
@@ -2,14 +2,29 @@ C set [Phase 1]:Default=peer-default force C set [peer-default]:Phase=1 force C set [peer-default]:Configuration=phase1-peer-default force C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-default]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-0.0.0.0/0-to-0.0.0.0/0]:Phase=2 force C set [from-0.0.0.0/0-to-0.0.0.0/0]:ISAKMP-peer=peer-default force C set [from-0.0.0.0/0-to-0.0.0.0/0]:Configuration=phase2-from-0.0.0.0/0-to-0.0.0.0/0 force C set [from-0.0.0.0/0-to-0.0.0.0/0]:Local-ID=from-0.0.0.0/0 force C set [from-0.0.0.0/0-to-0.0.0.0/0]:Remote-ID=to-0.0.0.0/0 force C set [phase2-from-0.0.0.0/0-to-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-0.0.0.0/0-to-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-0.0.0.0/0-to-0.0.0.0/0]:Suites=phase2-suite-from-0.0.0.0/0-to-0.0.0.0/0 force +C set [phase2-suite-from-0.0.0.0/0-to-0.0.0.0/0]:Protocols=phase2-protocol-from-0.0.0.0/0-to-0.0.0.0/0 force +C set [phase2-protocol-from-0.0.0.0/0-to-0.0.0.0/0]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-0.0.0.0/0-to-0.0.0.0/0]:Transforms=phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set 
[phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force C set [from-0.0.0.0/0]:Network=0.0.0.0 force C set [from-0.0.0.0/0]:Netmask=0.0.0.0 force 
@@ -21,14 +36,29 @@ C set [Phase 1]:Default=peer-default force C set [peer-default]:Phase=1 force C set [peer-default]:Configuration=phase1-peer-default force C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-default]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-::/0-to-::/0]:Phase=2 force C set [from-::/0-to-::/0]:ISAKMP-peer=peer-default force C set [from-::/0-to-::/0]:Configuration=phase2-from-::/0-to-::/0 force C set [from-::/0-to-::/0]:Local-ID=from-::/0 force C set [from-::/0-to-::/0]:Remote-ID=to-::/0 force C set [phase2-from-::/0-to-::/0]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-::/0-to-::/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-::/0-to-::/0]:Suites=phase2-suite-from-::/0-to-::/0 force +C set [phase2-suite-from-::/0-to-::/0]:Protocols=phase2-protocol-from-::/0-to-::/0 force +C set [phase2-protocol-from-::/0-to-::/0]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-::/0-to-::/0]:Transforms=phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set 
[phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-::/0]:ID-type=IPV6_ADDR_SUBNET force C set [from-::/0]:Network=:: force C set [from-::/0]:Netmask=:: force 
@@ -40,14 +70,29 @@ C set [Phase 1]:Default=peer-default force C set [peer-default]:Phase=1 force C set [peer-default]:Configuration=phase1-peer-default force C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-default]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-::/0-to-::/0]:Phase=2 force C set [from-::/0-to-::/0]:ISAKMP-peer=peer-default force C set [from-::/0-to-::/0]:Configuration=phase2-from-::/0-to-::/0 force C set [from-::/0-to-::/0]:Local-ID=from-::/0 force C set [from-::/0-to-::/0]:Remote-ID=to-::/0 force C set [phase2-from-::/0-to-::/0]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-::/0-to-::/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-::/0-to-::/0]:Suites=phase2-suite-from-::/0-to-::/0 force +C set [phase2-suite-from-::/0-to-::/0]:Protocols=phase2-protocol-from-::/0-to-::/0 force +C set [phase2-protocol-from-::/0-to-::/0]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-::/0-to-::/0]:Transforms=phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set 
[phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-::/0]:ID-type=IPV6_ADDR_SUBNET force C set [from-::/0]:Network=:: force C set [from-::/0]:Netmask=:: force diff --git a/regress/sbin/ipsecctl/ike59.ok b/regress/sbin/ipsecctl/ike59.ok index c356fbb08d2..ee0634bcb95 100644 --- a/regress/sbin/ipsecctl/ike59.ok +++ b/regress/sbin/ipsecctl/ike59.ok 
@@ -3,14 +3,29 @@ C set [peer-1.2.3.4]:Phase=1 force C set [peer-1.2.3.4]:Address=1.2.3.4 force C set [peer-1.2.3.4]:Configuration=phase1-peer-1.2.3.4 force C set [phase1-peer-1.2.3.4]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-1.2.3.4]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-1.2.3.4]:Transforms=phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-1.2.3.4-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-10.0.0.1/32-to-10.0.0.2/32]:Phase=2 force C set [from-10.0.0.1/32-to-10.0.0.2/32]:ISAKMP-peer=peer-1.2.3.4 force C set [from-10.0.0.1/32-to-10.0.0.2/32]:Configuration=phase2-from-10.0.0.1/32-to-10.0.0.2/32 force C set [from-10.0.0.1/32-to-10.0.0.2/32]:Local-ID=from-10.0.0.1/32 force C set [from-10.0.0.1/32-to-10.0.0.2/32]:Remote-ID=to-10.0.0.2/32 force C set [phase2-from-10.0.0.1/32-to-10.0.0.2/32]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-10.0.0.1/32-to-10.0.0.2/32]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-10.0.0.1/32-to-10.0.0.2/32]:Suites=phase2-suite-from-10.0.0.1/32-to-10.0.0.2/32 force +C set [phase2-suite-from-10.0.0.1/32-to-10.0.0.2/32]:Protocols=phase2-protocol-from-10.0.0.1/32-to-10.0.0.2/32 force +C set [phase2-protocol-from-10.0.0.1/32-to-10.0.0.2/32]:PROTOCOL_ID=IPSEC_ESP force +C set 
[phase2-protocol-from-10.0.0.1/32-to-10.0.0.2/32]:Transforms=phase2-transform-from-10.0.0.1/32-to-10.0.0.2/32-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-10.0.0.1/32-to-10.0.0.2/32-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-10.0.0.1/32-to-10.0.0.2/32-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-10.0.0.1/32-to-10.0.0.2/32-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-10.0.0.1/32-to-10.0.0.2/32-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-10.0.0.1/32-to-10.0.0.2/32-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-10.0.0.1/32-to-10.0.0.2/32-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-10.0.0.1/32]:ID-type=IPV4_ADDR_SUBNET force C set [from-10.0.0.1/32]:Network=10.0.0.1 force C set [from-10.0.0.1/32]:Netmask=255.255.255.255 force diff --git a/regress/sbin/ipsecctl/ike6.ok b/regress/sbin/ipsecctl/ike6.ok index f755e168d43..6c493238ab3 100644 --- a/regress/sbin/ipsecctl/ike6.ok +++ b/regress/sbin/ipsecctl/ike6.ok 
@@ -3,14 +3,29 @@ C set [peer-131.188.33.29]:Phase=1 force C set [peer-131.188.33.29]:Address=131.188.33.29 force C set [peer-131.188.33.29]:Configuration=phase1-peer-131.188.33.29 force C set [phase1-peer-131.188.33.29]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-131.188.33.29]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-131.188.33.29]:Transforms=phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-10.1.1.0/24-to-10.1.2.0/24]:Phase=2 force C set [from-10.1.1.0/24-to-10.1.2.0/24]:ISAKMP-peer=peer-131.188.33.29 force C set [from-10.1.1.0/24-to-10.1.2.0/24]:Configuration=phase2-from-10.1.1.0/24-to-10.1.2.0/24 force C set [from-10.1.1.0/24-to-10.1.2.0/24]:Local-ID=from-10.1.1.0/24 force C set [from-10.1.1.0/24-to-10.1.2.0/24]:Remote-ID=to-10.1.2.0/24 force C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24 force +C set [phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24]:Protocols=phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24 force +C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set 
[phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:Transforms=phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-10.1.1.0/24]:Network=10.1.1.0 force C set [from-10.1.1.0/24]:Netmask=255.255.255.0 force 
