summaryrefslogtreecommitdiff
path: root/regress
diff options
context:
space:
mode:
Diffstat (limited to 'regress')
-rw-r--r--regress/sbin/ipsecctl/Makefile6
-rw-r--r--regress/sbin/ipsecctl/ike61.in4
-rw-r--r--regress/sbin/ipsecctl/ike61.ok230
-rw-r--r--regress/sbin/ipsecctl/ikefail13.in2
-rw-r--r--regress/sbin/ipsecctl/ikefail13.ok2
5 files changed, 241 insertions, 3 deletions
diff --git a/regress/sbin/ipsecctl/Makefile b/regress/sbin/ipsecctl/Makefile
index 0153dc7698e..4fce7c55f97 100644
--- a/regress/sbin/ipsecctl/Makefile
+++ b/regress/sbin/ipsecctl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.52 2008/12/22 14:08:45 hshoexer Exp $
+# $OpenBSD: Makefile,v 1.53 2009/01/20 14:40:36 mpf Exp $
# you can update the *.ok files with: make -i | patch
# TARGETS
@@ -15,11 +15,11 @@ TCPMD5TESTS=1 2 3
SATESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
SAFAIL=1 2
IPSECFAIL=1 2 3
-IKEFAIL=1 3 4 5 6 8 9 10 11 12
+IKEFAIL=1 3 4 5 6 8 9 10 11 12 13
IKETESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
IKETESTS+=16 17 18 19 20 21 22 23
IKETESTS+=29 30 31 32 33 34 35 36 37 38 39 40
-IKETESTS+=41 42 43 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60
+IKETESTS+=41 42 43 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61
IKEDELTESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
IKEDELTESTS+=16 17 18 19 20 21 22 23
diff --git a/regress/sbin/ipsecctl/ike61.in b/regress/sbin/ipsecctl/ike61.in
new file mode 100644
index 00000000000..ebfe9b4bce8
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike61.in
@@ -0,0 +1,4 @@
+FROM="{ 2.2.2.0/24 (5.5.5.0/24), 3.3.3.0/24, 4.4.4.0/24 (6.6.6.0/24) }"
+TO="{ 5.5.5.0/24, 6.6.6.0/24, 7.7.7.0/24 }"
+ike from $FROM to $TO peer 1.1.1.1
+ike passive from 3ffe:1::/64 (affe:1::/64) to 3ffe:2::/64 peer 3ffe::51
diff --git a/regress/sbin/ipsecctl/ike61.ok b/regress/sbin/ipsecctl/ike61.ok
new file mode 100644
index 00000000000..0960408fb5d
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike61.ok
@@ -0,0 +1,230 @@
+FROM = "{ 2.2.2.0/24 (5.5.5.0/24), 3.3.3.0/24, 4.4.4.0/24 (6.6.6.0/24) }"
+TO = "{ 5.5.5.0/24, 6.6.6.0/24, 7.7.7.0/24 }"
+C set [Phase 1]:1.1.1.1=peer-1.1.1.1 force
+C set [peer-1.1.1.1]:Phase=1 force
+C set [peer-1.1.1.1]:Address=1.1.1.1 force
+C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force
+C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force
+C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force
+C set [from-2.2.2.0/24-to-5.5.5.0/24]:Phase=2 force
+C set [from-2.2.2.0/24-to-5.5.5.0/24]:ISAKMP-peer=peer-1.1.1.1 force
+C set [from-2.2.2.0/24-to-5.5.5.0/24]:Configuration=phase2-from-2.2.2.0/24-to-5.5.5.0/24 force
+C set [from-2.2.2.0/24-to-5.5.5.0/24]:Local-ID=from-2.2.2.0/24 force
+C set [from-2.2.2.0/24-to-5.5.5.0/24]:NAT-ID=nat-5.5.5.0/24 force
+C set [from-2.2.2.0/24-to-5.5.5.0/24]:Remote-ID=to-5.5.5.0/24 force
+C set [phase2-from-2.2.2.0/24-to-5.5.5.0/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [phase2-from-2.2.2.0/24-to-5.5.5.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [from-2.2.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [from-2.2.2.0/24]:Network=2.2.2.0 force
+C set [from-2.2.2.0/24]:Netmask=255.255.255.0 force
+C set [nat-5.5.5.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [nat-5.5.5.0/24]:Network=5.5.5.0 force
