summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--regress/sbin/ipsecctl/Makefile32
-rw-r--r--regress/sbin/ipsecctl/ike15.in2
-rw-r--r--regress/sbin/ipsecctl/ike15.ok26
-rw-r--r--regress/sbin/ipsecctl/ike16.in8
-rw-r--r--regress/sbin/ipsecctl/ike16.ok50
-rw-r--r--regress/sbin/ipsecctl/ike17.in2
-rw-r--r--regress/sbin/ipsecctl/ike17.ok38
-rw-r--r--regress/sbin/ipsecctl/ike18.in2
-rw-r--r--regress/sbin/ipsecctl/ike18.ok38
-rw-r--r--regress/sbin/ipsecctl/ike19.in1
-rw-r--r--regress/sbin/ipsecctl/ike19.ok19
-rw-r--r--regress/sbin/ipsecctl/ike20.in2
-rw-r--r--regress/sbin/ipsecctl/ike20.ok40
-rw-r--r--regress/sbin/ipsecctl/ike21.in1
-rw-r--r--regress/sbin/ipsecctl/ike21.ok18
-rw-r--r--regress/sbin/ipsecctl/ike22.in1
-rw-r--r--regress/sbin/ipsecctl/ike22.ok20
-rw-r--r--regress/sbin/ipsecctl/ike23.in2
-rw-r--r--regress/sbin/ipsecctl/ike23.ok24
-rw-r--r--regress/sbin/ipsecctl/ike29.in1
-rw-r--r--regress/sbin/ipsecctl/ike29.ok25
-rw-r--r--regress/sbin/ipsecctl/ike30.in1
-rw-r--r--regress/sbin/ipsecctl/ike30.ok20
-rw-r--r--regress/sbin/ipsecctl/ike31.in1
-rw-r--r--regress/sbin/ipsecctl/ike31.ok19
-rw-r--r--regress/sbin/ipsecctl/ike32.in1
-rw-r--r--regress/sbin/ipsecctl/ike32.ok20
-rw-r--r--regress/sbin/ipsecctl/ike33.in1
-rw-r--r--regress/sbin/ipsecctl/ike33.ok20
-rw-r--r--regress/sbin/ipsecctl/ike34.in1
-rw-r--r--regress/sbin/ipsecctl/ike34.ok20
-rw-r--r--regress/sbin/ipsecctl/ike35.in1
-rw-r--r--regress/sbin/ipsecctl/ike35.ok20
-rw-r--r--regress/sbin/ipsecctl/ike36.in1
-rw-r--r--regress/sbin/ipsecctl/ike36.ok18
-rw-r--r--regress/sbin/ipsecctl/ike37.in2
-rw-r--r--regress/sbin/ipsecctl/ike37.ok26
-rw-r--r--regress/sbin/ipsecctl/ike38.in9
-rw-r--r--regress/sbin/ipsecctl/ike38.ok50
-rw-r--r--regress/sbin/ipsecctl/ike39.in2
-rw-r--r--regress/sbin/ipsecctl/ike39.ok38
-rw-r--r--regress/sbin/ipsecctl/ike40.in2
-rw-r--r--regress/sbin/ipsecctl/ike40.ok38
-rw-r--r--regress/sbin/ipsecctl/ikefail1.in1
-rw-r--r--regress/sbin/ipsecctl/ikefail1.ok2
-rw-r--r--regress/sbin/ipsecctl/ikefail2.in2
-rw-r--r--regress/sbin/ipsecctl/ikefail2.ok3
-rw-r--r--regress/sbin/ipsecctl/ipsec25.in1
-rw-r--r--regress/sbin/ipsecctl/ipsec25.ok2
-rw-r--r--regress/sbin/ipsecctl/ipsec26.in3
-rw-r--r--regress/sbin/ipsecctl/ipsec26.ok2
-rw-r--r--regress/sbin/ipsecctl/ipsec27.in1
-rw-r--r--regress/sbin/ipsecctl/ipsec27.ok2
-rw-r--r--regress/sbin/ipsecctl/ipsec28.in1
-rw-r--r--regress/sbin/ipsecctl/ipsec28.ok2
-rw-r--r--regress/sbin/ipsecctl/ipsec29.in6
-rw-r--r--regress/sbin/ipsecctl/ipsec29.ok2
-rw-r--r--regress/sbin/ipsecctl/ipsec30.in3
-rw-r--r--regress/sbin/ipsecctl/ipsec30.ok2
-rw-r--r--regress/sbin/ipsecctl/ipsec31.in3
-rw-r--r--regress/sbin/ipsecctl/ipsec31.ok2
-rw-r--r--regress/sbin/ipsecctl/ipsec32.in3
-rw-r--r--regress/sbin/ipsecctl/ipsec32.ok2
-rw-r--r--regress/sbin/ipsecctl/ipsec33.in6
-rw-r--r--regress/sbin/ipsecctl/ipsec33.ok2
-rw-r--r--regress/sbin/ipsecctl/ipsec34.in14
-rw-r--r--regress/sbin/ipsecctl/ipsec34.ok14
-rw-r--r--regress/sbin/ipsecctl/ipsec35.in1
-rw-r--r--regress/sbin/ipsecctl/ipsec35.ok1
-rw-r--r--regress/sbin/ipsecctl/ipsec36.in2
-rw-r--r--regress/sbin/ipsecctl/ipsec36.ok4
-rw-r--r--regress/sbin/ipsecctl/ipsec37.in5
-rw-r--r--regress/sbin/ipsecctl/ipsec37.ok6
-rw-r--r--regress/sbin/ipsecctl/ipsec38.in1
-rw-r--r--regress/sbin/ipsecctl/ipsec38.ok1
-rw-r--r--regress/sbin/ipsecctl/ipsec39.in1
-rw-r--r--regress/sbin/ipsecctl/ipsec39.ok1
-rw-r--r--regress/sbin/ipsecctl/ipsec40.in2
-rw-r--r--regress/sbin/ipsecctl/ipsec40.ok4
-rw-r--r--regress/sbin/ipsecctl/ipsec41.in7
-rw-r--r--regress/sbin/ipsecctl/ipsec41.ok14
-rw-r--r--regress/sbin/ipsecctl/ipsec42.in1
-rw-r--r--regress/sbin/ipsecctl/ipsec42.ok2
-rw-r--r--regress/sbin/ipsecctl/ipsec43.in1
-rw-r--r--regress/sbin/ipsecctl/ipsec43.ok2
-rw-r--r--regress/sbin/ipsecctl/ipsec44.in1
-rw-r--r--regress/sbin/ipsecctl/ipsec44.ok2
-rw-r--r--regress/sbin/ipsecctl/ipsec50.in1
-rw-r--r--regress/sbin/ipsecctl/ipsec50.ok2
-rw-r--r--regress/sbin/ipsecctl/ipsecfail1.in1
-rw-r--r--regress/sbin/ipsecctl/ipsecfail1.ok2
-rw-r--r--regress/sbin/ipsecctl/ipsecfail2.in1
-rw-r--r--regress/sbin/ipsecctl/ipsecfail2.ok2
93 files changed, 810 insertions, 2 deletions
diff --git a/regress/sbin/ipsecctl/Makefile b/regress/sbin/ipsecctl/Makefile
index 4f1fb06c536..0f662305c16 100644
--- a/regress/sbin/ipsecctl/Makefile
+++ b/regress/sbin/ipsecctl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.22 2006/05/30 19:36:54 hshoexer Exp $
+# $OpenBSD: Makefile,v 1.23 2006/05/31 11:34:24 todd Exp $
# TARGETS
# ipsec: feed ipsecNN.in through ipsecctl and check wether the output matches
@@ -8,10 +8,16 @@
# ike: same as above, but for ike rules.
IPSECTESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
+IPSECTESTS+=25 26 27 28 29 30 31 32 33 34 35 36 37 38 40 41 42 43 44
+#IPSECTESTS+=39
TCPMD5TESTS=1 2 3
SATESTS=1 2 3 4 5 6 7 8 9 10 11 12
SAFAIL=1
-IKETESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14
+IPSECFAIL=1 2
+IKEFAIL=1
+IKETESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
+#IKETESTS+=16 17 18 19 20 21 22 23 24
+#IKETESTS+=25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40
SHELL=/bin/sh
@@ -49,6 +55,14 @@ safail${n}:
ipsecctl -nv -f - 2>&1 | diff -u ${.CURDIR}/safail${n}.ok /dev/stdin
.endfor
+.for n in ${IPSECFAIL}
+IPSECFAIL_TARGETS+=ipsecfail${n}
+
+ipsecfail${n}:
+ cat ${.CURDIR}/ipsecfail${n}.in | sed -e 's,DIR,${.CURDIR},g' | \
+ ipsecctl -nv -f - 2>&1 | diff -u ${.CURDIR}/ipsecfail${n}.ok /dev/stdin
+.endfor
+
.for n in ${IKETESTS}
IKE_TARGETS+=ike${n}
@@ -57,6 +71,14 @@ ike${n}:
ipsecctl -nv -f - | diff -u ${.CURDIR}/ike${n}.ok /dev/stdin
.endfor
+.for n in ${IKEFAIL}
+IKEFAIL_TARGETS+=ikefail${n}
+
+ikefail${n}:
+ cat ${.CURDIR}/ikefail${n}.in | sed -e 's,DIR,${.CURDIR},g' | \
+ ipsecctl -nv -f - 2>&1 | diff -u ${.CURDIR}/ikefail${n}.ok /dev/stdin
+.endfor
+
ipsec: ${IPSEC_TARGETS}
REGRESS_TARGETS+=ipsec
@@ -69,9 +91,15 @@ REGRESS_TARGETS+=sa
safail: ${SAFAIL_TARGETS}
REGRESS_TARGETS+=safail
+ipsecfail: ${IPSECFAIL_TARGETS}
+REGRESS_TARGETS+=ipsecfail
+
ike: ${IKE_TARGETS}
REGRESS_TARGETS+=ike
+ikefail: ${IKEFAIL_TARGETS}
+REGRESS_TARGETS+=ikefail
+
alltests: ${REGRESS_TARGETS}
.PHONY: ${REGRESS_TARGETS}
diff --git a/regress/sbin/ipsecctl/ike15.in b/regress/sbin/ipsecctl/ike15.in
new file mode 100644
index 00000000000..4470dc3b316
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike15.in
@@ -0,0 +1,2 @@
+ike from 10.1.1.0/24 to 10.1.2.0/24 peer 3ffe::1 \
+ srcid sharleena.as10.net dstid faui31o.informatik.uni-erlangen.de
diff --git a/regress/sbin/ipsecctl/ike15.ok b/regress/sbin/ipsecctl/ike15.ok
new file mode 100644
index 00000000000..5e69d1ec014
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike15.ok
@@ -0,0 +1,26 @@
+C set [Phase 1]:3ffe::1=peer-3ffe::1 force
+C set [peer-3ffe::1]:Phase=1 force
+C set [peer-3ffe::1]:Address=3ffe::1 force
+C set [peer-3ffe::1]:Configuration=mm-3ffe::1 force
+C set [mm-3ffe::1]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::1]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [peer-3ffe::1]:ID=local-ID force
+C set [local-ID]:ID-type=FQDN force
+C set [local-ID]:Name=sharleena.as10.net force
+C set [peer-3ffe::1]:Remote-ID=3ffe::1-ID force
+C set [3ffe::1-ID]:ID-type=FQDN force
+C set [3ffe::1-ID]:Name=faui31o.informatik.uni-erlangen.de force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:Phase=2 force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:ISAKMP-peer=peer-3ffe::1 force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:Configuration=qm-10.1.1.0/24-10.1.2.0/24 force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:Local-ID=lid-10.1.1.0/24 force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:Remote-ID=rid-10.1.2.0/24 force
+C set [qm-10.1.1.0/24-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-10.1.1.0/24-10.1.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [lid-10.1.1.0/24]:Network=10.1.1.0 force
+C set [lid-10.1.1.0/24]:Netmask=255.255.255.0 force
+C set [rid-10.1.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [rid-10.1.2.0/24]:Network=10.1.2.0 force
+C set [rid-10.1.2.0/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=IPsec-10.1.1.0/24-10.1.2.0/24
diff --git a/regress/sbin/ipsecctl/ike16.in b/regress/sbin/ipsecctl/ike16.in
new file mode 100644
index 00000000000..bd4e41639f8
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike16.in
@@ -0,0 +1,8 @@
+ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 3ffe::29 \
+ main auth hmac-sha1 enc 3des group modp3072 \
+ quick auth hmac-sha1 enc 3des group modp3072 \
+ srcid sharleena.as10.net dstid faui31o.informatik.uni-erlangen.de
+ike esp from 3ffe::51 to 3ffe::29 \
+ main auth hmac-sha1 enc aes group modp3072 \