@@ -23,14 +38,29 @@ C set [peer-131.188.33.29]:Phase=1 force C set [peer-131.188.33.29]:Address=131.188.33.29 force C set [peer-131.188.33.29]:Configuration=phase1-peer-131.188.33.29 force C set [phase1-peer-131.188.33.29]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-131.188.33.29]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-131.188.33.29]:Transforms=phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-131.188.33.29-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-131.188.33.51-to-131.188.33.29]:Phase=2 force C set [from-131.188.33.51-to-131.188.33.29]:ISAKMP-peer=peer-131.188.33.29 force C set [from-131.188.33.51-to-131.188.33.29]:Configuration=phase2-from-131.188.33.51-to-131.188.33.29 force C set [from-131.188.33.51-to-131.188.33.29]:Local-ID=from-131.188.33.51 force C set [from-131.188.33.51-to-131.188.33.29]:Remote-ID=to-131.188.33.29 force C set [phase2-from-131.188.33.51-to-131.188.33.29]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-131.188.33.51-to-131.188.33.29]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-131.188.33.51-to-131.188.33.29]:Suites=phase2-suite-from-131.188.33.51-to-131.188.33.29 force +C set [phase2-suite-from-131.188.33.51-to-131.188.33.29]:Protocols=phase2-protocol-from-131.188.33.51-to-131.188.33.29 force +C set 
[phase2-protocol-from-131.188.33.51-to-131.188.33.29]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-131.188.33.51-to-131.188.33.29]:Transforms=phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-131.188.33.51-to-131.188.33.29-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-131.188.33.51]:ID-type=IPV4_ADDR force C set [from-131.188.33.51]:Address=131.188.33.51 force C set [to-131.188.33.29]:ID-type=IPV4_ADDR force diff --git a/regress/sbin/ipsecctl/ike60.ok b/regress/sbin/ipsecctl/ike60.ok index 2d0b5724e04..8df2195e099 100644 --- a/regress/sbin/ipsecctl/ike60.ok +++ b/regress/sbin/ipsecctl/ike60.ok 
@@ -2,14 +2,29 @@ C set [Phase 1]:Default=peer-default force C set [peer-default]:Phase=1 force C set [peer-default]:Configuration=phase1-peer-default force C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-default]:Transforms=AES-128-SHA-RSA_SIG force +C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:128-MODP_1024 force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:128-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:128-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:128-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:128-MODP_1024]:KEY_LENGTH=128,128:128 force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:128-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:128-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-10.0.0.1-to-0.0.0.0/0]:Phase=2 force C set [from-10.0.0.1-to-0.0.0.0/0]:ISAKMP-peer=peer-default force C set [from-10.0.0.1-to-0.0.0.0/0]:Configuration=phase2-from-10.0.0.1-to-0.0.0.0/0 force C set [from-10.0.0.1-to-0.0.0.0/0]:Local-ID=from-10.0.0.1 force C set [from-10.0.0.1-to-0.0.0.0/0]:Remote-ID=to-0.0.0.0/0 force C set [phase2-from-10.0.0.1-to-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-10.0.0.1-to-0.0.0.0/0]:Suites=QM-ESP-AES-128-SHA2-256-PFS-SUITE force +C set [phase2-from-10.0.0.1-to-0.0.0.0/0]:Suites=phase2-suite-from-10.0.0.1-to-0.0.0.0/0 force +C set [phase2-suite-from-10.0.0.1-to-0.0.0.0/0]:Protocols=phase2-protocol-from-10.0.0.1-to-0.0.0.0/0 force +C set [phase2-protocol-from-10.0.0.1-to-0.0.0.0/0]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-10.0.0.1-to-0.0.0.0/0]:Transforms=phase2-transform-from-10.0.0.1-to-0.0.0.0/0-AES128,128:128-SHA2_256-MODP_1024-TUNNEL force +C set 
[phase2-transform-from-10.0.0.1-to-0.0.0.0/0-AES128,128:128-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-10.0.0.1-to-0.0.0.0/0-AES128,128:128-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:128 force +C set [phase2-transform-from-10.0.0.1-to-0.0.0.0/0-AES128,128:128-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-10.0.0.1-to-0.0.0.0/0-AES128,128:128-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-10.0.0.1-to-0.0.0.0/0-AES128,128:128-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-10.0.0.1-to-0.0.0.0/0-AES128,128:128-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-10.0.0.1]:ID-type=IPV4_ADDR force C set [from-10.0.0.1]:Address=10.0.0.1 force C set [to-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force 
@@ -20,14 +35,29 @@ C set [Phase 1]:Default=peer-default force C set [peer-default]:Phase=1 force C set [peer-default]:Configuration=phase1-peer-default force C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-default]:Transforms=AES-192-SHA-RSA_SIG force +C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-RSA_SIG-SHA-AES192,192:192-MODP_1024 force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES192,192:192-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES192,192:192-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES192,192:192-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES192,192:192-MODP_1024]:KEY_LENGTH=192,192:192 force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES192,192:192-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES192,192:192-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-10.0.0.2-to-0.0.0.0/0]:Phase=2 force C set [from-10.0.0.2-to-0.0.0.0/0]:ISAKMP-peer=peer-default force C set [from-10.0.0.2-to-0.0.0.0/0]:Configuration=phase2-from-10.0.0.2-to-0.0.0.0/0 force C set [from-10.0.0.2-to-0.0.0.0/0]:Local-ID=from-10.0.0.2 force C set [from-10.0.0.2-to-0.0.0.0/0]:Remote-ID=to-0.0.0.0/0 force C set [phase2-from-10.0.0.2-to-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-10.0.0.2-to-0.0.0.0/0]:Suites=QM-ESP-AES-192-SHA2-256-PFS-SUITE force +C set [phase2-from-10.0.0.2-to-0.0.0.0/0]:Suites=phase2-suite-from-10.0.0.2-to-0.0.0.0/0 force +C set [phase2-suite-from-10.0.0.2-to-0.0.0.0/0]:Protocols=phase2-protocol-from-10.0.0.2-to-0.0.0.0/0 force +C set [phase2-protocol-from-10.0.0.2-to-0.0.0.0/0]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-10.0.0.2-to-0.0.0.0/0]:Transforms=phase2-transform-from-10.0.0.2-to-0.0.0.0/0-AES192,192:192-SHA2_256-MODP_1024-TUNNEL force +C set 
[phase2-transform-from-10.0.0.2-to-0.0.0.0/0-AES192,192:192-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-10.0.0.2-to-0.0.0.0/0-AES192,192:192-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=192,192:192 force +C set [phase2-transform-from-10.0.0.2-to-0.0.0.0/0-AES192,192:192-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-10.0.0.2-to-0.0.0.0/0-AES192,192:192-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-10.0.0.2-to-0.0.0.0/0-AES192,192:192-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-10.0.0.2-to-0.0.0.0/0-AES192,192:192-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-10.0.0.2]:ID-type=IPV4_ADDR force C set [from-10.0.0.2]:Address=10.0.0.2 force C set [to-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force 
@@ -38,14 +68,29 @@ C set [Phase 1]:Default=peer-default force C set [peer-default]:Phase=1 force C set [peer-default]:Configuration=phase1-peer-default force C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-default]:Transforms=AES-256-SHA-RSA_SIG force +C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-RSA_SIG-SHA-AES256,256:256-MODP_1024 force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES256,256:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES256,256:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES256,256:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES256,256:256-MODP_1024]:KEY_LENGTH=256,256:256 force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES256,256:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-default-RSA_SIG-SHA-AES256,256:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-10.0.0.3-to-0.0.0.0/0]:Phase=2 force C set [from-10.0.0.3-to-0.0.0.0/0]:ISAKMP-peer=peer-default force C set [from-10.0.0.3-to-0.0.0.0/0]:Configuration=phase2-from-10.0.0.3-to-0.0.0.0/0 force C set [from-10.0.0.3-to-0.0.0.0/0]:Local-ID=from-10.0.0.3 force C set [from-10.0.0.3-to-0.0.0.0/0]:Remote-ID=to-0.0.0.0/0 force C set [phase2-from-10.0.0.3-to-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-10.0.0.3-to-0.0.0.0/0]:Suites=QM-ESP-AES-256-SHA2-256-PFS-SUITE force +C set [phase2-from-10.0.0.3-to-0.0.0.0/0]:Suites=phase2-suite-from-10.0.0.3-to-0.0.0.0/0 force +C set [phase2-suite-from-10.0.0.3-to-0.0.0.0/0]:Protocols=phase2-protocol-from-10.0.0.3-to-0.0.0.0/0 force +C set [phase2-protocol-from-10.0.0.3-to-0.0.0.0/0]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-10.0.0.3-to-0.0.0.0/0]:Transforms=phase2-transform-from-10.0.0.3-to-0.0.0.0/0-AES256,256:256-SHA2_256-MODP_1024-TUNNEL force +C set 