+C set [nat-5.5.5.0/24]:Netmask=255.255.255.0 force
+C set [to-5.5.5.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [to-5.5.5.0/24]:Network=5.5.5.0 force
+C set [to-5.5.5.0/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=from-2.2.2.0/24-to-5.5.5.0/24
+C set [Phase 1]:1.1.1.1=peer-1.1.1.1 force
+C set [peer-1.1.1.1]:Phase=1 force
+C set [peer-1.1.1.1]:Address=1.1.1.1 force
+C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force
+C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force
+C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force
+C set [from-2.2.2.0/24-to-6.6.6.0/24]:Phase=2 force
+C set [from-2.2.2.0/24-to-6.6.6.0/24]:ISAKMP-peer=peer-1.1.1.1 force
+C set [from-2.2.2.0/24-to-6.6.6.0/24]:Configuration=phase2-from-2.2.2.0/24-to-6.6.6.0/24 force
+C set [from-2.2.2.0/24-to-6.6.6.0/24]:Local-ID=from-2.2.2.0/24 force
+C set [from-2.2.2.0/24-to-6.6.6.0/24]:NAT-ID=nat-5.5.5.0/24 force
+C set [from-2.2.2.0/24-to-6.6.6.0/24]:Remote-ID=to-6.6.6.0/24 force
+C set [phase2-from-2.2.2.0/24-to-6.6.6.0/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [phase2-from-2.2.2.0/24-to-6.6.6.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [from-2.2.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [from-2.2.2.0/24]:Network=2.2.2.0 force
+C set [from-2.2.2.0/24]:Netmask=255.255.255.0 force
+C set [nat-5.5.5.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [nat-5.5.5.0/24]:Network=5.5.5.0 force
+C set [nat-5.5.5.0/24]:Netmask=255.255.255.0 force
+C set [to-6.6.6.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [to-6.6.6.0/24]:Network=6.6.6.0 force
+C set [to-6.6.6.0/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=from-2.2.2.0/24-to-6.6.6.0/24
+C set [Phase 1]:1.1.1.1=peer-1.1.1.1 force
+C set [peer-1.1.1.1]:Phase=1 force
+C set [peer-1.1.1.1]:Address=1.1.1.1 force
+C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force
+C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force
+C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force
+C set [from-2.2.2.0/24-to-7.7.7.0/24]:Phase=2 force
+C set [from-2.2.2.0/24-to-7.7.7.0/24]:ISAKMP-peer=peer-1.1.1.1 force
+C set [from-2.2.2.0/24-to-7.7.7.0/24]:Configuration=phase2-from-2.2.2.0/24-to-7.7.7.0/24 force
+C set [from-2.2.2.0/24-to-7.7.7.0/24]:Local-ID=from-2.2.2.0/24 force
+C set [from-2.2.2.0/24-to-7.7.7.0/24]:NAT-ID=nat-5.5.5.0/24 force
+C set [from-2.2.2.0/24-to-7.7.7.0/24]:Remote-ID=to-7.7.7.0/24 force
+C set [phase2-from-2.2.2.0/24-to-7.7.7.0/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [phase2-from-2.2.2.0/24-to-7.7.7.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [from-2.2.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [from-2.2.2.0/24]:Network=2.2.2.0 force
+C set [from-2.2.2.0/24]:Netmask=255.255.255.0 force
+C set [nat-5.5.5.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [nat-5.5.5.0/24]:Network=5.5.5.0 force
+C set [nat-5.5.5.0/24]:Netmask=255.255.255.0 force
+C set [to-7.7.7.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [to-7.7.7.0/24]:Network=7.7.7.0 force
+C set [to-7.7.7.0/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=from-2.2.2.0/24-to-7.7.7.0/24
+C set [Phase 1]:1.1.1.1=peer-1.1.1.1 force
+C set [peer-1.1.1.1]:Phase=1 force
+C set [peer-1.1.1.1]:Address=1.1.1.1 force
+C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force