+ quick auth hmac-sha2-256 enc aes group modp3072 \
+ srcid sharleena.as10.net dstid faui31o.informatik.uni-erlangen.de
diff --git a/regress/sbin/ipsecctl/ike16.ok b/regress/sbin/ipsecctl/ike16.ok
new file mode 100644
index 00000000000..b3e0098857d
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike16.ok
@@ -0,0 +1,50 @@
+C set [Phase 1]:3ffe::29=peer-3ffe::29 force
+C set [peer-3ffe::29]:Phase=1 force
+C set [peer-3ffe::29]:Address=3ffe::29 force
+C set [peer-3ffe::29]:Configuration=mm-3ffe::29 force
+C set [mm-3ffe::29]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::29]:Transforms=3DES-SHA-GRP15-RSA_SIG force
+C set [peer-3ffe::29]:ID=local-ID force
+C set [local-ID]:ID-type=FQDN force
+C set [local-ID]:Name=sharleena.as10.net force
+C set [peer-3ffe::29]:Remote-ID=3ffe::29-ID force
+C set [3ffe::29-ID]:ID-type=FQDN force
+C set [3ffe::29-ID]:Name=faui31o.informatik.uni-erlangen.de force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:Phase=2 force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:ISAKMP-peer=peer-3ffe::29 force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:Configuration=qm-10.1.1.0/24-10.1.2.0/24 force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:Local-ID=lid-10.1.1.0/24 force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:Remote-ID=rid-10.1.2.0/24 force
+C set [qm-10.1.1.0/24-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-10.1.1.0/24-10.1.2.0/24]:Suites=QM-ESP-3DES-SHA-PFS-GRP15-SUITE force
+C set [lid-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [lid-10.1.1.0/24]:Network=10.1.1.0 force
+C set [lid-10.1.1.0/24]:Netmask=255.255.255.0 force
+C set [rid-10.1.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [rid-10.1.2.0/24]:Network=10.1.2.0 force
+C set [rid-10.1.2.0/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=IPsec-10.1.1.0/24-10.1.2.0/24
+C set [Phase 1]:3ffe::29=peer-3ffe::29 force
+C set [peer-3ffe::29]:Phase=1 force
+C set [peer-3ffe::29]:Address=3ffe::29 force
+C set [peer-3ffe::29]:Configuration=mm-3ffe::29 force
+C set [mm-3ffe::29]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::29]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [peer-3ffe::29]:ID=local-ID force
+C set [local-ID]:ID-type=FQDN force
+C set [local-ID]:Name=sharleena.as10.net force
+C set [peer-3ffe::29]:Remote-ID=3ffe::29-ID force
+C set [3ffe::29-ID]:ID-type=FQDN force
+C set [3ffe::29-ID]:Name=faui31o.informatik.uni-erlangen.de force
+C set [IPsec-3ffe::51-3ffe::29]:Phase=2 force
+C set [IPsec-3ffe::51-3ffe::29]:ISAKMP-peer=peer-3ffe::29 force
+C set [IPsec-3ffe::51-3ffe::29]:Configuration=qm-3ffe::51-3ffe::29 force
+C set [IPsec-3ffe::51-3ffe::29]:Local-ID=lid-3ffe::51 force
+C set [IPsec-3ffe::51-3ffe::29]:Remote-ID=rid-3ffe::29 force
+C set [qm-3ffe::51-3ffe::29]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-3ffe::51-3ffe::29]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-3ffe::51]:ID-type=IPV6_ADDR force
+C set [lid-3ffe::51]:Address=3ffe::51 force
+C set [rid-3ffe::29]:ID-type=IPV6_ADDR force
+C set [rid-3ffe::29]:Address=3ffe::29 force
+C add [Phase 2]:Connections=IPsec-3ffe::51-3ffe::29
diff --git a/regress/sbin/ipsecctl/ike17.in b/regress/sbin/ipsecctl/ike17.in
new file mode 100644
index 00000000000..60cc40a8538
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike17.in
@@ -0,0 +1,2 @@
+ike from 10.1.1.0/24 to 10.1.2.0/24 peer 3ffe::29
+ike from 3ffe::51 to 3ffe::29
diff --git a/regress/sbin/ipsecctl/ike17.ok b/regress/sbin/ipsecctl/ike17.ok
new file mode 100644
index 00000000000..242622d29d1
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike17.ok
@@ -0,0 +1,38 @@
+C set [Phase 1]:3ffe::29=peer-3ffe::29 force
+C set [peer-3ffe::29]:Phase=1 force
+C set [peer-3ffe::29]:Address=3ffe::29 force
+C set [peer-3ffe::29]:Configuration=mm-3ffe::29 force
+C set [mm-3ffe::29]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::29]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:Phase=2 force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:ISAKMP-peer=peer-3ffe::29 force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:Configuration=qm-10.1.1.0/24-10.1.2.0/24 force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:Local-ID=lid-10.1.1.0/24 force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:Remote-ID=rid-10.1.2.0/24 force
+C set [qm-10.1.1.0/24-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-10.1.1.0/24-10.1.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [lid-10.1.1.0/24]:Network=10.1.1.0 force
+C set [lid-10.1.1.0/24]:Netmask=255.255.255.0 force
+C set [rid-10.1.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [rid-10.1.2.0/24]:Network=10.1.2.0 force
+C set [rid-10.1.2.0/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=IPsec-10.1.1.0/24-10.1.2.0/24
+C set [Phase 1]:3ffe::29=peer-3ffe::29 force
+C set [peer-3ffe::29]:Phase=1 force
+C set [peer-3ffe::29]:Address=3ffe::29 force
+C set [peer-3ffe::29]:Configuration=mm-3ffe::29 force
+C set [mm-3ffe::29]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::29]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-3ffe::51-3ffe::29]:Phase=2 force
+C set [IPsec-3ffe::51-3ffe::29]:ISAKMP-peer=peer-3ffe::29 force
+C set [IPsec-3ffe::51-3ffe::29]:Configuration=qm-3ffe::51-3ffe::29 force
+C set [IPsec-3ffe::51-3ffe::29]:Local-ID=lid-3ffe::51 force
+C set [IPsec-3ffe::51-3ffe::29]:Remote-ID=rid-3ffe::29 force
+C set [qm-3ffe::51-3ffe::29]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-3ffe::51-3ffe::29]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-3ffe::51]:ID-type=IPV6_ADDR force
+C set [lid-3ffe::51]:Address=3ffe::51 force
+C set [rid-3ffe::29]:ID-type=IPV6_ADDR force
+C set [rid-3ffe::29]:Address=3ffe::29 force
+C add [Phase 2]:Connections=IPsec-3ffe::51-3ffe::29
diff --git a/regress/sbin/ipsecctl/ike18.in b/regress/sbin/ipsecctl/ike18.in
new file mode 100644
index 00000000000..7fabcbf797a
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike18.in
@@ -0,0 +1,2 @@
+ike passive from 10.1.2.0/24 to 10.1.1.0/24 peer 3ffe::51
+ike passive from 3ffe::29 to 3ffe::51
diff --git a/regress/sbin/ipsecctl/ike18.ok b/regress/sbin/ipsecctl/ike18.ok
new file mode 100644
index 00000000000..0b7e7200e43
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike18.ok
@@ -0,0 +1,38 @@
+C set [Phase 1]:3ffe::51=peer-3ffe::51 force
+C set [peer-3ffe::51]:Phase=1 force
+C set [peer-3ffe::51]:Address=3ffe::51 force
+C set [peer-3ffe::51]:Configuration=mm-3ffe::51 force
+C set [mm-3ffe::51]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::51]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-10.1.2.0/24-10.1.1.0/24]:Phase=2 force
+C set [IPsec-10.1.2.0/24-10.1.1.0/24]:ISAKMP-peer=peer-3ffe::51 force
+C set [IPsec-10.1.2.0/24-10.1.1.0/24]:Configuration=qm-10.1.2.0/24-10.1.1.0/24 force
+C set [IPsec-10.1.2.0/24-10.1.1.0/24]:Local-ID=lid-10.1.2.0/24 force
+C set [IPsec-10.1.2.0/24-10.1.1.0/24]:Remote-ID=rid-10.1.1.0/24 force
+C set [qm-10.1.2.0/24-10.1.1.0/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-10.1.2.0/24-10.1.1.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-10.1.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [lid-10.1.2.0/24]:Network=10.1.2.0 force
+C set [lid-10.1.2.0/24]:Netmask=255.255.255.0 force
+C set [rid-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [rid-10.1.1.0/24]:Network=10.1.1.0 force
+C set [rid-10.1.1.0/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Passive-Connections=IPsec-10.1.2.0/24-10.1.1.0/24
+C set [Phase 1]:3ffe::51=peer-3ffe::51 force
+C set [peer-3ffe::51]:Phase=1 force
+C set [peer-3ffe::51]:Address=3ffe::51 force
+C set [peer-3ffe::51]:Configuration=mm-3ffe::51 force
+C set [mm-3ffe::51]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::51]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-3ffe::29-3ffe::51]:Phase=2 force
+C set [IPsec-3ffe::29-3ffe::51]:ISAKMP-peer=peer-3ffe::51 force
+C set [IPsec-3ffe::29-3ffe::51]:Configuration=qm-3ffe::29-3ffe::51 force
+C set [IPsec-3ffe::29-3ffe::51]:Local-ID=lid-3ffe::29 force
+C set [IPsec-3ffe::29-3ffe::51]:Remote-ID=rid-3ffe::51 force
+C set [qm-3ffe::29-3ffe::51]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-3ffe::29-3ffe::51]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-3ffe::29]:ID-type=IPV6_ADDR force
+C set [lid-3ffe::29]:Address=3ffe::29 force
+C set [rid-3ffe::51]:ID-type=IPV6_ADDR force
+C set [rid-3ffe::51]:Address=3ffe::51 force
+C add [Phase 2]:Passive-Connections=IPsec-3ffe::29-3ffe::51
diff --git a/regress/sbin/ipsecctl/ike19.in b/regress/sbin/ipsecctl/ike19.in
new file mode 100644
index 00000000000..d4e3fdb1df8
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike19.in
@@ -0,0 +1 @@
+ike from 1.1.1.1 to any peer 3ffe::1