[phase2-transform-from-10.0.0.3-to-0.0.0.0/0-AES256,256:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-10.0.0.3-to-0.0.0.0/0-AES256,256:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=256,256:256 force +C set [phase2-transform-from-10.0.0.3-to-0.0.0.0/0-AES256,256:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-10.0.0.3-to-0.0.0.0/0-AES256,256:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-10.0.0.3-to-0.0.0.0/0-AES256,256:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-10.0.0.3-to-0.0.0.0/0-AES256,256:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-10.0.0.3]:ID-type=IPV4_ADDR force C set [from-10.0.0.3]:Address=10.0.0.3 force C set [to-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force diff --git a/regress/sbin/ipsecctl/ike61.ok b/regress/sbin/ipsecctl/ike61.ok index 0960408fb5d..0857b1cf06c 100644 --- a/regress/sbin/ipsecctl/ike61.ok +++ b/regress/sbin/ipsecctl/ike61.ok 
@@ -5,7 +5,13 @@ C set [peer-1.1.1.1]:Phase=1 force C set [peer-1.1.1.1]:Address=1.1.1.1 force C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-2.2.2.0/24-to-5.5.5.0/24]:Phase=2 force C set [from-2.2.2.0/24-to-5.5.5.0/24]:ISAKMP-peer=peer-1.1.1.1 force C set [from-2.2.2.0/24-to-5.5.5.0/24]:Configuration=phase2-from-2.2.2.0/24-to-5.5.5.0/24 force 
@@ -13,7 +19,16 @@ C set [from-2.2.2.0/24-to-5.5.5.0/24]:Local-ID=from-2.2.2.0/24 force C set [from-2.2.2.0/24-to-5.5.5.0/24]:NAT-ID=nat-5.5.5.0/24 force C set [from-2.2.2.0/24-to-5.5.5.0/24]:Remote-ID=to-5.5.5.0/24 force C set [phase2-from-2.2.2.0/24-to-5.5.5.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-2.2.2.0/24-to-5.5.5.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-2.2.2.0/24-to-5.5.5.0/24]:Suites=phase2-suite-from-2.2.2.0/24-to-5.5.5.0/24 force +C set [phase2-suite-from-2.2.2.0/24-to-5.5.5.0/24]:Protocols=phase2-protocol-from-2.2.2.0/24-to-5.5.5.0/24 force +C set [phase2-protocol-from-2.2.2.0/24-to-5.5.5.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-2.2.2.0/24-to-5.5.5.0/24]:Transforms=phase2-transform-from-2.2.2.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-2.2.2.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-2.2.2.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-2.2.2.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-2.2.2.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-2.2.2.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-2.2.2.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-2.2.2.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-2.2.2.0/24]:Network=2.2.2.0 force C set [from-2.2.2.0/24]:Netmask=255.255.255.0 force 
@@ -29,7 +44,13 @@ C set [peer-1.1.1.1]:Phase=1 force C set [peer-1.1.1.1]:Address=1.1.1.1 force C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-2.2.2.0/24-to-6.6.6.0/24]:Phase=2 force C set [from-2.2.2.0/24-to-6.6.6.0/24]:ISAKMP-peer=peer-1.1.1.1 force C set [from-2.2.2.0/24-to-6.6.6.0/24]:Configuration=phase2-from-2.2.2.0/24-to-6.6.6.0/24 force 
@@ -37,7 +58,16 @@ C set [from-2.2.2.0/24-to-6.6.6.0/24]:Local-ID=from-2.2.2.0/24 force
 C set [from-2.2.2.0/24-to-6.6.6.0/24]:NAT-ID=nat-5.5.5.0/24 force
 C set [from-2.2.2.0/24-to-6.6.6.0/24]:Remote-ID=to-6.6.6.0/24 force
 C set [phase2-from-2.2.2.0/24-to-6.6.6.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-2.2.2.0/24-to-6.6.6.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-2.2.2.0/24-to-6.6.6.0/24]:Suites=phase2-suite-from-2.2.2.0/24-to-6.6.6.0/24 force
+C set [phase2-suite-from-2.2.2.0/24-to-6.6.6.0/24]:Protocols=phase2-protocol-from-2.2.2.0/24-to-6.6.6.0/24 force
+C set [phase2-protocol-from-2.2.2.0/24-to-6.6.6.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-2.2.2.0/24-to-6.6.6.0/24]:Transforms=phase2-transform-from-2.2.2.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-2.2.2.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-2.2.2.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-2.2.2.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-2.2.2.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-2.2.2.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-2.2.2.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-2.2.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-2.2.2.0/24]:Network=2.2.2.0 force
 C set [from-2.2.2.0/24]:Netmask=255.255.255.0 force
@@ -53,7 +83,13 @@ C set [peer-1.1.1.1]:Phase=1 force
 C set [peer-1.1.1.1]:Address=1.1.1.1 force
 C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force
 C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-2.2.2.0/24-to-7.7.7.0/24]:Phase=2 force
 C set [from-2.2.2.0/24-to-7.7.7.0/24]:ISAKMP-peer=peer-1.1.1.1 force
 C set [from-2.2.2.0/24-to-7.7.7.0/24]:Configuration=phase2-from-2.2.2.0/24-to-7.7.7.0/24 force
@@ -61,7 +97,16 @@ C set [from-2.2.2.0/24-to-7.7.7.0/24]:Local-ID=from-2.2.2.0/24 force
 C set [from-2.2.2.0/24-to-7.7.7.0/24]:NAT-ID=nat-5.5.5.0/24 force
 C set [from-2.2.2.0/24-to-7.7.7.0/24]:Remote-ID=to-7.7.7.0/24 force
 C set [phase2-from-2.2.2.0/24-to-7.7.7.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-2.2.2.0/24-to-7.7.7.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-2.2.2.0/24-to-7.7.7.0/24]:Suites=phase2-suite-from-2.2.2.0/24-to-7.7.7.0/24 force
+C set [phase2-suite-from-2.2.2.0/24-to-7.7.7.0/24]:Protocols=phase2-protocol-from-2.2.2.0/24-to-7.7.7.0/24 force
+C set [phase2-protocol-from-2.2.2.0/24-to-7.7.7.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-2.2.2.0/24-to-7.7.7.0/24]:Transforms=phase2-transform-from-2.2.2.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-2.2.2.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-2.2.2.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-2.2.2.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-2.2.2.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-2.2.2.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-2.2.2.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-2.2.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-2.2.2.0/24]:Network=2.2.2.0 force
 C set [from-2.2.2.0/24]:Netmask=255.255.255.0 force
@@ -77,14 +122,29 @@ C set [peer-1.1.1.1]:Phase=1 force
 C set [peer-1.1.1.1]:Address=1.1.1.1 force
 C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force
 C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-3.3.3.0/24-to-5.5.5.0/24]:Phase=2 force
 C set [from-3.3.3.0/24-to-5.5.5.0/24]:ISAKMP-peer=peer-1.1.1.1 force
 C set [from-3.3.3.0/24-to-5.5.5.0/24]:Configuration=phase2-from-3.3.3.0/24-to-5.5.5.0/24 force
 C set [from-3.3.3.0/24-to-5.5.5.0/24]:Local-ID=from-3.3.3.0/24 force
 C set [from-3.3.3.0/24-to-5.5.5.0/24]:Remote-ID=to-5.5.5.0/24 force
 C set [phase2-from-3.3.3.0/24-to-5.5.5.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3.3.3.0/24-to-5.5.5.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3.3.3.0/24-to-5.5.5.0/24]:Suites=phase2-suite-from-3.3.3.0/24-to-5.5.5.0/24 force
+C set [phase2-suite-from-3.3.3.0/24-to-5.5.5.0/24]:Protocols=phase2-protocol-from-3.3.3.0/24-to-5.5.5.0/24 force
+C set [phase2-protocol-from-3.3.3.0/24-to-5.5.5.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3.3.3.0/24-to-5.5.5.0/24]:Transforms=phase2-transform-from-3.3.3.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3.3.3.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3.3.3.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3.3.3.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3.3.3.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3.3.3.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3.3.3.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3.3.3.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-3.3.3.0/24]:Network=3.3.3.0 force
 C set [from-3.3.3.0/24]:Netmask=255.255.255.0 force
@@ -97,14 +157,29 @@ C set [peer-1.1.1.1]:Phase=1 force
 C set [peer-1.1.1.1]:Address=1.1.1.1 force
 C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force
 C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-3.3.3.0/24-to-6.6.6.0/24]:Phase=2 force