+C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force
+C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force
+C set [from-3.3.3.0/24-to-5.5.5.0/24]:Phase=2 force
+C set [from-3.3.3.0/24-to-5.5.5.0/24]:ISAKMP-peer=peer-1.1.1.1 force
+C set [from-3.3.3.0/24-to-5.5.5.0/24]:Configuration=phase2-from-3.3.3.0/24-to-5.5.5.0/24 force
+C set [from-3.3.3.0/24-to-5.5.5.0/24]:Local-ID=from-3.3.3.0/24 force
+C set [from-3.3.3.0/24-to-5.5.5.0/24]:Remote-ID=to-5.5.5.0/24 force
+C set [phase2-from-3.3.3.0/24-to-5.5.5.0/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [phase2-from-3.3.3.0/24-to-5.5.5.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [from-3.3.3.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [from-3.3.3.0/24]:Network=3.3.3.0 force
+C set [from-3.3.3.0/24]:Netmask=255.255.255.0 force
+C set [to-5.5.5.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [to-5.5.5.0/24]:Network=5.5.5.0 force
+C set [to-5.5.5.0/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=from-3.3.3.0/24-to-5.5.5.0/24
+C set [Phase 1]:1.1.1.1=peer-1.1.1.1 force
+C set [peer-1.1.1.1]:Phase=1 force
+C set [peer-1.1.1.1]:Address=1.1.1.1 force
+C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force
+C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force
+C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force
+C set [from-3.3.3.0/24-to-6.6.6.0/24]:Phase=2 force
+C set [from-3.3.3.0/24-to-6.6.6.0/24]:ISAKMP-peer=peer-1.1.1.1 force
+C set [from-3.3.3.0/24-to-6.6.6.0/24]:Configuration=phase2-from-3.3.3.0/24-to-6.6.6.0/24 force
+C set [from-3.3.3.0/24-to-6.6.6.0/24]:Local-ID=from-3.3.3.0/24 force
+C set [from-3.3.3.0/24-to-6.6.6.0/24]:Remote-ID=to-6.6.6.0/24 force
+C set [phase2-from-3.3.3.0/24-to-6.6.6.0/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [phase2-from-3.3.3.0/24-to-6.6.6.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [from-3.3.3.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [from-3.3.3.0/24]:Network=3.3.3.0 force
+C set [from-3.3.3.0/24]:Netmask=255.255.255.0 force
+C set [to-6.6.6.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [to-6.6.6.0/24]:Network=6.6.6.0 force
+C set [to-6.6.6.0/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=from-3.3.3.0/24-to-6.6.6.0/24
+C set [Phase 1]:1.1.1.1=peer-1.1.1.1 force
+C set [peer-1.1.1.1]:Phase=1 force
+C set [peer-1.1.1.1]:Address=1.1.1.1 force
+C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force
+C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force
+C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force
+C set [from-3.3.3.0/24-to-7.7.7.0/24]:Phase=2 force
+C set [from-3.3.3.0/24-to-7.7.7.0/24]:ISAKMP-peer=peer-1.1.1.1 force
+C set [from-3.3.3.0/24-to-7.7.7.0/24]:Configuration=phase2-from-3.3.3.0/24-to-7.7.7.0/24 force
+C set [from-3.3.3.0/24-to-7.7.7.0/24]:Local-ID=from-3.3.3.0/24 force
+C set [from-3.3.3.0/24-to-7.7.7.0/24]:Remote-ID=to-7.7.7.0/24 force
+C set [phase2-from-3.3.3.0/24-to-7.7.7.0/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [phase2-from-3.3.3.0/24-to-7.7.7.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [from-3.3.3.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [from-3.3.3.0/24]:Network=3.3.3.0 force
+C set [from-3.3.3.0/24]:Netmask=255.255.255.0 force
+C set [to-7.7.7.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [to-7.7.7.0/24]:Network=7.7.7.0 force