diff --git a/regress/sbin/ipsecctl/ike19.ok b/regress/sbin/ipsecctl/ike19.ok
new file mode 100644
index 00000000000..854aa89d9b9
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike19.ok
@@ -0,0 +1,19 @@
+C set [Phase 1]:3ffe::1=peer-3ffe::1 force
+C set [peer-3ffe::1]:Phase=1 force
+C set [peer-3ffe::1]:Address=3ffe::1 force
+C set [peer-3ffe::1]:Configuration=mm-3ffe::1 force
+C set [mm-3ffe::1]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::1]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:Phase=2 force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:ISAKMP-peer=peer-3ffe::1 force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:Configuration=qm-1.1.1.1-0.0.0.0/0 force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:Local-ID=lid-1.1.1.1 force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:Remote-ID=rid-0.0.0.0/0 force
+C set [qm-1.1.1.1-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-1.1.1.1-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-1.1.1.1]:ID-type=IPV4_ADDR force
+C set [lid-1.1.1.1]:Address=1.1.1.1 force
+C set [rid-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
+C set [rid-0.0.0.0/0]:Network=0.0.0.0 force
+C set [rid-0.0.0.0/0]:Netmask=0.0.0.0 force
+C add [Phase 2]:Connections=IPsec-1.1.1.1-0.0.0.0/0
diff --git a/regress/sbin/ipsecctl/ike20.in b/regress/sbin/ipsecctl/ike20.in
new file mode 100644
index 00000000000..c7f1d04ad70
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike20.in
@@ -0,0 +1,2 @@
+ike from 1.1.1.1 to any local 192.168.3.2 peer 192.168.3.1
+ike from 1.1.1.1 to any peer 192.168.3.1 local 192.168.3.2
diff --git a/regress/sbin/ipsecctl/ike20.ok b/regress/sbin/ipsecctl/ike20.ok
new file mode 100644
index 00000000000..960af35a974
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike20.ok
@@ -0,0 +1,40 @@
+C set [Phase 1]:192.168.3.1=peer-192.168.3.1 force
+C set [peer-192.168.3.1]:Phase=1 force
+C set [peer-192.168.3.1]:Address=192.168.3.1 force
+C set [peer-192.168.3.1]:Local-address=192.168.3.2 force
+C set [peer-192.168.3.1]:Configuration=mm-192.168.3.1 force
+C set [mm-192.168.3.1]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-192.168.3.1]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:Phase=2 force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:ISAKMP-peer=peer-192.168.3.1 force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:Configuration=qm-1.1.1.1-0.0.0.0/0 force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:Local-ID=lid-1.1.1.1 force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:Remote-ID=rid-0.0.0.0/0 force
+C set [qm-1.1.1.1-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-1.1.1.1-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-1.1.1.1]:ID-type=IPV4_ADDR force
+C set [lid-1.1.1.1]:Address=1.1.1.1 force
+C set [rid-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
+C set [rid-0.0.0.0/0]:Network=0.0.0.0 force
+C set [rid-0.0.0.0/0]:Netmask=0.0.0.0 force
+C add [Phase 2]:Connections=IPsec-1.1.1.1-0.0.0.0/0
+C set [Phase 1]:192.168.3.1=peer-192.168.3.1 force
+C set [peer-192.168.3.1]:Phase=1 force
+C set [peer-192.168.3.1]:Address=192.168.3.1 force
+C set [peer-192.168.3.1]:Local-address=192.168.3.2 force
+C set [peer-192.168.3.1]:Configuration=mm-192.168.3.1 force
+C set [mm-192.168.3.1]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-192.168.3.1]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:Phase=2 force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:ISAKMP-peer=peer-192.168.3.1 force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:Configuration=qm-1.1.1.1-0.0.0.0/0 force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:Local-ID=lid-1.1.1.1 force
+C set [IPsec-1.1.1.1-0.0.0.0/0]:Remote-ID=rid-0.0.0.0/0 force
+C set [qm-1.1.1.1-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-1.1.1.1-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-1.1.1.1]:ID-type=IPV4_ADDR force
+C set [lid-1.1.1.1]:Address=1.1.1.1 force
+C set [rid-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
+C set [rid-0.0.0.0/0]:Network=0.0.0.0 force
+C set [rid-0.0.0.0/0]:Netmask=0.0.0.0 force
+C add [Phase 2]:Connections=IPsec-1.1.1.1-0.0.0.0/0
diff --git a/regress/sbin/ipsecctl/ike21.in b/regress/sbin/ipsecctl/ike21.in
new file mode 100644
index 00000000000..213c71e19fc
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike21.in
@@ -0,0 +1 @@
+ike from 3ffe::1 to 3ffe::2
diff --git a/regress/sbin/ipsecctl/ike21.ok b/regress/sbin/ipsecctl/ike21.ok
new file mode 100644
index 00000000000..37519a126aa
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike21.ok
@@ -0,0 +1,18 @@
+C set [Phase 1]:3ffe::2=peer-3ffe::2 force
+C set [peer-3ffe::2]:Phase=1 force
+C set [peer-3ffe::2]:Address=3ffe::2 force
+C set [peer-3ffe::2]:Configuration=mm-3ffe::2 force
+C set [mm-3ffe::2]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::2]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-3ffe::1-3ffe::2]:Phase=2 force
+C set [IPsec-3ffe::1-3ffe::2]:ISAKMP-peer=peer-3ffe::2 force
+C set [IPsec-3ffe::1-3ffe::2]:Configuration=qm-3ffe::1-3ffe::2 force
+C set [IPsec-3ffe::1-3ffe::2]:Local-ID=lid-3ffe::1 force
+C set [IPsec-3ffe::1-3ffe::2]:Remote-ID=rid-3ffe::2 force
+C set [qm-3ffe::1-3ffe::2]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-3ffe::1-3ffe::2]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-3ffe::1]:ID-type=IPV6_ADDR force
+C set [lid-3ffe::1]:Address=3ffe::1 force
+C set [rid-3ffe::2]:ID-type=IPV6_ADDR force
+C set [rid-3ffe::2]:Address=3ffe::2 force
+C add [Phase 2]:Connections=IPsec-3ffe::1-3ffe::2
diff --git a/regress/sbin/ipsecctl/ike22.in b/regress/sbin/ipsecctl/ike22.in
new file mode 100644
index 00000000000..ddc4a19e1a7
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike22.in
@@ -0,0 +1 @@
+ike from 10.1.1.0/24 to 10.1.2.0/24 peer 3ffe::1
diff --git a/regress/sbin/ipsecctl/ike22.ok b/regress/sbin/ipsecctl/ike22.ok
new file mode 100644
index 00000000000..bd769d1ac59
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike22.ok
@@ -0,0 +1,20 @@
+C set [Phase 1]:3ffe::1=peer-3ffe::1 force
+C set [peer-3ffe::1]:Phase=1 force
+C set [peer-3ffe::1]:Address=3ffe::1 force
+C set [peer-3ffe::1]:Configuration=mm-3ffe::1 force
+C set [mm-3ffe::1]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::1]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:Phase=2 force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:ISAKMP-peer=peer-3ffe::1 force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:Configuration=qm-10.1.1.0/24-10.1.2.0/24 force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:Local-ID=lid-10.1.1.0/24 force
+C set [IPsec-10.1.1.0/24-10.1.2.0/24]:Remote-ID=rid-10.1.2.0/24 force
+C set [qm-10.1.1.0/24-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-10.1.1.0/24-10.1.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-10.1.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [lid-10.1.1.0/24]:Network=10.1.1.0 force
+C set [lid-10.1.1.0/24]:Netmask=255.255.255.0 force
+C set [rid-10.1.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [rid-10.1.2.0/24]:Network=10.1.2.0 force
+C set [rid-10.1.2.0/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=IPsec-10.1.1.0/24-10.1.2.0/24
diff --git a/regress/sbin/ipsecctl/ike23.in b/regress/sbin/ipsecctl/ike23.in
new file mode 100644
index 00000000000..2b129c8f2fe
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike23.in
@@ -0,0 +1,2 @@
+ike from 3ffe::51 to 3ffe::29 \
+ srcid sharleena.as10.net dstid faui31o.informatik.uni-erlangen.de
diff --git a/regress/sbin/ipsecctl/ike23.ok b/regress/sbin/ipsecctl/ike23.ok
new file mode 100644
index 00000000000..6e87e0a8d8d
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike23.ok
@@ -0,0 +1,24 @@
+C set [Phase 1]:3ffe::29=peer-3ffe::29 force
+C set [peer-3ffe::29]:Phase=1 force
+C set [peer-3ffe::29]:Address=3ffe::29 force
+C set [peer-3ffe::29]:Configuration=mm-3ffe::29 force
+C set [mm-3ffe::29]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::29]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [peer-3ffe::29]:ID=local-ID force
+C set [local-ID]:ID-type=FQDN force
+C set [local-ID]:Name=sharleena.as10.net force
+C set [peer-3ffe::29]:Remote-ID=3ffe::29-ID force
+C set [3ffe::29-ID]:ID-type=FQDN force
+C set [3ffe::29-ID]:Name=faui31o.informatik.uni-erlangen.de force
+C set [IPsec-3ffe::51-3ffe::29]:Phase=2 force
+C set [IPsec-3ffe::51-3ffe::29]:ISAKMP-peer=peer-3ffe::29 force
+C set [IPsec-3ffe::51-3ffe::29]:Configuration=qm-3ffe::51-3ffe::29 force
+C set [IPsec-3ffe::51-3ffe::29]:Local-ID=lid-3ffe::51 force
+C set [IPsec-3ffe::51-3ffe::29]:Remote-ID=rid-3ffe::29 force