 C set [from-3.3.3.0/24-to-6.6.6.0/24]:ISAKMP-peer=peer-1.1.1.1 force
 C set [from-3.3.3.0/24-to-6.6.6.0/24]:Configuration=phase2-from-3.3.3.0/24-to-6.6.6.0/24 force
 C set [from-3.3.3.0/24-to-6.6.6.0/24]:Local-ID=from-3.3.3.0/24 force
 C set [from-3.3.3.0/24-to-6.6.6.0/24]:Remote-ID=to-6.6.6.0/24 force
 C set [phase2-from-3.3.3.0/24-to-6.6.6.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3.3.3.0/24-to-6.6.6.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3.3.3.0/24-to-6.6.6.0/24]:Suites=phase2-suite-from-3.3.3.0/24-to-6.6.6.0/24 force
+C set [phase2-suite-from-3.3.3.0/24-to-6.6.6.0/24]:Protocols=phase2-protocol-from-3.3.3.0/24-to-6.6.6.0/24 force
+C set [phase2-protocol-from-3.3.3.0/24-to-6.6.6.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3.3.3.0/24-to-6.6.6.0/24]:Transforms=phase2-transform-from-3.3.3.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3.3.3.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3.3.3.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3.3.3.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3.3.3.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3.3.3.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3.3.3.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3.3.3.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-3.3.3.0/24]:Network=3.3.3.0 force
 C set [from-3.3.3.0/24]:Netmask=255.255.255.0 force
@@ -117,14 +192,29 @@ C set [peer-1.1.1.1]:Phase=1 force
 C set [peer-1.1.1.1]:Address=1.1.1.1 force
 C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force
 C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-3.3.3.0/24-to-7.7.7.0/24]:Phase=2 force
 C set [from-3.3.3.0/24-to-7.7.7.0/24]:ISAKMP-peer=peer-1.1.1.1 force
 C set [from-3.3.3.0/24-to-7.7.7.0/24]:Configuration=phase2-from-3.3.3.0/24-to-7.7.7.0/24 force
 C set [from-3.3.3.0/24-to-7.7.7.0/24]:Local-ID=from-3.3.3.0/24 force
 C set [from-3.3.3.0/24-to-7.7.7.0/24]:Remote-ID=to-7.7.7.0/24 force
 C set [phase2-from-3.3.3.0/24-to-7.7.7.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3.3.3.0/24-to-7.7.7.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3.3.3.0/24-to-7.7.7.0/24]:Suites=phase2-suite-from-3.3.3.0/24-to-7.7.7.0/24 force
+C set [phase2-suite-from-3.3.3.0/24-to-7.7.7.0/24]:Protocols=phase2-protocol-from-3.3.3.0/24-to-7.7.7.0/24 force
+C set [phase2-protocol-from-3.3.3.0/24-to-7.7.7.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3.3.3.0/24-to-7.7.7.0/24]:Transforms=phase2-transform-from-3.3.3.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3.3.3.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3.3.3.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3.3.3.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3.3.3.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3.3.3.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3.3.3.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3.3.3.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-3.3.3.0/24]:Network=3.3.3.0 force
 C set [from-3.3.3.0/24]:Netmask=255.255.255.0 force
@@ -137,7 +227,13 @@ C set [peer-1.1.1.1]:Phase=1 force
 C set [peer-1.1.1.1]:Address=1.1.1.1 force
 C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force
 C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-4.4.4.0/24-to-5.5.5.0/24]:Phase=2 force
 C set [from-4.4.4.0/24-to-5.5.5.0/24]:ISAKMP-peer=peer-1.1.1.1 force
 C set [from-4.4.4.0/24-to-5.5.5.0/24]:Configuration=phase2-from-4.4.4.0/24-to-5.5.5.0/24 force
@@ -145,7 +241,16 @@ C set [from-4.4.4.0/24-to-5.5.5.0/24]:Local-ID=from-4.4.4.0/24 force
 C set [from-4.4.4.0/24-to-5.5.5.0/24]:NAT-ID=nat-6.6.6.0/24 force
 C set [from-4.4.4.0/24-to-5.5.5.0/24]:Remote-ID=to-5.5.5.0/24 force
 C set [phase2-from-4.4.4.0/24-to-5.5.5.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-4.4.4.0/24-to-5.5.5.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-4.4.4.0/24-to-5.5.5.0/24]:Suites=phase2-suite-from-4.4.4.0/24-to-5.5.5.0/24 force
+C set [phase2-suite-from-4.4.4.0/24-to-5.5.5.0/24]:Protocols=phase2-protocol-from-4.4.4.0/24-to-5.5.5.0/24 force
+C set [phase2-protocol-from-4.4.4.0/24-to-5.5.5.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-4.4.4.0/24-to-5.5.5.0/24]:Transforms=phase2-transform-from-4.4.4.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-4.4.4.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-4.4.4.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-4.4.4.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-4.4.4.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-4.4.4.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-4.4.4.0/24-to-5.5.5.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-4.4.4.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-4.4.4.0/24]:Network=4.4.4.0 force
 C set [from-4.4.4.0/24]:Netmask=255.255.255.0 force
@@ -161,7 +266,13 @@ C set [peer-1.1.1.1]:Phase=1 force
 C set [peer-1.1.1.1]:Address=1.1.1.1 force
 C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force
 C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-4.4.4.0/24-to-6.6.6.0/24]:Phase=2 force
 C set [from-4.4.4.0/24-to-6.6.6.0/24]:ISAKMP-peer=peer-1.1.1.1 force
 C set [from-4.4.4.0/24-to-6.6.6.0/24]:Configuration=phase2-from-4.4.4.0/24-to-6.6.6.0/24 force
@@ -169,7 +280,16 @@ C set [from-4.4.4.0/24-to-6.6.6.0/24]:Local-ID=from-4.4.4.0/24 force
 C set [from-4.4.4.0/24-to-6.6.6.0/24]:NAT-ID=nat-6.6.6.0/24 force
 C set [from-4.4.4.0/24-to-6.6.6.0/24]:Remote-ID=to-6.6.6.0/24 force
 C set [phase2-from-4.4.4.0/24-to-6.6.6.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-4.4.4.0/24-to-6.6.6.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-4.4.4.0/24-to-6.6.6.0/24]:Suites=phase2-suite-from-4.4.4.0/24-to-6.6.6.0/24 force
+C set [phase2-suite-from-4.4.4.0/24-to-6.6.6.0/24]:Protocols=phase2-protocol-from-4.4.4.0/24-to-6.6.6.0/24 force
+C set [phase2-protocol-from-4.4.4.0/24-to-6.6.6.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-4.4.4.0/24-to-6.6.6.0/24]:Transforms=phase2-transform-from-4.4.4.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-4.4.4.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-4.4.4.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-4.4.4.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-4.4.4.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-4.4.4.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-4.4.4.0/24-to-6.6.6.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-4.4.4.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-4.4.4.0/24]:Network=4.4.4.0 force
 C set [from-4.4.4.0/24]:Netmask=255.255.255.0 force
@@ -185,7 +305,13 @@ C set [peer-1.1.1.1]:Phase=1 force
 C set [peer-1.1.1.1]:Address=1.1.1.1 force
 C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force
 C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-4.4.4.0/24-to-7.7.7.0/24]:Phase=2 force
 C set [from-4.4.4.0/24-to-7.7.7.0/24]:ISAKMP-peer=peer-1.1.1.1 force
 C set [from-4.4.4.0/24-to-7.7.7.0/24]:Configuration=phase2-from-4.4.4.0/24-to-7.7.7.0/24 force
@@ -193,7 +319,16 @@ C set [from-4.4.4.0/24-to-7.7.7.0/24]:Local-ID=from-4.4.4.0/24 force
 C set [from-4.4.4.0/24-to-7.7.7.0/24]:NAT-ID=nat-6.6.6.0/24 force
 C set [from-4.4.4.0/24-to-7.7.7.0/24]:Remote-ID=to-7.7.7.0/24 force
 C set [phase2-from-4.4.4.0/24-to-7.7.7.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-4.4.4.0/24-to-7.7.7.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-4.4.4.0/24-to-7.7.7.0/24]:Suites=phase2-suite-from-4.4.4.0/24-to-7.7.7.0/24 force
+C set [phase2-suite-from-4.4.4.0/24-to-7.7.7.0/24]:Protocols=phase2-protocol-from-4.4.4.0/24-to-7.7.7.0/24 force
+C set [phase2-protocol-from-4.4.4.0/24-to-7.7.7.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-4.4.4.0/24-to-7.7.7.0/24]:Transforms=phase2-transform-from-4.4.4.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-4.4.4.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-4.4.4.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-4.4.4.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-4.4.4.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-4.4.4.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-4.4.4.0/24-to-7.7.7.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-4.4.4.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-4.4.4.0/24]:Network=4.4.4.0 force
