--- /dev/null
+This scenario enables IPComp compression between roadwarrior <b>carol</b> and
+gateway <b>moon</b>. Two IPv6 ICMP requests from <b>carol</b> to <b>alice</b>
+check the established tunnel with compression. The packet sizes are different
+because the kernel does not compress small packets.<br/>
+<b>Note:</b> The kernel applies IPComp after fragmenting the original packet
+according to the MTU. Also, because <b>alice</b> does not know about the IPsec
+tunnel between <b>moon</b> and <b>carol</b> the response to the first ICMP
+request is fragmented in too large fragments and <b>moon</b> sends back ICMPs
+with type 2 to notify <b>alice</b> about this (Path MTU Discovery).
+The second ping is then answered successfully.
--- /dev/null
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
+moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
+moon:: ip xfrm state::proto comp spi::YES
+carol::ip xfrm state::proto comp spi::YES
+# send two pings because the first is lost due to Path MTU Discovery between alice and moon
+carol::ping6 -c 2 -W 1 -s 8184 -p deadbeef ip6-alice.strongswan.org::8192 bytes from ip6-alice.strongswan.org::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org::YES
+moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+ cacert=strongswanCert.pem
+ crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ compress=yes
+ leftfirewall=yes
+
+conn home
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP6_MOON
+ rightsubnet=fec1::/16
+ rightid=@moon.strongswan.org
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+ cacert=strongswanCert.pem
+ crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ compress=yes
+ leftfirewall=yes
+
+conn rw
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=fec1::/16
+ right=%any
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
--- /dev/null
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+alice::"ip route del fec0:\:/16 via fec1:\:1"
+carol::"ip route del fec1:\:/16 via fec0:\:1"
--- /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+# enable Path MTU Discovery
+moon::ip6tables -I OUTPUT 1 -o eth1 -p icmpv6 --icmpv6-type 2 -j ACCEPT
+alice::"ip route add fec0:\:/16 via fec1:\:1"
+carol::"ip route add fec1:\:/16 via fec0:\:1"
+moon::ipsec start
+carol::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+carol::ipsec up home
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-ip6.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+