+C set [qm-3ffe::51-3ffe::29]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-3ffe::51-3ffe::29]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-3ffe::51]:ID-type=IPV6_ADDR force
+C set [lid-3ffe::51]:Address=3ffe::51 force
+C set [rid-3ffe::29]:ID-type=IPV6_ADDR force
+C set [rid-3ffe::29]:Address=3ffe::29 force
+C add [Phase 2]:Connections=IPsec-3ffe::51-3ffe::29
diff --git a/regress/sbin/ipsecctl/ike29.in b/regress/sbin/ipsecctl/ike29.in
new file mode 100644
index 00000000000..d3f6c5b81a6
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike29.in
@@ -0,0 +1 @@
+ike dynamic esp from 3ffe:3::/64 to 3ffe:4::/64 peer 3ffe:2::1 srcid noname.my.domain
diff --git a/regress/sbin/ipsecctl/ike29.ok b/regress/sbin/ipsecctl/ike29.ok
new file mode 100644
index 00000000000..1cd78d69812
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike29.ok
@@ -0,0 +1,25 @@
+C set [General]:Check-interval=30 force
+C set [General]:DPD-check-interval=5 force
+C set [Phase 1]:3ffe:2::1=peer-3ffe:2::1 force
+C set [peer-3ffe:2::1]:Phase=1 force
+C set [peer-3ffe:2::1]:Address=3ffe:2::1 force
+C set [peer-3ffe:2::1]:Configuration=mm-3ffe:2::1 force
+C set [mm-3ffe:2::1]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe:2::1]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [peer-3ffe:2::1]:ID=local-ID force
+C set [local-ID]:ID-type=FQDN force
+C set [local-ID]:Name=noname.my.domain force
+C set [IPsec-3ffe:3::/64-3ffe:4::/64]:Phase=2 force
+C set [IPsec-3ffe:3::/64-3ffe:4::/64]:ISAKMP-peer=peer-3ffe:2::1 force
+C set [IPsec-3ffe:3::/64-3ffe:4::/64]:Configuration=qm-3ffe:3::/64-3ffe:4::/64 force
+C set [IPsec-3ffe:3::/64-3ffe:4::/64]:Local-ID=lid-3ffe:3::/64 force
+C set [IPsec-3ffe:3::/64-3ffe:4::/64]:Remote-ID=rid-3ffe:4::/64 force
+C set [qm-3ffe:3::/64-3ffe:4::/64]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-3ffe:3::/64-3ffe:4::/64]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-3ffe:3::/64]:ID-type=IPV6_ADDR_SUBNET force
+C set [lid-3ffe:3::/64]:Network=3ffe:3:: force
+C set [lid-3ffe:3::/64]:Netmask=255.255.255.255 force
+C set [rid-3ffe:4::/64]:ID-type=IPV6_ADDR_SUBNET force
+C set [rid-3ffe:4::/64]:Network=3ffe:4:: force
+C set [rid-3ffe:4::/64]:Netmask=255.255.255.255 force
+C add [Phase 2]:Connections=IPsec-3ffe:3::/64-3ffe:4::/64
diff --git a/regress/sbin/ipsecctl/ike30.in b/regress/sbin/ipsecctl/ike30.in
new file mode 100644
index 00000000000..c09a378cdf9
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike30.in
@@ -0,0 +1 @@
+ike esp proto etherip from 3ffe::1 to 3ffe::2
diff --git a/regress/sbin/ipsecctl/ike30.ok b/regress/sbin/ipsecctl/ike30.ok
new file mode 100644
index 00000000000..4e31e8b6fdc
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike30.ok
@@ -0,0 +1,20 @@
+C set [Phase 1]:3ffe::2=peer-3ffe::2 force
+C set [peer-3ffe::2]:Phase=1 force
+C set [peer-3ffe::2]:Address=3ffe::2 force
+C set [peer-3ffe::2]:Configuration=mm-3ffe::2 force
+C set [mm-3ffe::2]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::2]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-3ffe::1-3ffe::2]:Phase=2 force
+C set [IPsec-3ffe::1-3ffe::2]:ISAKMP-peer=peer-3ffe::2 force
+C set [IPsec-3ffe::1-3ffe::2]:Configuration=qm-3ffe::1-3ffe::2 force
+C set [IPsec-3ffe::1-3ffe::2]:Local-ID=lid-3ffe::1 force
+C set [IPsec-3ffe::1-3ffe::2]:Remote-ID=rid-3ffe::2 force
+C set [qm-3ffe::1-3ffe::2]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-3ffe::1-3ffe::2]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-3ffe::1]:ID-type=IPV6_ADDR force
+C set [lid-3ffe::1]:Address=3ffe::1 force
+C set [rid-3ffe::2]:ID-type=IPV6_ADDR force
+C set [rid-3ffe::2]:Address=3ffe::2 force
+C set [lid-3ffe::1]:Protocol=97 force
+C set [rid-3ffe::2]:Protocol=97 force
+C add [Phase 2]:Connections=IPsec-3ffe::1-3ffe::2
diff --git a/regress/sbin/ipsecctl/ike31.in b/regress/sbin/ipsecctl/ike31.in
new file mode 100644
index 00000000000..c818df63fbd
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike31.in
@@ -0,0 +1 @@
+ike from 3ffe:2::1 to any peer 3ffe::1
diff --git a/regress/sbin/ipsecctl/ike31.ok b/regress/sbin/ipsecctl/ike31.ok
new file mode 100644
index 00000000000..46c7bdb7e8f
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike31.ok
@@ -0,0 +1,19 @@
+C set [Phase 1]:3ffe::1=peer-3ffe::1 force
+C set [peer-3ffe::1]:Phase=1 force
+C set [peer-3ffe::1]:Address=3ffe::1 force
+C set [peer-3ffe::1]:Configuration=mm-3ffe::1 force
+C set [mm-3ffe::1]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::1]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-3ffe:2::1-::/0]:Phase=2 force
+C set [IPsec-3ffe:2::1-::/0]:ISAKMP-peer=peer-3ffe::1 force
+C set [IPsec-3ffe:2::1-::/0]:Configuration=qm-3ffe:2::1-::/0 force
+C set [IPsec-3ffe:2::1-::/0]:Local-ID=lid-3ffe:2::1 force
+C set [IPsec-3ffe:2::1-::/0]:Remote-ID=rid-::/0 force
+C set [qm-3ffe:2::1-::/0]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-3ffe:2::1-::/0]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-3ffe:2::1]:ID-type=IPV6_ADDR force
+C set [lid-3ffe:2::1]:Address=3ffe:2::1 force
+C set [rid-::/0]:ID-type=IPV4_ADDR_SUBNET force
+C set [rid-::/0]:Network=0.0.0.0 force
+C set [rid-::/0]:Netmask=0.0.0.0 force
+C add [Phase 2]:Connections=IPsec-3ffe:2::1-::/0
diff --git a/regress/sbin/ipsecctl/ike32.in b/regress/sbin/ipsecctl/ike32.in
new file mode 100644
index 00000000000..8ad27e31ef7
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike32.in
@@ -0,0 +1 @@
+ike from 3ffe::1/24 to 10.1.2.0/24 peer 3ffe::1
diff --git a/regress/sbin/ipsecctl/ike32.ok b/regress/sbin/ipsecctl/ike32.ok
new file mode 100644
index 00000000000..a7981fb0a90
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike32.ok
@@ -0,0 +1,20 @@
+C set [Phase 1]:3ffe::1=peer-3ffe::1 force
+C set [peer-3ffe::1]:Phase=1 force
+C set [peer-3ffe::1]:Address=3ffe::1 force
+C set [peer-3ffe::1]:Configuration=mm-3ffe::1 force
+C set [mm-3ffe::1]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::1]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-3ffe::1/24-10.1.2.0/24]:Phase=2 force
+C set [IPsec-3ffe::1/24-10.1.2.0/24]:ISAKMP-peer=peer-3ffe::1 force
+C set [IPsec-3ffe::1/24-10.1.2.0/24]:Configuration=qm-3ffe::1/24-10.1.2.0/24 force
+C set [IPsec-3ffe::1/24-10.1.2.0/24]:Local-ID=lid-3ffe::1/24 force
+C set [IPsec-3ffe::1/24-10.1.2.0/24]:Remote-ID=rid-10.1.2.0/24 force
+C set [qm-3ffe::1/24-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-3ffe::1/24-10.1.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-3ffe::1/24]:ID-type=IPV6_ADDR_SUBNET force
+C set [lid-3ffe::1/24]:Network=3ffe::1 force
+C set [lid-3ffe::1/24]:Netmask=255.255.255.0 force
+C set [rid-10.1.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [rid-10.1.2.0/24]:Network=10.1.2.0 force
+C set [rid-10.1.2.0/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=IPsec-3ffe::1/24-10.1.2.0/24
diff --git a/regress/sbin/ipsecctl/ike33.in b/regress/sbin/ipsecctl/ike33.in
new file mode 100644
index 00000000000..db240853665
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike33.in
@@ -0,0 +1 @@
+ike from 10.1.2.0/24 to 3ffe::1/24 peer 3ffe::1
diff --git a/regress/sbin/ipsecctl/ike33.ok b/regress/sbin/ipsecctl/ike33.ok
new file mode 100644
index 00000000000..40089d0be3a
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike33.ok
@@ -0,0 +1,20 @@
+C set [Phase 1]:3ffe::1=peer-3ffe::1 force
+C set [peer-3ffe::1]:Phase=1 force
+C set [peer-3ffe::1]:Address=3ffe::1 force
+C set [peer-3ffe::1]:Configuration=mm-3ffe::1 force
+C set [mm-3ffe::1]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::1]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-10.1.2.0/24-3ffe::1/24]:Phase=2 force
+C set [IPsec-10.1.2.0/24-3ffe::1/24]:ISAKMP-peer=peer-3ffe::1 force
+C set [IPsec-10.1.2.0/24-3ffe::1/24]:Configuration=qm-10.1.2.0/24-3ffe::1/24 force
+C set [IPsec-10.1.2.0/24-3ffe::1/24]:Local-ID=lid-10.1.2.0/24 force
+C set [IPsec-10.1.2.0/24-3ffe::1/24]:Remote-ID=rid-3ffe::1/24 force
+C set [qm-10.1.2.0/24-3ffe::1/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-10.1.2.0/24-3ffe::1/24]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-10.1.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [lid-10.1.2.0/24]:Network=10.1.2.0 force
+C set [lid-10.1.2.0/24]:Netmask=255.255.255.0 force
+C set [rid-3ffe::1/24]:ID-type=IPV6_ADDR_SUBNET force
+C set [rid-3ffe::1/24]:Network=3ffe::1 force
+C set [rid-3ffe::1/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=IPsec-10.1.2.0/24-3ffe::1/24
diff --git a/regress/sbin/ipsecctl/ike34.in b/regress/sbin/ipsecctl/ike34.in
new file mode 100644
index 00000000000..a0375f0c14c
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike34.in
@@ -0,0 +1 @@
+ike from 3ffe::1/24 to 10.1.2.0/24 peer 1.2.3.4
diff --git a/regress/sbin/ipsecctl/ike34.ok b/regress/sbin/ipsecctl/ike34.ok