 C set [from-4.4.4.0/24]:Netmask=255.255.255.0 force
@@ -209,7 +344,13 @@ C set [peer-3ffe::51]:Phase=1 force
 C set [peer-3ffe::51]:Address=3ffe::51 force
 C set [peer-3ffe::51]:Configuration=phase1-peer-3ffe::51 force
 C set [phase1-peer-3ffe::51]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-3ffe::51]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-3ffe::51]:Transforms=phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-3ffe::51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-3ffe:1::/64-to-3ffe:2::/64]:Phase=2 force
 C set [from-3ffe:1::/64-to-3ffe:2::/64]:ISAKMP-peer=peer-3ffe::51 force
 C set [from-3ffe:1::/64-to-3ffe:2::/64]:Configuration=phase2-from-3ffe:1::/64-to-3ffe:2::/64 force
@@ -217,7 +358,16 @@ C set [from-3ffe:1::/64-to-3ffe:2::/64]:Local-ID=from-3ffe:1::/64 force
 C set [from-3ffe:1::/64-to-3ffe:2::/64]:NAT-ID=nat-affe:1::/64 force
 C set [from-3ffe:1::/64-to-3ffe:2::/64]:Remote-ID=to-3ffe:2::/64 force
 C set [phase2-from-3ffe:1::/64-to-3ffe:2::/64]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3ffe:1::/64-to-3ffe:2::/64]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3ffe:1::/64-to-3ffe:2::/64]:Suites=phase2-suite-from-3ffe:1::/64-to-3ffe:2::/64 force
+C set [phase2-suite-from-3ffe:1::/64-to-3ffe:2::/64]:Protocols=phase2-protocol-from-3ffe:1::/64-to-3ffe:2::/64 force
+C set [phase2-protocol-from-3ffe:1::/64-to-3ffe:2::/64]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3ffe:1::/64-to-3ffe:2::/64]:Transforms=phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3ffe:1::/64-to-3ffe:2::/64-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3ffe:1::/64]:ID-type=IPV6_ADDR_SUBNET force
 C set [from-3ffe:1::/64]:Network=3ffe:1:: force
 C set [from-3ffe:1::/64]:Netmask=ffff:ffff:ffff:ffff:: force
diff --git a/regress/sbin/ipsecctl/ike62.ok b/regress/sbin/ipsecctl/ike62.ok
index c50b3a2f5e0..a911875e107 100644
--- a/regress/sbin/ipsecctl/ike62.ok
+++ b/regress/sbin/ipsecctl/ike62.ok 
@@ -3,14 +3,29 @@ C set [peer-2.2.2.2]:Phase=1 force
 C set [peer-2.2.2.2]:Address=2.2.2.2 force
 C set [peer-2.2.2.2]:Configuration=phase1-peer-2.2.2.2 force
 C set [phase1-peer-2.2.2.2]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-2.2.2.2]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-2.2.2.2]:Transforms=phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-1.1.1.1-to-2.2.2.2]:Phase=2 force
 C set [from-1.1.1.1-to-2.2.2.2]:ISAKMP-peer=peer-2.2.2.2 force
 C set [from-1.1.1.1-to-2.2.2.2]:Configuration=phase2-from-1.1.1.1-to-2.2.2.2 force
 C set [from-1.1.1.1-to-2.2.2.2]:Local-ID=from-1.1.1.1 force
 C set [from-1.1.1.1-to-2.2.2.2]:Remote-ID=to-2.2.2.2 force
 C set [phase2-from-1.1.1.1-to-2.2.2.2]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-1.1.1.1-to-2.2.2.2]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-1.1.1.1-to-2.2.2.2]:Suites=phase2-suite-from-1.1.1.1-to-2.2.2.2 force
+C set [phase2-suite-from-1.1.1.1-to-2.2.2.2]:Protocols=phase2-protocol-from-1.1.1.1-to-2.2.2.2 force
+C set [phase2-protocol-from-1.1.1.1-to-2.2.2.2]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-1.1.1.1-to-2.2.2.2]:Transforms=phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-1.1.1.1-to-2.2.2.2-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-1.1.1.1]:ID-type=IPV4_ADDR force
 C set [from-1.1.1.1]:Address=1.1.1.1 force
 C set [to-2.2.2.2]:ID-type=IPV4_ADDR force
@@ -20,14 +35,29 @@ C set [Phase 1]:Default=peer-default force
 C set [peer-default]:Phase=1 force
 C set [peer-default]:Configuration=phase1-peer-default force
 C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-default]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-3.3.3.3-to-4.4.4.4]:Phase=2 force
 C set [from-3.3.3.3-to-4.4.4.4]:ISAKMP-peer=peer-default force
 C set [from-3.3.3.3-to-4.4.4.4]:Configuration=phase2-from-3.3.3.3-to-4.4.4.4 force
 C set [from-3.3.3.3-to-4.4.4.4]:Local-ID=from-3.3.3.3 force
 C set [from-3.3.3.3-to-4.4.4.4]:Remote-ID=to-4.4.4.4 force
 C set [phase2-from-3.3.3.3-to-4.4.4.4]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3.3.3.3-to-4.4.4.4]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3.3.3.3-to-4.4.4.4]:Suites=phase2-suite-from-3.3.3.3-to-4.4.4.4 force
+C set [phase2-suite-from-3.3.3.3-to-4.4.4.4]:Protocols=phase2-protocol-from-3.3.3.3-to-4.4.4.4 force
+C set [phase2-protocol-from-3.3.3.3-to-4.4.4.4]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3.3.3.3-to-4.4.4.4]:Transforms=phase2-transform-from-3.3.3.3-to-4.4.4.4-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3.3.3.3-to-4.4.4.4-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3.3.3.3-to-4.4.4.4-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3.3.3.3-to-4.4.4.4-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3.3.3.3-to-4.4.4.4-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3.3.3.3-to-4.4.4.4-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3.3.3.3-to-4.4.4.4-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3.3.3.3]:ID-type=IPV4_ADDR force
 C set [from-3.3.3.3]:Address=3.3.3.3 force
 C set [to-4.4.4.4]:ID-type=IPV4_ADDR force
@@ -38,14 +68,29 @@ C set [peer-9.9.9.9]:Phase=1 force C set [peer-9.9.9.9]:Address=9.9.9.9 force C set [peer-9.9.9.9]:Configuration=phase1-peer-9.9.9.9 force C set [phase1-peer-9.9.9.9]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-9.9.9.9]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-9.9.9.9]:Transforms=phase1-transform-peer-9.9.9.9-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-9.9.9.9-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-9.9.9.9-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-9.9.9.9-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-9.9.9.9-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-9.9.9.9-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-9.9.9.9-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-5.5.5.5-to-6.6.6.6]:Phase=2 force C set [from-5.5.5.5-to-6.6.6.6]:ISAKMP-peer=peer-9.9.9.9 force C set [from-5.5.5.5-to-6.6.6.6]:Configuration=phase2-from-5.5.5.5-to-6.6.6.6 force C set [from-5.5.5.5-to-6.6.6.6]:Local-ID=from-5.5.5.5 force C set [from-5.5.5.5-to-6.6.6.6]:Remote-ID=to-6.6.6.6 force C set [phase2-from-5.5.5.5-to-6.6.6.6]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-5.5.5.5-to-6.6.6.6]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-5.5.5.5-to-6.6.6.6]:Suites=phase2-suite-from-5.5.5.5-to-6.6.6.6 force +C set [phase2-suite-from-5.5.5.5-to-6.6.6.6]:Protocols=phase2-protocol-from-5.5.5.5-to-6.6.6.6 force +C set [phase2-protocol-from-5.5.5.5-to-6.6.6.6]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-5.5.5.5-to-6.6.6.6]:Transforms=phase2-transform-from-5.5.5.5-to-6.6.6.6-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set 
[phase2-transform-from-5.5.5.5-to-6.6.6.6-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-5.5.5.5-to-6.6.6.6-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-5.5.5.5-to-6.6.6.6-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-5.5.5.5-to-6.6.6.6-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-5.5.5.5-to-6.6.6.6-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-5.5.5.5-to-6.6.6.6-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-5.5.5.5]:ID-type=IPV4_ADDR force C set [from-5.5.5.5]:Address=5.5.5.5 force C set [to-6.6.6.6]:ID-type=IPV4_ADDR force diff --git a/regress/sbin/ipsecctl/ike63.ok b/regress/sbin/ipsecctl/ike63.ok index e01e9f08789..fbd21f2e585 100644 --- a/regress/sbin/ipsecctl/ike63.ok +++ b/regress/sbin/ipsecctl/ike63.ok 
@@ -3,7 +3,13 @@ C set [peer-1.1.1.1]:Phase=1 force C set [peer-1.1.1.1]:Address=1.1.1.1 force C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [peer-1.1.1.1]:ID=id-2.2.2.2 force C set [id-2.2.2.2]:ID-type=IPV4_ADDR force C set [id-2.2.2.2]:Address=2.2.2.2 force 