+C set [to-7.7.7.0/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=from-3.3.3.0/24-to-7.7.7.0/24
+C set [Phase 1]:1.1.1.1=peer-1.1.1.1 force
+C set [peer-1.1.1.1]:Phase=1 force
+C set [peer-1.1.1.1]:Address=1.1.1.1 force
+C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force
+C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force
+C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force
+C set [from-4.4.4.0/24-to-5.5.5.0/24]:Phase=2 force
+C set [from-4.4.4.0/24-to-5.5.5.0/24]:ISAKMP-peer=peer-1.1.1.1 force
+C set [from-4.4.4.0/24-to-5.5.5.0/24]:Configuration=phase2-from-4.4.4.0/24-to-5.5.5.0/24 force
+C set [from-4.4.4.0/24-to-5.5.5.0/24]:Local-ID=from-4.4.4.0/24 force
+C set [from-4.4.4.0/24-to-5.5.5.0/24]:NAT-ID=nat-6.6.6.0/24 force
+C set [from-4.4.4.0/24-to-5.5.5.0/24]:Remote-ID=to-5.5.5.0/24 force
+C set [phase2-from-4.4.4.0/24-to-5.5.5.0/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [phase2-from-4.4.4.0/24-to-5.5.5.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [from-4.4.4.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [from-4.4.4.0/24]:Network=4.4.4.0 force
+C set [from-4.4.4.0/24]:Netmask=255.255.255.0 force
+C set [nat-6.6.6.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [nat-6.6.6.0/24]:Network=6.6.6.0 force
+C set [nat-6.6.6.0/24]:Netmask=255.255.255.0 force
+C set [to-5.5.5.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [to-5.5.5.0/24]:Network=5.5.5.0 force
+C set [to-5.5.5.0/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=from-4.4.4.0/24-to-5.5.5.0/24
+C set [Phase 1]:1.1.1.1=peer-1.1.1.1 force
+C set [peer-1.1.1.1]:Phase=1 force
+C set [peer-1.1.1.1]:Address=1.1.1.1 force
+C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force
+C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force
+C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force
+C set [from-4.4.4.0/24-to-6.6.6.0/24]:Phase=2 force
+C set [from-4.4.4.0/24-to-6.6.6.0/24]:ISAKMP-peer=peer-1.1.1.1 force
+C set [from-4.4.4.0/24-to-6.6.6.0/24]:Configuration=phase2-from-4.4.4.0/24-to-6.6.6.0/24 force
+C set [from-4.4.4.0/24-to-6.6.6.0/24]:Local-ID=from-4.4.4.0/24 force
+C set [from-4.4.4.0/24-to-6.6.6.0/24]:NAT-ID=nat-6.6.6.0/24 force
+C set [from-4.4.4.0/24-to-6.6.6.0/24]:Remote-ID=to-6.6.6.0/24 force
+C set [phase2-from-4.4.4.0/24-to-6.6.6.0/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [phase2-from-4.4.4.0/24-to-6.6.6.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [from-4.4.4.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [from-4.4.4.0/24]:Network=4.4.4.0 force
+C set [from-4.4.4.0/24]:Netmask=255.255.255.0 force
+C set [nat-6.6.6.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [nat-6.6.6.0/24]:Network=6.6.6.0 force
+C set [nat-6.6.6.0/24]:Netmask=255.255.255.0 force
+C set [to-6.6.6.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [to-6.6.6.0/24]:Network=6.6.6.0 force
+C set [to-6.6.6.0/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=from-4.4.4.0/24-to-6.6.6.0/24
+C set [Phase 1]:1.1.1.1=peer-1.1.1.1 force
+C set [peer-1.1.1.1]:Phase=1 force
+C set [peer-1.1.1.1]:Address=1.1.1.1 force
+C set [peer-1.1.1.1]:Configuration=phase1-peer-1.1.1.1 force
+C set [phase1-peer-1.1.1.1]:EXCHANGE_TYPE=ID_PROT force
+C add [phase1-peer-1.1.1.1]:Transforms=AES-SHA-RSA_SIG force