new file mode 100644
index 00000000000..45c129ad0db
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike34.ok
@@ -0,0 +1,20 @@
+C set [Phase 1]:1.2.3.4=peer-1.2.3.4 force
+C set [peer-1.2.3.4]:Phase=1 force
+C set [peer-1.2.3.4]:Address=1.2.3.4 force
+C set [peer-1.2.3.4]:Configuration=mm-1.2.3.4 force
+C set [mm-1.2.3.4]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-1.2.3.4]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-3ffe::1/24-10.1.2.0/24]:Phase=2 force
+C set [IPsec-3ffe::1/24-10.1.2.0/24]:ISAKMP-peer=peer-1.2.3.4 force
+C set [IPsec-3ffe::1/24-10.1.2.0/24]:Configuration=qm-3ffe::1/24-10.1.2.0/24 force
+C set [IPsec-3ffe::1/24-10.1.2.0/24]:Local-ID=lid-3ffe::1/24 force
+C set [IPsec-3ffe::1/24-10.1.2.0/24]:Remote-ID=rid-10.1.2.0/24 force
+C set [qm-3ffe::1/24-10.1.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-3ffe::1/24-10.1.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-3ffe::1/24]:ID-type=IPV6_ADDR_SUBNET force
+C set [lid-3ffe::1/24]:Network=3ffe::1 force
+C set [lid-3ffe::1/24]:Netmask=255.255.255.0 force
+C set [rid-10.1.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [rid-10.1.2.0/24]:Network=10.1.2.0 force
+C set [rid-10.1.2.0/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=IPsec-3ffe::1/24-10.1.2.0/24
diff --git a/regress/sbin/ipsecctl/ike35.in b/regress/sbin/ipsecctl/ike35.in
new file mode 100644
index 00000000000..ff23b4ad183
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike35.in
@@ -0,0 +1 @@
+ike from 10.1.2.0/24 to 3ffe::1/24 peer 1.2.3.4
diff --git a/regress/sbin/ipsecctl/ike35.ok b/regress/sbin/ipsecctl/ike35.ok
new file mode 100644
index 00000000000..147cb9fa6ff
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike35.ok
@@ -0,0 +1,20 @@
+C set [Phase 1]:1.2.3.4=peer-1.2.3.4 force
+C set [peer-1.2.3.4]:Phase=1 force
+C set [peer-1.2.3.4]:Address=1.2.3.4 force
+C set [peer-1.2.3.4]:Configuration=mm-1.2.3.4 force
+C set [mm-1.2.3.4]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-1.2.3.4]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-10.1.2.0/24-3ffe::1/24]:Phase=2 force
+C set [IPsec-10.1.2.0/24-3ffe::1/24]:ISAKMP-peer=peer-1.2.3.4 force
+C set [IPsec-10.1.2.0/24-3ffe::1/24]:Configuration=qm-10.1.2.0/24-3ffe::1/24 force
+C set [IPsec-10.1.2.0/24-3ffe::1/24]:Local-ID=lid-10.1.2.0/24 force
+C set [IPsec-10.1.2.0/24-3ffe::1/24]:Remote-ID=rid-3ffe::1/24 force
+C set [qm-10.1.2.0/24-3ffe::1/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-10.1.2.0/24-3ffe::1/24]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-10.1.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [lid-10.1.2.0/24]:Network=10.1.2.0 force
+C set [lid-10.1.2.0/24]:Netmask=255.255.255.0 force
+C set [rid-3ffe::1/24]:ID-type=IPV6_ADDR_SUBNET force
+C set [rid-3ffe::1/24]:Network=3ffe::1 force
+C set [rid-3ffe::1/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=IPsec-10.1.2.0/24-3ffe::1/24
diff --git a/regress/sbin/ipsecctl/ike36.in b/regress/sbin/ipsecctl/ike36.in
new file mode 100644
index 00000000000..ae00f247248
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike36.in
@@ -0,0 +1 @@
+ike from 3ffe::3 to 3ffe::4 peer 3ffe::1
diff --git a/regress/sbin/ipsecctl/ike36.ok b/regress/sbin/ipsecctl/ike36.ok
new file mode 100644
index 00000000000..1336ed16326
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike36.ok
@@ -0,0 +1,18 @@
+C set [Phase 1]:3ffe::1=peer-3ffe::1 force
+C set [peer-3ffe::1]:Phase=1 force
+C set [peer-3ffe::1]:Address=3ffe::1 force
+C set [peer-3ffe::1]:Configuration=mm-3ffe::1 force
+C set [mm-3ffe::1]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::1]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-3ffe::3-3ffe::4]:Phase=2 force
+C set [IPsec-3ffe::3-3ffe::4]:ISAKMP-peer=peer-3ffe::1 force
+C set [IPsec-3ffe::3-3ffe::4]:Configuration=qm-3ffe::3-3ffe::4 force
+C set [IPsec-3ffe::3-3ffe::4]:Local-ID=lid-3ffe::3 force
+C set [IPsec-3ffe::3-3ffe::4]:Remote-ID=rid-3ffe::4 force
+C set [qm-3ffe::3-3ffe::4]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-3ffe::3-3ffe::4]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-3ffe::3]:ID-type=IPV6_ADDR force
+C set [lid-3ffe::3]:Address=3ffe::3 force
+C set [rid-3ffe::4]:ID-type=IPV6_ADDR force
+C set [rid-3ffe::4]:Address=3ffe::4 force
+C add [Phase 2]:Connections=IPsec-3ffe::3-3ffe::4
diff --git a/regress/sbin/ipsecctl/ike37.in b/regress/sbin/ipsecctl/ike37.in
new file mode 100644
index 00000000000..dad86107c50
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike37.in
@@ -0,0 +1,2 @@
+ike from 3ffe:1::/64 to 3ffe:2::/64 peer 3ffe::1 \
+ srcid sharleena.as10.net dstid faui31o.informatik.uni-erlangen.de
diff --git a/regress/sbin/ipsecctl/ike37.ok b/regress/sbin/ipsecctl/ike37.ok
new file mode 100644
index 00000000000..7ad638ee1b4
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike37.ok
@@ -0,0 +1,26 @@
+C set [Phase 1]:3ffe::1=peer-3ffe::1 force
+C set [peer-3ffe::1]:Phase=1 force
+C set [peer-3ffe::1]:Address=3ffe::1 force
+C set [peer-3ffe::1]:Configuration=mm-3ffe::1 force
+C set [mm-3ffe::1]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::1]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [peer-3ffe::1]:ID=local-ID force
+C set [local-ID]:ID-type=FQDN force
+C set [local-ID]:Name=sharleena.as10.net force
+C set [peer-3ffe::1]:Remote-ID=3ffe::1-ID force
+C set [3ffe::1-ID]:ID-type=FQDN force
+C set [3ffe::1-ID]:Name=faui31o.informatik.uni-erlangen.de force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:Phase=2 force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:ISAKMP-peer=peer-3ffe::1 force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:Configuration=qm-3ffe:1::/64-3ffe:2::/64 force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:Local-ID=lid-3ffe:1::/64 force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:Remote-ID=rid-3ffe:2::/64 force
+C set [qm-3ffe:1::/64-3ffe:2::/64]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-3ffe:1::/64-3ffe:2::/64]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-3ffe:1::/64]:ID-type=IPV6_ADDR_SUBNET force
+C set [lid-3ffe:1::/64]:Network=3ffe:1:: force
+C set [lid-3ffe:1::/64]:Netmask=255.255.255.255 force
+C set [rid-3ffe:2::/64]:ID-type=IPV6_ADDR_SUBNET force
+C set [rid-3ffe:2::/64]:Network=3ffe:2:: force
+C set [rid-3ffe:2::/64]:Netmask=255.255.255.255 force
+C add [Phase 2]:Connections=IPsec-3ffe:1::/64-3ffe:2::/64
diff --git a/regress/sbin/ipsecctl/ike38.in b/regress/sbin/ipsecctl/ike38.in
new file mode 100644
index 00000000000..2f0968bc08b
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike38.in
@@ -0,0 +1,9 @@
+ike esp from 3ffe:1::/64 to 3ffe:2::/64 peer 3ffe::29 \
+ main auth hmac-sha1 enc 3des group modp3072 \
+ quick auth hmac-sha1 enc 3des group modp3072 \
+ srcid sharleena.as10.net dstid faui31o.informatik.uni-erlangen.de
+ike esp from 3ffe::51 to 3ffe::29 \
+ main auth hmac-sha1 enc aes group modp3072 \
+ quick auth hmac-sha2-256 enc aes group modp3072 \
+ srcid sharleena.as10.net dstid faui31o.informatik.uni-erlangen.de
+
diff --git a/regress/sbin/ipsecctl/ike38.ok b/regress/sbin/ipsecctl/ike38.ok
new file mode 100644
index 00000000000..9f8e3987a89
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike38.ok
@@ -0,0 +1,50 @@
+C set [Phase 1]:3ffe::29=peer-3ffe::29 force
+C set [peer-3ffe::29]:Phase=1 force
+C set [peer-3ffe::29]:Address=3ffe::29 force
+C set [peer-3ffe::29]:Configuration=mm-3ffe::29 force
+C set [mm-3ffe::29]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::29]:Transforms=3DES-SHA-GRP15-RSA_SIG force
+C set [peer-3ffe::29]:ID=local-ID force
+C set [local-ID]:ID-type=FQDN force
+C set [local-ID]:Name=sharleena.as10.net force
+C set [peer-3ffe::29]:Remote-ID=3ffe::29-ID force
+C set [3ffe::29-ID]:ID-type=FQDN force
+C set [3ffe::29-ID]:Name=faui31o.informatik.uni-erlangen.de force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:Phase=2 force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:ISAKMP-peer=peer-3ffe::29 force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:Configuration=qm-3ffe:1::/64-3ffe:2::/64 force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:Local-ID=lid-3ffe:1::/64 force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:Remote-ID=rid-3ffe:2::/64 force
+C set [qm-3ffe:1::/64-3ffe:2::/64]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-3ffe:1::/64-3ffe:2::/64]:Suites=QM-ESP-3DES-SHA-PFS-GRP15-SUITE force
+C set [lid-3ffe:1::/64]:ID-type=IPV6_ADDR_SUBNET force
+C set [lid-3ffe:1::/64]:Network=3ffe:1:: force
+C set [lid-3ffe:1::/64]:Netmask=255.255.255.255 force
+C set [rid-3ffe:2::/64]:ID-type=IPV6_ADDR_SUBNET force
+C set [rid-3ffe:2::/64]:Network=3ffe:2:: force