@@ -13,7 +19,16 @@ C set [from-10.1.1.0/24-to-10.1.2.0/24]:Configuration=phase2-from-10.1.1.0/24-to C set [from-10.1.1.0/24-to-10.1.2.0/24]:Local-ID=from-10.1.1.0/24 force C set [from-10.1.1.0/24-to-10.1.2.0/24]:Remote-ID=to-10.1.2.0/24 force C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24 force +C set [phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24]:Protocols=phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24 force +C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:Transforms=phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-10.1.1.0/24]:Network=10.1.1.0 force C set [from-10.1.1.0/24]:Netmask=255.255.255.0 force diff --git a/regress/sbin/ipsecctl/ike64.ok b/regress/sbin/ipsecctl/ike64.ok index e0beaef2c31..5b27be9d3c8 100644 --- a/regress/sbin/ipsecctl/ike64.ok 
+++ b/regress/sbin/ipsecctl/ike64.ok @@ -3,7 +3,13 @@ C set [peer-1.1.1.1]:Phase=1 force C set [peer-1.1.1.1]:Address=1.1.1.1 force C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [peer-1.1.1.1]:Remote-ID=id-1.1.1.1 force C set [id-1.1.1.1]:ID-type=IPV4_ADDR force C set [id-1.1.1.1]:Address=1.1.1.1 force 
@@ -13,7 +19,16 @@ C set [from-10.1.1.0/24-to-10.1.2.0/24]:Configuration=phase2-from-10.1.1.0/24-to C set [from-10.1.1.0/24-to-10.1.2.0/24]:Local-ID=from-10.1.1.0/24 force C set [from-10.1.1.0/24-to-10.1.2.0/24]:Remote-ID=to-10.1.2.0/24 force C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24 force +C set [phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24]:Protocols=phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24 force +C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:Transforms=phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-10.1.1.0/24]:Network=10.1.1.0 force C set [from-10.1.1.0/24]:Netmask=255.255.255.0 force diff --git a/regress/sbin/ipsecctl/ike65.ok b/regress/sbin/ipsecctl/ike65.ok index e8bd73fcae1..e1f4cedc748 100644 --- a/regress/sbin/ipsecctl/ike65.ok 
+++ b/regress/sbin/ipsecctl/ike65.ok @@ -3,7 +3,13 @@ C set [peer-1.1.1.1]:Phase=1 force C set [peer-1.1.1.1]:Address=1.1.1.1 force C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-1.1.1.1]:Transforms=phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-1.1.1.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [peer-1.1.1.1]:ID=id-2.2.2.2 force C set [id-2.2.2.2]:ID-type=IPV4_ADDR force C set [id-2.2.2.2]:Address=2.2.2.2 force 
@@ -16,7 +22,16 @@ C set [from-10.1.1.0/24-to-10.1.2.0/24]:Configuration=phase2-from-10.1.1.0/24-to C set [from-10.1.1.0/24-to-10.1.2.0/24]:Local-ID=from-10.1.1.0/24 force C set [from-10.1.1.0/24-to-10.1.2.0/24]:Remote-ID=to-10.1.2.0/24 force C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24 force +C set [phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24]:Protocols=phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24 force +C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:Transforms=phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-10.1.1.0/24]:Network=10.1.1.0 force C set [from-10.1.1.0/24]:Netmask=255.255.255.0 force diff --git a/regress/sbin/ipsecctl/ike66.ok b/regress/sbin/ipsecctl/ike66.ok index 3c833ea79bf..c1de5e109fd 100644 --- a/regress/sbin/ipsecctl/ike66.ok 
+++ b/regress/sbin/ipsecctl/ike66.ok @@ -3,7 +3,13 @@ C set [peer-3ffe::1]:Phase=1 force C set [peer-3ffe::1]:Address=3ffe::1 force C set [peer-3ffe::1]:Configuration=phase1-peer-3ffe::1 force C set [phase1-peer-3ffe::1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-3ffe::1]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-3ffe::1]:Transforms=phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [peer-3ffe::1]:ID=id-3ffe::2 force C set [id-3ffe::2]:ID-type=IPV6_ADDR force C set [id-3ffe::2]:Address=3ffe::2 force 
@@ -13,7 +19,16 @@ C set [from-10.1.1.0/24-to-10.1.2.0/24]:Configuration=phase2-from-10.1.1.0/24-to C set [from-10.1.1.0/24-to-10.1.2.0/24]:Local-ID=from-10.1.1.0/24 force C set [from-10.1.1.0/24-to-10.1.2.0/24]:Remote-ID=to-10.1.2.0/24 force C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24 force +C set [phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24]:Protocols=phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24 force +C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:Transforms=phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-10.1.1.0/24]:Network=10.1.1.0 force C set [from-10.1.1.0/24]:Netmask=255.255.255.0 force diff --git a/regress/sbin/ipsecctl/ike67.ok b/regress/sbin/ipsecctl/ike67.ok index 5b3db6e7541..5c8889a6b9b 100644 --- a/regress/sbin/ipsecctl/ike67.ok 
+++ b/regress/sbin/ipsecctl/ike67.ok @@ -3,7 +3,13 @@ C set [peer-3ffe::1]:Phase=1 force C set [peer-3ffe::1]:Address=3ffe::1 force C set [peer-3ffe::1]:Configuration=phase1-peer-3ffe::1 force C set [phase1-peer-3ffe::1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-3ffe::1]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-3ffe::1]:Transforms=phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [peer-3ffe::1]:Remote-ID=id-3ffe::1 force C set [id-3ffe::1]:ID-type=IPV6_ADDR force C set [id-3ffe::1]:Address=3ffe::1 force 
@@ -13,7 +19,16 @@ C set [from-10.1.1.0/24-to-10.1.2.0/24]:Configuration=phase2-from-10.1.1.0/24-to C set [from-10.1.1.0/24-to-10.1.2.0/24]:Local-ID=from-10.1.1.0/24 force C set [from-10.1.1.0/24-to-10.1.2.0/24]:Remote-ID=to-10.1.2.0/24 force C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24 force +C set [phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24]:Protocols=phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24 force +C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:Transforms=phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-10.1.1.0/24]:Network=10.1.1.0 force C set [from-10.1.1.0/24]:Netmask=255.255.255.0 force diff --git a/regress/sbin/ipsecctl/ike68.ok b/regress/sbin/ipsecctl/ike68.ok index 020ce55fc2b..704f67791ac 100644 --- a/regress/sbin/ipsecctl/ike68.ok 
+++ b/regress/sbin/ipsecctl/ike68.ok @@ -3,7 +3,13 @@ C set [peer-3ffe::1]:Phase=1 force C set [peer-3ffe::1]:Address=3ffe::1 force C set [peer-3ffe::1]:Configuration=phase1-peer-3ffe::1 force C set [phase1-peer-3ffe::1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-3ffe::1]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-3ffe::1]:Transforms=phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-3ffe::1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [peer-3ffe::1]:ID=id-3ffe::2 force C set [id-3ffe::2]:ID-type=IPV6_ADDR force C set [id-3ffe::2]:Address=3ffe::2 force 
@@ -16,7 +22,16 @@ C set [from-10.1.1.0/24-to-10.1.2.0/24]:Configuration=phase2-from-10.1.1.0/24-to C set [from-10.1.1.0/24-to-10.1.2.0/24]:Local-ID=from-10.1.1.0/24 force C set [from-10.1.1.0/24-to-10.1.2.0/24]:Remote-ID=to-10.1.2.0/24 force C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-10.1.1.0/24-to-10.1.2.0/24]:Suites=phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24 force +C set [phase2-suite-from-10.1.1.0/24-to-10.1.2.0/24]:Protocols=phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24 force +C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-10.1.1.0/24-to-10.1.2.0/24]:Transforms=phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-10.1.1.0/24-to-10.1.2.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-10.1.1.0/24]:Network=10.1.1.0 force C set [from-10.1.1.0/24]:Netmask=255.255.255.0 force diff --git a/regress/sbin/ipsecctl/ike7.ok b/regress/sbin/ipsecctl/ike7.ok index 401a040aefc..40409913418 100644 --- a/regress/sbin/ipsecctl/ike7.ok 
+++ b/regress/sbin/ipsecctl/ike7.ok 