+C set [from-4.4.4.0/24-to-7.7.7.0/24]:Phase=2 force
+C set [from-4.4.4.0/24-to-7.7.7.0/24]:ISAKMP-peer=peer-1.1.1.1 force
+C set [from-4.4.4.0/24-to-7.7.7.0/24]:Configuration=phase2-from-4.4.4.0/24-to-7.7.7.0/24 force
+C set [from-4.4.4.0/24-to-7.7.7.0/24]:Local-ID=from-4.4.4.0/24 force
+C set [from-4.4.4.0/24-to-7.7.7.0/24]:NAT-ID=nat-6.6.6.0/24 force
+C set [from-4.4.4.0/24-to-7.7.7.0/24]:Remote-ID=to-7.7.7.0/24 force
+C set [phase2-from-4.4.4.0/24-to-7.7.7.0/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [phase2-from-4.4.4.0/24-to-7.7.7.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [from-4.4.4.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [from-4.4.4.0/24]:Network=4.4.4.0 force
+C set [from-4.4.4.0/24]:Netmask=255.255.255.0 force
+C set [nat-6.6.6.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [nat-6.6.6.0/24]:Network=6.6.6.0 force
+C set [nat-6.6.6.0/24]:Netmask=255.255.255.0 force
+C set [to-7.7.7.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [to-7.7.7.0/24]:Network=7.7.7.0 force
+C set [to-7.7.7.0/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=from-4.4.4.0/24-to-7.7.7.0/24
+C set [Phase 1]:3ffe::51=peer-3ffe::51 force
+C set [peer-3ffe::51]:Phase=1 force
+C set [peer-3ffe::51]:Address=3ffe::51 force
+C set [peer-3ffe::51]:Configuration=phase1-peer-3ffe::51 force
+C set [phase1-peer-3ffe::51]:EXCHANGE_TYPE=ID_PROT force
+C add [phase1-peer-3ffe::51]:Transforms=AES-SHA-RSA_SIG force
+C set [from-3ffe:1::/64-to-3ffe:2::/64]:Phase=2 force
+C set [from-3ffe:1::/64-to-3ffe:2::/64]:ISAKMP-peer=peer-3ffe::51 force
+C set [from-3ffe:1::/64-to-3ffe:2::/64]:Configuration=phase2-from-3ffe:1::/64-to-3ffe:2::/64 force
+C set [from-3ffe:1::/64-to-3ffe:2::/64]:Local-ID=from-3ffe:1::/64 force
+C set [from-3ffe:1::/64-to-3ffe:2::/64]:NAT-ID=nat-affe:1::/64 force
+C set [from-3ffe:1::/64-to-3ffe:2::/64]:Remote-ID=to-3ffe:2::/64 force
+C set [phase2-from-3ffe:1::/64-to-3ffe:2::/64]:EXCHANGE_TYPE=QUICK_MODE force
+C set [phase2-from-3ffe:1::/64-to-3ffe:2::/64]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [from-3ffe:1::/64]:ID-type=IPV6_ADDR_SUBNET force
+C set [from-3ffe:1::/64]:Network=3ffe:1:: force
+C set [from-3ffe:1::/64]:Netmask=ffff:ffff:ffff:ffff:: force
+C set [nat-affe:1::/64]:ID-type=IPV6_ADDR_SUBNET force
+C set [nat-affe:1::/64]:Network=affe:1:: force
+C set [nat-affe:1::/64]:Netmask=ffff:ffff:ffff:ffff:: force
+C set [to-3ffe:2::/64]:ID-type=IPV6_ADDR_SUBNET force
+C set [to-3ffe:2::/64]:Network=3ffe:2:: force
+C set [to-3ffe:2::/64]:Netmask=ffff:ffff:ffff:ffff:: force
+C add [Phase 2]:Passive-Connections=from-3ffe:1::/64-to-3ffe:2::/64
diff --git a/regress/sbin/ipsecctl/ikefail13.in b/regress/sbin/ipsecctl/ikefail13.in
new file mode 100644
index 00000000000..c6b2385ca4f
--- /dev/null
+++ b/regress/sbin/ipsecctl/ikefail13.in
@@ -0,0 +1,2 @@
+# invalid NAT flow combinations
+ike from 192.168.1.0/24 (1::2/24) to 172.16.0.0/12 peer 5.5.5.5
diff --git a/regress/sbin/ipsecctl/ikefail13.ok b/regress/sbin/ipsecctl/ikefail13.ok
new file mode 100644
index 00000000000..8a9aeec7194
--- /dev/null
+++ b/regress/sbin/ipsecctl/ikefail13.ok
@@ -0,0 +1,2 @@
+stdin: 2: Flow NAT address family mismatch
+ipsecctl: Syntax error in config file: ipsec rules not loaded
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-24 09:31:25 +0000