+C set [rid-3ffe:2::/64]:Netmask=255.255.255.255 force
+C add [Phase 2]:Connections=IPsec-3ffe:1::/64-3ffe:2::/64
+C set [Phase 1]:3ffe::29=peer-3ffe::29 force
+C set [peer-3ffe::29]:Phase=1 force
+C set [peer-3ffe::29]:Address=3ffe::29 force
+C set [peer-3ffe::29]:Configuration=mm-3ffe::29 force
+C set [mm-3ffe::29]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::29]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [peer-3ffe::29]:ID=local-ID force
+C set [local-ID]:ID-type=FQDN force
+C set [local-ID]:Name=sharleena.as10.net force
+C set [peer-3ffe::29]:Remote-ID=3ffe::29-ID force
+C set [3ffe::29-ID]:ID-type=FQDN force
+C set [3ffe::29-ID]:Name=faui31o.informatik.uni-erlangen.de force
+C set [IPsec-3ffe::51-3ffe::29]:Phase=2 force
+C set [IPsec-3ffe::51-3ffe::29]:ISAKMP-peer=peer-3ffe::29 force
+C set [IPsec-3ffe::51-3ffe::29]:Configuration=qm-3ffe::51-3ffe::29 force
+C set [IPsec-3ffe::51-3ffe::29]:Local-ID=lid-3ffe::51 force
+C set [IPsec-3ffe::51-3ffe::29]:Remote-ID=rid-3ffe::29 force
+C set [qm-3ffe::51-3ffe::29]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-3ffe::51-3ffe::29]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-3ffe::51]:ID-type=IPV6_ADDR force
+C set [lid-3ffe::51]:Address=3ffe::51 force
+C set [rid-3ffe::29]:ID-type=IPV6_ADDR force
+C set [rid-3ffe::29]:Address=3ffe::29 force
+C add [Phase 2]:Connections=IPsec-3ffe::51-3ffe::29
diff --git a/regress/sbin/ipsecctl/ike39.in b/regress/sbin/ipsecctl/ike39.in
new file mode 100644
index 00000000000..b1c9c036f45
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike39.in
@@ -0,0 +1,2 @@
+ike from 3ffe:1::/64 to 3ffe:2::/64 peer 3ffe::29
+ike from 3ffe::51 to 3ffe::29
diff --git a/regress/sbin/ipsecctl/ike39.ok b/regress/sbin/ipsecctl/ike39.ok
new file mode 100644
index 00000000000..0c29945db02
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike39.ok
@@ -0,0 +1,38 @@
+C set [Phase 1]:3ffe::29=peer-3ffe::29 force
+C set [peer-3ffe::29]:Phase=1 force
+C set [peer-3ffe::29]:Address=3ffe::29 force
+C set [peer-3ffe::29]:Configuration=mm-3ffe::29 force
+C set [mm-3ffe::29]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::29]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:Phase=2 force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:ISAKMP-peer=peer-3ffe::29 force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:Configuration=qm-3ffe:1::/64-3ffe:2::/64 force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:Local-ID=lid-3ffe:1::/64 force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:Remote-ID=rid-3ffe:2::/64 force
+C set [qm-3ffe:1::/64-3ffe:2::/64]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-3ffe:1::/64-3ffe:2::/64]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-3ffe:1::/64]:ID-type=IPV6_ADDR_SUBNET force
+C set [lid-3ffe:1::/64]:Network=3ffe:1:: force
+C set [lid-3ffe:1::/64]:Netmask=255.255.255.255 force
+C set [rid-3ffe:2::/64]:ID-type=IPV6_ADDR_SUBNET force
+C set [rid-3ffe:2::/64]:Network=3ffe:2:: force
+C set [rid-3ffe:2::/64]:Netmask=255.255.255.255 force
+C add [Phase 2]:Connections=IPsec-3ffe:1::/64-3ffe:2::/64
+C set [Phase 1]:3ffe::29=peer-3ffe::29 force
+C set [peer-3ffe::29]:Phase=1 force
+C set [peer-3ffe::29]:Address=3ffe::29 force
+C set [peer-3ffe::29]:Configuration=mm-3ffe::29 force
+C set [mm-3ffe::29]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::29]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-3ffe::51-3ffe::29]:Phase=2 force
+C set [IPsec-3ffe::51-3ffe::29]:ISAKMP-peer=peer-3ffe::29 force
+C set [IPsec-3ffe::51-3ffe::29]:Configuration=qm-3ffe::51-3ffe::29 force
+C set [IPsec-3ffe::51-3ffe::29]:Local-ID=lid-3ffe::51 force
+C set [IPsec-3ffe::51-3ffe::29]:Remote-ID=rid-3ffe::29 force
+C set [qm-3ffe::51-3ffe::29]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-3ffe::51-3ffe::29]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-3ffe::51]:ID-type=IPV6_ADDR force
+C set [lid-3ffe::51]:Address=3ffe::51 force
+C set [rid-3ffe::29]:ID-type=IPV6_ADDR force
+C set [rid-3ffe::29]:Address=3ffe::29 force
+C add [Phase 2]:Connections=IPsec-3ffe::51-3ffe::29
diff --git a/regress/sbin/ipsecctl/ike40.in b/regress/sbin/ipsecctl/ike40.in
new file mode 100644
index 00000000000..a9d288e7b80
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike40.in
@@ -0,0 +1,2 @@
+ike passive from 3ffe:1::/64 to 3ffe:2::/64 peer 3ffe::51
+ike passive from 3ffe::29 to 3ffe::51
diff --git a/regress/sbin/ipsecctl/ike40.ok b/regress/sbin/ipsecctl/ike40.ok
new file mode 100644
index 00000000000..2df6a5e8590
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike40.ok
@@ -0,0 +1,38 @@
+C set [Phase 1]:3ffe::51=peer-3ffe::51 force
+C set [peer-3ffe::51]:Phase=1 force
+C set [peer-3ffe::51]:Address=3ffe::51 force
+C set [peer-3ffe::51]:Configuration=mm-3ffe::51 force
+C set [mm-3ffe::51]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::51]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:Phase=2 force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:ISAKMP-peer=peer-3ffe::51 force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:Configuration=qm-3ffe:1::/64-3ffe:2::/64 force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:Local-ID=lid-3ffe:1::/64 force
+C set [IPsec-3ffe:1::/64-3ffe:2::/64]:Remote-ID=rid-3ffe:2::/64 force
+C set [qm-3ffe:1::/64-3ffe:2::/64]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-3ffe:1::/64-3ffe:2::/64]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-3ffe:1::/64]:ID-type=IPV6_ADDR_SUBNET force
+C set [lid-3ffe:1::/64]:Network=3ffe:1:: force
+C set [lid-3ffe:1::/64]:Netmask=255.255.255.255 force
+C set [rid-3ffe:2::/64]:ID-type=IPV6_ADDR_SUBNET force
+C set [rid-3ffe:2::/64]:Network=3ffe:2:: force
+C set [rid-3ffe:2::/64]:Netmask=255.255.255.255 force
+C add [Phase 2]:Passive-Connections=IPsec-3ffe:1::/64-3ffe:2::/64
+C set [Phase 1]:3ffe::51=peer-3ffe::51 force
+C set [peer-3ffe::51]:Phase=1 force
+C set [peer-3ffe::51]:Address=3ffe::51 force
+C set [peer-3ffe::51]:Configuration=mm-3ffe::51 force
+C set [mm-3ffe::51]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-3ffe::51]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-3ffe::29-3ffe::51]:Phase=2 force
+C set [IPsec-3ffe::29-3ffe::51]:ISAKMP-peer=peer-3ffe::51 force
+C set [IPsec-3ffe::29-3ffe::51]:Configuration=qm-3ffe::29-3ffe::51 force
+C set [IPsec-3ffe::29-3ffe::51]:Local-ID=lid-3ffe::29 force
+C set [IPsec-3ffe::29-3ffe::51]:Remote-ID=rid-3ffe::51 force
+C set [qm-3ffe::29-3ffe::51]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-3ffe::29-3ffe::51]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-3ffe::29]:ID-type=IPV6_ADDR force
+C set [lid-3ffe::29]:Address=3ffe::29 force
+C set [rid-3ffe::51]:ID-type=IPV6_ADDR force
+C set [rid-3ffe::51]:Address=3ffe::51 force
+C add [Phase 2]:Passive-Connections=IPsec-3ffe::29-3ffe::51
diff --git a/regress/sbin/ipsecctl/ikefail1.in b/regress/sbin/ipsecctl/ikefail1.in
new file mode 100644
index 00000000000..bf4708d61ae
--- /dev/null
+++ b/regress/sbin/ipsecctl/ikefail1.in
@@ -0,0 +1 @@
+ike esp from 3ffe::1 to 1.1.1.1
diff --git a/regress/sbin/ipsecctl/ikefail1.ok b/regress/sbin/ipsecctl/ikefail1.ok
new file mode 100644
index 00000000000..250d9f5726c
--- /dev/null
+++ b/regress/sbin/ipsecctl/ikefail1.ok
@@ -0,0 +1,2 @@
+stdin: 1: rule expands to no valid combination
+ipsecctl: Syntax error in config file: ipsec rules not loaded
diff --git a/regress/sbin/ipsecctl/ikefail2.in b/regress/sbin/ipsecctl/ikefail2.in
new file mode 100644
index 00000000000..204fde1ed38
--- /dev/null
+++ b/regress/sbin/ipsecctl/ikefail2.in
@@ -0,0 +1,2 @@
+ike from 3ffe::1 to any local 3ffe:3::2 peer 192.168.3.1
+ike from 3ffe::1 to any peer 3ffe:3::1 local 3ffe:3::2
diff --git a/regress/sbin/ipsecctl/ikefail2.ok b/regress/sbin/ipsecctl/ikefail2.ok
new file mode 100644
index 00000000000..07eff6466ef
--- /dev/null
+++ b/regress/sbin/ipsecctl/ikefail2.ok
@@ -0,0 +1,3 @@
+stdin: 1: src and dst addresses do not match
+stdin: 2: src and dst addresses do not match
+ipsecctl: Syntax error in config file: ipsec rules not loaded
diff --git a/regress/sbin/ipsecctl/ipsec25.in b/regress/sbin/ipsecctl/ipsec25.in
new file mode 100644
index 00000000000..09f71fe327d
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec25.in
@@ -0,0 +1 @@
+flow from 3ffe::1 to 3ffe::2
diff --git a/regress/sbin/ipsecctl/ipsec25.ok b/regress/sbin/ipsecctl/ipsec25.ok
new file mode 100644
index 00000000000..5ec14100134
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec25.ok
@@ -0,0 +1,2 @@
+flow esp out from 3ffe::1 to 3ffe::2 peer 3ffe::2 type require
+flow esp in from 3ffe::2 to 3ffe::1 peer 3ffe::2 type require
diff --git a/regress/sbin/ipsecctl/ipsec26.in b/regress/sbin/ipsecctl/ipsec26.in