@@ -3,14 +3,29 @@ C set [peer-131.188.33.51]:Phase=1 force C set [peer-131.188.33.51]:Address=131.188.33.51 force C set [peer-131.188.33.51]:Configuration=phase1-peer-131.188.33.51 force C set [phase1-peer-131.188.33.51]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-131.188.33.51]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-131.188.33.51]:Transforms=phase1-transform-peer-131.188.33.51-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-131.188.33.51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-131.188.33.51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-131.188.33.51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-131.188.33.51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-131.188.33.51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-131.188.33.51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-10.1.2.0/24-to-10.1.1.0/24]:Phase=2 force C set [from-10.1.2.0/24-to-10.1.1.0/24]:ISAKMP-peer=peer-131.188.33.51 force C set [from-10.1.2.0/24-to-10.1.1.0/24]:Configuration=phase2-from-10.1.2.0/24-to-10.1.1.0/24 force C set [from-10.1.2.0/24-to-10.1.1.0/24]:Local-ID=from-10.1.2.0/24 force C set [from-10.1.2.0/24-to-10.1.1.0/24]:Remote-ID=to-10.1.1.0/24 force C set [phase2-from-10.1.2.0/24-to-10.1.1.0/24]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-10.1.2.0/24-to-10.1.1.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-10.1.2.0/24-to-10.1.1.0/24]:Suites=phase2-suite-from-10.1.2.0/24-to-10.1.1.0/24 force +C set [phase2-suite-from-10.1.2.0/24-to-10.1.1.0/24]:Protocols=phase2-protocol-from-10.1.2.0/24-to-10.1.1.0/24 force +C set [phase2-protocol-from-10.1.2.0/24-to-10.1.1.0/24]:PROTOCOL_ID=IPSEC_ESP force +C set 
[phase2-protocol-from-10.1.2.0/24-to-10.1.1.0/24]:Transforms=phase2-transform-from-10.1.2.0/24-to-10.1.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-10.1.2.0/24-to-10.1.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-10.1.2.0/24-to-10.1.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-10.1.2.0/24-to-10.1.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-10.1.2.0/24-to-10.1.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-10.1.2.0/24-to-10.1.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-10.1.2.0/24-to-10.1.1.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-10.1.2.0/24]:ID-type=IPV4_ADDR_SUBNET force C set [from-10.1.2.0/24]:Network=10.1.2.0 force C set [from-10.1.2.0/24]:Netmask=255.255.255.0 force 
@@ -23,14 +38,29 @@ C set [peer-131.188.33.51]:Phase=1 force C set [peer-131.188.33.51]:Address=131.188.33.51 force C set [peer-131.188.33.51]:Configuration=phase1-peer-131.188.33.51 force C set [phase1-peer-131.188.33.51]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-131.188.33.51]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-131.188.33.51]:Transforms=phase1-transform-peer-131.188.33.51-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-131.188.33.51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-131.188.33.51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-131.188.33.51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-131.188.33.51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-131.188.33.51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-131.188.33.51-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-131.188.33.29-to-131.188.33.51]:Phase=2 force C set [from-131.188.33.29-to-131.188.33.51]:ISAKMP-peer=peer-131.188.33.51 force C set [from-131.188.33.29-to-131.188.33.51]:Configuration=phase2-from-131.188.33.29-to-131.188.33.51 force C set [from-131.188.33.29-to-131.188.33.51]:Local-ID=from-131.188.33.29 force C set [from-131.188.33.29-to-131.188.33.51]:Remote-ID=to-131.188.33.51 force C set [phase2-from-131.188.33.29-to-131.188.33.51]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-131.188.33.29-to-131.188.33.51]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-131.188.33.29-to-131.188.33.51]:Suites=phase2-suite-from-131.188.33.29-to-131.188.33.51 force +C set [phase2-suite-from-131.188.33.29-to-131.188.33.51]:Protocols=phase2-protocol-from-131.188.33.29-to-131.188.33.51 force +C set 
[phase2-protocol-from-131.188.33.29-to-131.188.33.51]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-131.188.33.29-to-131.188.33.51]:Transforms=phase2-transform-from-131.188.33.29-to-131.188.33.51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force +C set [phase2-transform-from-131.188.33.29-to-131.188.33.51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-131.188.33.29-to-131.188.33.51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-131.188.33.29-to-131.188.33.51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-131.188.33.29-to-131.188.33.51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-131.188.33.29-to-131.188.33.51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-131.188.33.29-to-131.188.33.51-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-131.188.33.29]:ID-type=IPV4_ADDR force C set [from-131.188.33.29]:Address=131.188.33.29 force C set [to-131.188.33.51]:ID-type=IPV4_ADDR force diff --git a/regress/sbin/ipsecctl/ike8.ok b/regress/sbin/ipsecctl/ike8.ok index a79aff6fe83..bd0849627ed 100644 --- a/regress/sbin/ipsecctl/ike8.ok +++ b/regress/sbin/ipsecctl/ike8.ok 
@@ -3,14 +3,29 @@ C set [peer-192.168.3.1]:Phase=1 force C set [peer-192.168.3.1]:Address=192.168.3.1 force C set [peer-192.168.3.1]:Configuration=phase1-peer-192.168.3.1 force C set [phase1-peer-192.168.3.1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-192.168.3.1]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-192.168.3.1]:Transforms=phase1-transform-peer-192.168.3.1-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-192.168.3.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-192.168.3.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-192.168.3.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-192.168.3.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-192.168.3.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-192.168.3.1-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [from-1.1.1.1-to-0.0.0.0/0]:Phase=2 force C set [from-1.1.1.1-to-0.0.0.0/0]:ISAKMP-peer=peer-192.168.3.1 force C set [from-1.1.1.1-to-0.0.0.0/0]:Configuration=phase2-from-1.1.1.1-to-0.0.0.0/0 force C set [from-1.1.1.1-to-0.0.0.0/0]:Local-ID=from-1.1.1.1 force C set [from-1.1.1.1-to-0.0.0.0/0]:Remote-ID=to-0.0.0.0/0 force C set [phase2-from-1.1.1.1-to-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-1.1.1.1-to-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force +C set [phase2-from-1.1.1.1-to-0.0.0.0/0]:Suites=phase2-suite-from-1.1.1.1-to-0.0.0.0/0 force +C set [phase2-suite-from-1.1.1.1-to-0.0.0.0/0]:Protocols=phase2-protocol-from-1.1.1.1-to-0.0.0.0/0 force +C set [phase2-protocol-from-1.1.1.1-to-0.0.0.0/0]:PROTOCOL_ID=IPSEC_ESP force +C set [phase2-protocol-from-1.1.1.1-to-0.0.0.0/0]:Transforms=phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL 
force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase2-transform-from-1.1.1.1-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force C set [from-1.1.1.1]:ID-type=IPV4_ADDR force C set [from-1.1.1.1]:Address=1.1.1.1 force C set [to-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force diff --git a/regress/sbin/ipsecctl/ike9.ok b/regress/sbin/ipsecctl/ike9.ok index 948fae49f87..1d6c6209b61 100644 --- a/regress/sbin/ipsecctl/ike9.ok +++ b/regress/sbin/ipsecctl/ike9.ok 
@@ -5,7 +5,13 @@ C set [peer-2.2.2.2]:Phase=1 force C set [peer-2.2.2.2]:Address=2.2.2.2 force C set [peer-2.2.2.2]:Configuration=phase1-peer-2.2.2.2 force C set [phase1-peer-2.2.2.2]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-2.2.2.2]:Transforms=AES-SHA-RSA_SIG force +C add [phase1-peer-2.2.2.2]:Transforms=phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024 force +C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force +C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force +C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force +C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force +C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force +C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force C set [peer-2.2.2.2]:ID=id-noname.my.domain force C set [id-noname.my.domain]:ID-type=FQDN force C set [id-noname.my.domain]:Name=noname.my.domain force 
@@ -15,7 +21,16 @@ C set [from-3.3.3.0/24-to-4.4.4.0/24]:Configuration=phase2-from-3.3.3.0/24-to-4.