new file mode 100644
index 00000000000..0745de15753
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec26.in
@@ -0,0 +1,3 @@
+flow ah from 3ffe:1::1 to 3ffe:3::/24 peer 3ffe:2::1 \
+ srcid host1.one.net \
+ dstid host2.two.net
diff --git a/regress/sbin/ipsecctl/ipsec26.ok b/regress/sbin/ipsecctl/ipsec26.ok
new file mode 100644
index 00000000000..a168f06a77a
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec26.ok
@@ -0,0 +1,2 @@
+flow ah out from 3ffe:1::1 to 3ffe:3::/24 peer 3ffe:2::1 srcid host1.one.net dstid host2.two.net type require
+flow ah in from 3ffe:3::/24 to 3ffe:1::1 peer 3ffe:2::1 srcid host1.one.net dstid host2.two.net type require
diff --git a/regress/sbin/ipsecctl/ipsec27.in b/regress/sbin/ipsecctl/ipsec27.in
new file mode 100644
index 00000000000..8db230ebb82
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec27.in
@@ -0,0 +1 @@
+flow ah from 3ffe::1 to 3ffe::2 srcid host1.one.net dstid host2.two.net
diff --git a/regress/sbin/ipsecctl/ipsec27.ok b/regress/sbin/ipsecctl/ipsec27.ok
new file mode 100644
index 00000000000..4b19ead6de0
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec27.ok
@@ -0,0 +1,2 @@
+flow ah out from 3ffe::1 to 3ffe::2 peer 3ffe::2 srcid host1.one.net dstid host2.two.net type require
+flow ah in from 3ffe::2 to 3ffe::1 peer 3ffe::2 srcid host1.one.net dstid host2.two.net type require
diff --git a/regress/sbin/ipsecctl/ipsec28.in b/regress/sbin/ipsecctl/ipsec28.in
new file mode 100644
index 00000000000..18cb2c9310d
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec28.in
@@ -0,0 +1 @@
+flow ah from 3ffe::1 to 3ffe::2
diff --git a/regress/sbin/ipsecctl/ipsec28.ok b/regress/sbin/ipsecctl/ipsec28.ok
new file mode 100644
index 00000000000..3d6c5cfc5d9
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec28.ok
@@ -0,0 +1,2 @@
+flow ah out from 3ffe::1 to 3ffe::2 peer 3ffe::2 type require
+flow ah in from 3ffe::2 to 3ffe::1 peer 3ffe::2 type require
diff --git a/regress/sbin/ipsecctl/ipsec29.in b/regress/sbin/ipsecctl/ipsec29.in
new file mode 100644
index 00000000000..e8fd843793a
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec29.in
@@ -0,0 +1,6 @@
+flow esp out from 3ffe:1::/16 to 3ffe:2::/24 peer 3ffe::2 \
+ srcid host1.one.net \
+ dstid host2.two.net
+flow esp in from 3ffe:1::/24 to 3ffe:2::/16 peer 3ffe::2 \
+ srcid host1.one.net \
+ dstid host2.two.net
diff --git a/regress/sbin/ipsecctl/ipsec29.ok b/regress/sbin/ipsecctl/ipsec29.ok
new file mode 100644
index 00000000000..d0409c7e521
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec29.ok
@@ -0,0 +1,2 @@
+flow esp out from 3ffe:1::/16 to 3ffe:2::/24 peer 3ffe::2 srcid host1.one.net dstid host2.two.net type require
+flow esp in from 3ffe:1::/24 to 3ffe:2::/16 peer 3ffe::2 srcid host1.one.net dstid host2.two.net type require
diff --git a/regress/sbin/ipsecctl/ipsec30.in b/regress/sbin/ipsecctl/ipsec30.in
new file mode 100644
index 00000000000..a25d79902e6
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec30.in
@@ -0,0 +1,3 @@
+flow esp from 3ffe:1::/16 to 3ffe:3::/24 peer 3ffe::2 \
+ srcid host1.one.net \
+ dstid host2.two.net
diff --git a/regress/sbin/ipsecctl/ipsec30.ok b/regress/sbin/ipsecctl/ipsec30.ok
new file mode 100644
index 00000000000..9aeb0fa8a43
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec30.ok
@@ -0,0 +1,2 @@
+flow esp out from 3ffe:1::/16 to 3ffe:3::/24 peer 3ffe::2 srcid host1.one.net dstid host2.two.net type require
+flow esp in from 3ffe:3::/24 to 3ffe:1::/16 peer 3ffe::2 srcid host1.one.net dstid host2.two.net type require
diff --git a/regress/sbin/ipsecctl/ipsec31.in b/regress/sbin/ipsecctl/ipsec31.in
new file mode 100644
index 00000000000..1f2c089394a
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec31.in
@@ -0,0 +1,3 @@
+flow esp from 3ffe:1::1 to 3ffe:3::/64 peer 3ffe:2::1 \
+ srcid host1.one.net \
+ dstid host2.two.net
diff --git a/regress/sbin/ipsecctl/ipsec31.ok b/regress/sbin/ipsecctl/ipsec31.ok
new file mode 100644
index 00000000000..6812f6f429e
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec31.ok
@@ -0,0 +1,2 @@
+flow esp out from 3ffe:1::1 to 3ffe:3::/64 peer 3ffe:2::1 srcid host1.one.net dstid host2.two.net type require
+flow esp in from 3ffe:3::/64 to 3ffe:1::1 peer 3ffe:2::1 srcid host1.one.net dstid host2.two.net type require
diff --git a/regress/sbin/ipsecctl/ipsec32.in b/regress/sbin/ipsecctl/ipsec32.in
new file mode 100644
index 00000000000..daf471754c7
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec32.in
@@ -0,0 +1,3 @@
+flow ah from 3ffe:4::/16 to 3ff3:3::/24 peer 3ffe::2 \
+ srcid host1.one.net \
+ dstid host2.two.net
diff --git a/regress/sbin/ipsecctl/ipsec32.ok b/regress/sbin/ipsecctl/ipsec32.ok
new file mode 100644
index 00000000000..de29916cf18
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec32.ok
@@ -0,0 +1,2 @@
+flow ah out from 3ffe:4::/16 to 3ff3:3::/24 peer 3ffe::2 srcid host1.one.net dstid host2.two.net type require
+flow ah in from 3ff3:3::/24 to 3ffe:4::/16 peer 3ffe::2 srcid host1.one.net dstid host2.two.net type require
diff --git a/regress/sbin/ipsecctl/ipsec33.in b/regress/sbin/ipsecctl/ipsec33.in
new file mode 100644
index 00000000000..3a41dc084de
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec33.in
@@ -0,0 +1,6 @@
+flow ah out from 3ffe:4::/16 to 3ffe:3::/24 peer 3ffe::2 \
+ srcid host1.one.net \
+ dstid host2.two.net
+flow ah in from 3ffe:3::/24 to 3ffe:4::/16 peer 3ffe::2 \
+ srcid host1.one.net \
+ dstid host2.two.net
diff --git a/regress/sbin/ipsecctl/ipsec33.ok b/regress/sbin/ipsecctl/ipsec33.ok
new file mode 100644
index 00000000000..eb626f3beb0
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec33.ok
@@ -0,0 +1,2 @@
+flow ah out from 3ffe:4::/16 to 3ffe:3::/24 peer 3ffe::2 srcid host1.one.net dstid host2.two.net type require
+flow ah in from 3ffe:3::/24 to 3ffe:4::/16 peer 3ffe::2 srcid host1.one.net dstid host2.two.net type require
diff --git a/regress/sbin/ipsecctl/ipsec34.in b/regress/sbin/ipsecctl/ipsec34.in
new file mode 100644
index 00000000000..550d73a5251
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec34.in
@@ -0,0 +1,14 @@
+flow esp out from 3ffe::3 to 3ffe::2 peer 3ffe::3
+flow esp in from 3ffe::2 to 3ffe::3 peer 3ffe::3
+flow esp out from 3ffe::3 to 3ffe::2 peer 3ffe::3 type use
+flow esp in from 3ffe::2 to 3ffe::3 peer 3ffe::3 type use
+flow esp out from 3ffe::3 to 3ffe::2 peer 3ffe::3 type require
+flow esp in from 3ffe::2 to 3ffe::3 peer 3ffe::3 type require
+flow esp out from 3ffe::3 to 3ffe::2 peer 3ffe::3 type acquire
+flow esp in from 3ffe::2 to 3ffe::3 peer 3ffe::3 type acquire
+flow esp out from 3ffe::3 to 3ffe::2 peer 3ffe::3 type dontacq
+flow esp in from 3ffe::2 to 3ffe::3 peer 3ffe::3 type dontacq
+flow esp out from 3ffe::3 to 3ffe::2 type bypass
+flow esp in from 3ffe::2 to 3ffe::3 type bypass
+flow esp out from 3ffe::3 to 3ffe::2 type deny
+flow esp in from 3ffe::2 to 3ffe::3 type deny
diff --git a/regress/sbin/ipsecctl/ipsec34.ok b/regress/sbin/ipsecctl/ipsec34.ok
new file mode 100644
index 00000000000..229f2b04dfa
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec34.ok
@@ -0,0 +1,14 @@
+flow esp out from 3ffe::3 to 3ffe::2 peer 3ffe::3 type require
+flow esp in from 3ffe::2 to 3ffe::3 peer 3ffe::3 type require
+flow esp out from 3ffe::3 to 3ffe::2 peer 3ffe::3 type use
+flow esp in from 3ffe::2 to 3ffe::3 peer 3ffe::3 type use
+flow esp out from 3ffe::3 to 3ffe::2 peer 3ffe::3 type require
+flow esp in from 3ffe::2 to 3ffe::3 peer 3ffe::3 type require
+flow esp out from 3ffe::3 to 3ffe::2 peer 3ffe::3 type acquire
+flow esp in from 3ffe::2 to 3ffe::3 peer 3ffe::3 type acquire
+flow esp out from 3ffe::3 to 3ffe::2 peer 3ffe::3 type dontacq
+flow esp in from 3ffe::2 to 3ffe::3 peer 3ffe::3 type dontacq
+flow esp out from 3ffe::3 to 3ffe::2 type bypass
+flow esp in from 3ffe::2 to 3ffe::3 type bypass
+flow esp out from 3ffe::3 to 3ffe::2 type deny
+flow esp in from 3ffe::2 to 3ffe::3 type deny
diff --git a/regress/sbin/ipsecctl/ipsec35.in b/regress/sbin/ipsecctl/ipsec35.in
new file mode 100644
index 00000000000..e39a067f986
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec35.in
@@ -0,0 +1 @@
+flow ipip out from :: to 3ffe:2::/24 peer 3ffe::1
diff --git a/regress/sbin/ipsecctl/ipsec35.ok b/regress/sbin/ipsecctl/ipsec35.ok
new file mode 100644
index 00000000000..a95fc504494
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec35.ok
@@ -0,0 +1 @@
+flow ipip out from :: to 3ffe:2::/24 peer 3ffe::1 type require
diff --git a/regress/sbin/ipsecctl/ipsec36.in b/regress/sbin/ipsecctl/ipsec36.in
new file mode 100644
index 00000000000..1bdaea71aca
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec36.in
@@ -0,0 +1,2 @@