 C set [from-3.3.3.0/24-to-4.4.4.0/24]:Local-ID=from-3.3.3.0/24 force
 C set [from-3.3.3.0/24-to-4.4.4.0/24]:Remote-ID=to-4.4.4.0/24 force
 C set [phase2-from-3.3.3.0/24-to-4.4.4.0/24]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-3.3.3.0/24-to-4.4.4.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-3.3.3.0/24-to-4.4.4.0/24]:Suites=phase2-suite-from-3.3.3.0/24-to-4.4.4.0/24 force
+C set [phase2-suite-from-3.3.3.0/24-to-4.4.4.0/24]:Protocols=phase2-protocol-from-3.3.3.0/24-to-4.4.4.0/24 force
+C set [phase2-protocol-from-3.3.3.0/24-to-4.4.4.0/24]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-3.3.3.0/24-to-4.4.4.0/24]:Transforms=phase2-transform-from-3.3.3.0/24-to-4.4.4.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-3.3.3.0/24-to-4.4.4.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-3.3.3.0/24-to-4.4.4.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-3.3.3.0/24-to-4.4.4.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-3.3.3.0/24-to-4.4.4.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-3.3.3.0/24-to-4.4.4.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-3.3.3.0/24-to-4.4.4.0/24-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-3.3.3.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-3.3.3.0/24]:Network=3.3.3.0 force
 C set [from-3.3.3.0/24]:Netmask=255.255.255.0 force
diff --git a/regress/sbin/ipsecctl/ikefail14.ok b/regress/sbin/ipsecctl/ikefail14.ok
index a5a88d31b2b..33c57e34409 100644
--- a/regress/sbin/ipsecctl/ikefail14.ok
+++ b/regress/sbin/ipsecctl/ikefail14.ok
@@ -13,7 +13,13 @@ C set [peer-default]:Local-address=1.1.1.1 force
 C set [peer-default]:Authentication=secret force
 C set [peer-default]:Configuration=phase1-peer-default force
 C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-default]:Transforms=AES-SHA force
+C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=PRE_SHARED force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [peer-default]:ID=id-src.id force
 C set [id-src.id]:ID-type=FQDN force
 C set [id-src.id]:Name=src.id force
@@ -26,7 +32,16 @@ C set [from-0.0.0.0/0-to-0.0.0.0/0]:Configuration=phase2-from-0.0.0.0/0-to-0.0.0
 C set [from-0.0.0.0/0-to-0.0.0.0/0]:Local-ID=from-0.0.0.0/0 force
 C set [from-0.0.0.0/0-to-0.0.0.0/0]:Remote-ID=to-0.0.0.0/0 force
 C set [phase2-from-0.0.0.0/0-to-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-0.0.0.0/0-to-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-0.0.0.0/0-to-0.0.0.0/0]:Suites=phase2-suite-from-0.0.0.0/0-to-0.0.0.0/0 force
+C set [phase2-suite-from-0.0.0.0/0-to-0.0.0.0/0]:Protocols=phase2-protocol-from-0.0.0.0/0-to-0.0.0.0/0 force
+C set [phase2-protocol-from-0.0.0.0/0-to-0.0.0.0/0]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-0.0.0.0/0-to-0.0.0.0/0]:Transforms=phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-0.0.0.0/0-to-0.0.0.0/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
 C set [from-0.0.0.0/0]:Network=0.0.0.0 force
 C set [from-0.0.0.0/0]:Netmask=0.0.0.0 force
@@ -40,7 +55,13 @@ C set [peer-default]:Local-address=1.1.1.1 force
 C set [peer-default]:Authentication=secret force
 C set [peer-default]:Configuration=phase1-peer-default force
 C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-default]:Transforms=AES-SHA force
+C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=PRE_SHARED force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [peer-default]:ID=id-src.id force
 C set [id-src.id]:ID-type=FQDN force
 C set [id-src.id]:Name=src.id force
@@ -53,7 +74,16 @@ C set [from-::/0-to-::/0]:Configuration=phase2-from-::/0-to-::/0 force
 C set [from-::/0-to-::/0]:Local-ID=from-::/0 force
 C set [from-::/0-to-::/0]:Remote-ID=to-::/0 force
 C set [phase2-from-::/0-to-::/0]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-::/0-to-::/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-::/0-to-::/0]:Suites=phase2-suite-from-::/0-to-::/0 force
+C set [phase2-suite-from-::/0-to-::/0]:Protocols=phase2-protocol-from-::/0-to-::/0 force
+C set [phase2-protocol-from-::/0-to-::/0]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-::/0-to-::/0]:Transforms=phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-::/0]:ID-type=IPV6_ADDR_SUBNET force
 C set [from-::/0]:Network=:: force
 C set [from-::/0]:Netmask=:: force
@@ -67,7 +97,13 @@ C set [peer-default]:Local-address=2.2.2.2 force
 C set [peer-default]:Authentication=insecure force
 C set [peer-default]:Configuration=phase1-peer-default force
 C set [phase1-peer-default]:EXCHANGE_TYPE=AGGRESSIVE force
-C add [phase1-peer-default]:Transforms=AES-SHA force
+C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=PRE_SHARED force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-default-PRE_SHARED-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [peer-default]:ID=id-src.wrong force
 C set [id-src.wrong]:ID-type=FQDN force
 C set [id-src.wrong]:Name=src.wrong force
@@ -80,7 +116,16 @@ C set [from-::/0-to-::/0]:Configuration=phase2-from-::/0-to-::/0 force
 C set [from-::/0-to-::/0]:Local-ID=from-::/0 force
 C set [from-::/0-to-::/0]:Remote-ID=to-::/0 force
 C set [phase2-from-::/0-to-::/0]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-::/0-to-::/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-::/0-to-::/0]:Suites=phase2-suite-from-::/0-to-::/0 force
+C set [phase2-suite-from-::/0-to-::/0]:Protocols=phase2-protocol-from-::/0-to-::/0 force
+C set [phase2-protocol-from-::/0-to-::/0]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-::/0-to-::/0]:Transforms=phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-::/0]:ID-type=IPV6_ADDR_SUBNET force
 C set [from-::/0]:Network=:: force
 C set [from-::/0]:Netmask=:: force
@@ -92,14 +137,29 @@ C set [Phase 1]:Default=peer-default force
 C set [peer-default]:Phase=1 force
 C set [peer-default]:Configuration=phase1-peer-default force
 C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-default]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-default-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-::/0-to-::/0]:Phase=2 force
 C set [from-::/0-to-::/0]:ISAKMP-peer=peer-default force
 C set [from-::/0-to-::/0]:Configuration=phase2-from-::/0-to-::/0 force
 C set [from-::/0-to-::/0]:Local-ID=from-::/0 force
 C set [from-::/0-to-::/0]:Remote-ID=to-::/0 force
 C set [phase2-from-::/0-to-::/0]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-::/0-to-::/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [phase2-from-::/0-to-::/0]:Suites=phase2-suite-from-::/0-to-::/0 force
+C set [phase2-suite-from-::/0-to-::/0]:Protocols=phase2-protocol-from-::/0-to-::/0 force
+C set [phase2-protocol-from-::/0-to-::/0]:PROTOCOL_ID=IPSEC_ESP force
+C set [phase2-protocol-from-::/0-to-::/0]:Transforms=phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase2-transform-from-::/0-to-::/0-AES128,128:256-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-::/0]:ID-type=IPV6_ADDR_SUBNET force
 C set [from-::/0]:Network=:: force
 C set [from-::/0]:Netmask=:: force
diff --git a/regress/sbin/ipsecctl/ikefail6.ok b/regress/sbin/ipsecctl/ikefail6.ok
index d71e7b12eea..f535103f3b1 100644
--- a/regress/sbin/ipsecctl/ikefail6.ok
+++ b/regress/sbin/ipsecctl/ikefail6.ok
@@ -4,11 +4,19 @@ C set [peer-2.2.2.2]:Phase=1 force
 C set [peer-2.2.2.2]:Address=2.2.2.2 force
 C set [peer-2.2.2.2]:Configuration=phase1-peer-2.2.2.2 force
 C set [phase1-peer-2.2.2.2]:EXCHANGE_TYPE=ID_PROT force
-C add [phase1-peer-2.2.2.2]:Transforms=AES-SHA-RSA_SIG force
+C add [phase1-peer-2.2.2.2]:Transforms=phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:HASH_ALGORITHM=SHA force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:KEY_LENGTH=128,128:256 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
+C set [phase1-transform-peer-2.2.2.2-RSA_SIG-SHA-AES128,128:256-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-1.1.1.1-to-2.2.2.2]:Phase=2 force
 C set [from-1.1.1.1-to-2.2.2.2]:ISAKMP-peer=peer-2.2.2.2 force
 C set [from-1.1.1.1-to-2.2.2.2]:Configuration=phase2-from-1.1.1.1-to-2.2.2.2 force
 C set [from-1.1.1.1-to-2.2.2.2]:Local-ID=from-1.1.1.1 force
 C set [from-1.1.1.1-to-2.2.2.2]:Remote-ID=to-2.2.2.2 force
 C set [phase2-from-1.1.1.1-to-2.2.2.2]:EXCHANGE_TYPE=QUICK_MODE force
-C set [phase2-from-1.1.1.1-to-2.2.2.2]:Suites=QM-AH-
\ No newline at end of file
+C set [phase2-from-1.1.1.1-to-2.2.2.2]:Suites=phase2-suite-from-1.1.1.1-to-2.2.2.2 force
+C set [phase2-suite-from-1.1.1.1-to-2.2.2.2]:Protocols=phase2-protocol-from-1.1.1.1-to-2.2.2.2 force
+C set [phase2-protocol-from-1.1.1.1-to-2.2.2.2]:PROTOCOL_ID=IPSEC_AH force |