+flow esp from 3ffe:1::0/24 to 3ffe:2::/24 local 3ffe::1 peer 3ffe:100::1
+flow esp from 3ffe:1::0/24 to 3ffe:2::/24 peer 3ffe:100::1 local 3ffe::1
diff --git a/regress/sbin/ipsecctl/ipsec36.ok b/regress/sbin/ipsecctl/ipsec36.ok
new file mode 100644
index 00000000000..9b02f0d2586
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec36.ok
@@ -0,0 +1,4 @@
+flow esp out from 3ffe:1::/24 to 3ffe:2::/24 local 3ffe::1 peer 3ffe:100::1 type require
+flow esp in from 3ffe:2::/24 to 3ffe:1::/24 local 3ffe::1 peer 3ffe:100::1 type require
+flow esp out from 3ffe:1::/24 to 3ffe:2::/24 local 3ffe::1 peer 3ffe:100::1 type require
+flow esp in from 3ffe:2::/24 to 3ffe:1::/24 local 3ffe::1 peer 3ffe:100::1 type require
diff --git a/regress/sbin/ipsecctl/ipsec37.in b/regress/sbin/ipsecctl/ipsec37.in
new file mode 100644
index 00000000000..1eefa3cea2c
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec37.in
@@ -0,0 +1,5 @@
+a="3ffe:1::/24"
+b="3ffe:2::/24"
+l="3ffe::1"
+p="3ffe:100::1"
+flow esp from $a to $b local $l peer $p
diff --git a/regress/sbin/ipsecctl/ipsec37.ok b/regress/sbin/ipsecctl/ipsec37.ok
new file mode 100644
index 00000000000..9c0d83559ae
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec37.ok
@@ -0,0 +1,6 @@
+a = "3ffe:1::/24"
+b = "3ffe:2::/24"
+l = "3ffe::1"
+p = "3ffe:100::1"
+flow esp out from 3ffe:1::/24 to 3ffe:2::/24 local 3ffe::1 peer 3ffe:100::1 type require
+flow esp in from 3ffe:2::/24 to 3ffe:1::/24 local 3ffe::1 peer 3ffe:100::1 type require
diff --git a/regress/sbin/ipsecctl/ipsec38.in b/regress/sbin/ipsecctl/ipsec38.in
new file mode 100644
index 00000000000..7cc417a03ac
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec38.in
@@ -0,0 +1 @@
+flow in from 3ffe:3::/24 to 3ffe:3::/24 type bypass
diff --git a/regress/sbin/ipsecctl/ipsec38.ok b/regress/sbin/ipsecctl/ipsec38.ok
new file mode 100644
index 00000000000..f7edb8de6d3
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec38.ok
@@ -0,0 +1 @@
+flow esp in from 3ffe:3::/24 to 3ffe:3::/24 type bypass
diff --git a/regress/sbin/ipsecctl/ipsec39.in b/regress/sbin/ipsecctl/ipsec39.in
new file mode 100644
index 00000000000..fbe81ee3247
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec39.in
@@ -0,0 +1 @@
+flow in from any to 3ffe:3::/24 type deny
diff --git a/regress/sbin/ipsecctl/ipsec39.ok b/regress/sbin/ipsecctl/ipsec39.ok
new file mode 100644
index 00000000000..331f92c49ed
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec39.ok
@@ -0,0 +1 @@
+flow esp in from 0.0.0.0/0 to 3ffe:3::/24 type deny
diff --git a/regress/sbin/ipsecctl/ipsec40.in b/regress/sbin/ipsecctl/ipsec40.in
new file mode 100644
index 00000000000..d622820e13e
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec40.in
@@ -0,0 +1,2 @@
+flow esp proto etherip from 3ffe:1::1 to 3ffe:1::2
+flow esp proto 97 from 3ffe:2::1 to 3ffe:3::1
diff --git a/regress/sbin/ipsecctl/ipsec40.ok b/regress/sbin/ipsecctl/ipsec40.ok
new file mode 100644
index 00000000000..253aa3914d9
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec40.ok
@@ -0,0 +1,4 @@
+flow esp out proto etherip from 3ffe:1::1 to 3ffe:1::2 peer 3ffe:1::2 type require
+flow esp in proto etherip from 3ffe:1::2 to 3ffe:1::1 peer 3ffe:1::2 type require
+flow esp out proto etherip from 3ffe:2::1 to 3ffe:3::1 peer 3ffe:3::1 type require
+flow esp in proto etherip from 3ffe:3::1 to 3ffe:2::1 peer 3ffe:3::1 type require
diff --git a/regress/sbin/ipsecctl/ipsec41.in b/regress/sbin/ipsecctl/ipsec41.in
new file mode 100644
index 00000000000..f8b21d7c947
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec41.in
@@ -0,0 +1,7 @@
+flow esp from 3ffe::3 to 3ffe::2 peer 3ffe::3
+flow esp from 3ffe::3 to 3ffe::2 peer 3ffe::3 type use
+flow esp from 3ffe::3 to 3ffe::2 peer 3ffe::3 type require
+flow esp from 3ffe::3 to 3ffe::2 peer 3ffe::3 type acquire
+flow esp from 3ffe::3 to 3ffe::2 peer 3ffe::3 type dontacq
+flow esp from 3ffe::3 to 3ffe::2 type bypass
+flow esp from 3ffe::3 to 3ffe::2 type deny
diff --git a/regress/sbin/ipsecctl/ipsec41.ok b/regress/sbin/ipsecctl/ipsec41.ok
new file mode 100644
index 00000000000..229f2b04dfa
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec41.ok
@@ -0,0 +1,14 @@
+flow esp out from 3ffe::3 to 3ffe::2 peer 3ffe::3 type require
+flow esp in from 3ffe::2 to 3ffe::3 peer 3ffe::3 type require
+flow esp out from 3ffe::3 to 3ffe::2 peer 3ffe::3 type use
+flow esp in from 3ffe::2 to 3ffe::3 peer 3ffe::3 type use
+flow esp out from 3ffe::3 to 3ffe::2 peer 3ffe::3 type require
+flow esp in from 3ffe::2 to 3ffe::3 peer 3ffe::3 type require
+flow esp out from 3ffe::3 to 3ffe::2 peer 3ffe::3 type acquire
+flow esp in from 3ffe::2 to 3ffe::3 peer 3ffe::3 type acquire
+flow esp out from 3ffe::3 to 3ffe::2 peer 3ffe::3 type dontacq
+flow esp in from 3ffe::2 to 3ffe::3 peer 3ffe::3 type dontacq
+flow esp out from 3ffe::3 to 3ffe::2 type bypass
+flow esp in from 3ffe::2 to 3ffe::3 type bypass
+flow esp out from 3ffe::3 to 3ffe::2 type deny
+flow esp in from 3ffe::2 to 3ffe::3 type deny
diff --git a/regress/sbin/ipsecctl/ipsec42.in b/regress/sbin/ipsecctl/ipsec42.in
new file mode 100644
index 00000000000..5dd087d373d
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec42.in
@@ -0,0 +1 @@
+flow esp from 3ffe:1::1 to 3ffe:2::1
diff --git a/regress/sbin/ipsecctl/ipsec42.ok b/regress/sbin/ipsecctl/ipsec42.ok
new file mode 100644
index 00000000000..23b5f1bbbaa
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec42.ok
@@ -0,0 +1,2 @@
+flow esp out from 3ffe:1::1 to 3ffe:2::1 peer 3ffe:2::1 type require
+flow esp in from 3ffe:2::1 to 3ffe:1::1 peer 3ffe:2::1 type require
diff --git a/regress/sbin/ipsecctl/ipsec43.in b/regress/sbin/ipsecctl/ipsec43.in
new file mode 100644
index 00000000000..5fd71bd8af4
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec43.in
@@ -0,0 +1 @@
+flow esp from 3ffe:1::1 to 3ffe:2::2 srcid host1.one.net dstid host2.two.net
diff --git a/regress/sbin/ipsecctl/ipsec43.ok b/regress/sbin/ipsecctl/ipsec43.ok
new file mode 100644
index 00000000000..d3a7f77aa3c
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec43.ok
@@ -0,0 +1,2 @@
+flow esp out from 3ffe:1::1 to 3ffe:2::2 peer 3ffe:2::2 srcid host1.one.net dstid host2.two.net type require
+flow esp in from 3ffe:2::2 to 3ffe:1::1 peer 3ffe:2::2 srcid host1.one.net dstid host2.two.net type require
diff --git a/regress/sbin/ipsecctl/ipsec44.in b/regress/sbin/ipsecctl/ipsec44.in
new file mode 100644
index 00000000000..9c16b19481a
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec44.in
@@ -0,0 +1 @@
+flow esp from 3ffe:1::1 to 3ffe:3::/64 peer 3ffe:2::1
diff --git a/regress/sbin/ipsecctl/ipsec44.ok b/regress/sbin/ipsecctl/ipsec44.ok
new file mode 100644
index 00000000000..94c64d5b81e
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec44.ok
@@ -0,0 +1,2 @@
+flow esp out from 3ffe:1::1 to 3ffe:3::/64 peer 3ffe:2::1 type require
+flow esp in from 3ffe:3::/64 to 3ffe:1::1 peer 3ffe:2::1 type require
diff --git a/regress/sbin/ipsecctl/ipsec50.in b/regress/sbin/ipsecctl/ipsec50.in
new file mode 100644
index 00000000000..abf4df1b51d
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec50.in
@@ -0,0 +1 @@
+flow ah from 3ffe::1 to 3ffe:3::/24 peer 3ffe::2
diff --git a/regress/sbin/ipsecctl/ipsec50.ok b/regress/sbin/ipsecctl/ipsec50.ok
new file mode 100644
index 00000000000..f3d7fc71331
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec50.ok
@@ -0,0 +1,2 @@
+flow ah out from 3ffe::1 to 3ffe:3::/24 peer 3ffe::2 type require
+flow ah in from 3ffe:3::/24 to 3ffe::1 peer 3ffe::2 type require
diff --git a/regress/sbin/ipsecctl/ipsecfail1.in b/regress/sbin/ipsecctl/ipsecfail1.in
new file mode 100644
index 00000000000..d66603ff651
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsecfail1.in
@@ -0,0 +1 @@
+flow esp from 3ffe:2::1 to any peer 3ffe::2
diff --git a/regress/sbin/ipsecctl/ipsecfail1.ok b/regress/sbin/ipsecctl/ipsecfail1.ok
new file mode 100644
index 00000000000..250d9f5726c
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsecfail1.ok
@@ -0,0 +1,2 @@
+stdin: 1: rule expands to no valid combination
+ipsecctl: Syntax error in config file: ipsec rules not loaded
diff --git a/regress/sbin/ipsecctl/ipsecfail2.in b/regress/sbin/ipsecctl/ipsecfail2.in
new file mode 100644
index 00000000000..df5904574b9
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsecfail2.in
@@ -0,0 +1 @@
+flow from 3ffe::1 to 1.1.1.1
diff --git a/regress/sbin/ipsecctl/ipsecfail2.ok b/regress/sbin/ipsecctl/ipsecfail2.ok
new file mode 100644
index 00000000000..250d9f5726c
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsecfail2.ok
@@ -0,0 +1,2 @@
+stdin: 1: rule expands to no valid combination
+ipsecctl: Syntax error in config file: ipsec rules not loaded