ipsec conftest


ipsec conftest --help         show usage information
ipsec conftest --version      show conftest version
ipsec conftest --suite <file> global testsuite configuration (default: ./suite.conf)
ipsec conftest --test <file>  test specific configuration


The ipsec conftest command allows you to run preconfigured tests on IKE, based on the mainstream strongSwan stack. It can inject or mangle packets to test the behavior of other implementations under certain conditions.

To enable the command, add

to the ./configure options.


A test suite consists of a suite configuration file (--suite parameter) and individual test configurations (selected by the --test parameter), which use the same structure as strongswan.conf. To configure plugins, a conftest section in strongswan.conf can be used.

The README file in the conftest source has details on the possible configuration sections and options.

Specifying Host IDs

When using a certificate DN as left|rightid in ipsec.conf, the DN is enclosed in quotation marks, as in the following example:

conn sample-with-ca-cert
    rightid="C=CH, O=Linux strongSwan, CN=peer name"

However, the equivalent options l|rid in a conftest suite or test configuration must be written without quotation marks; otherwise there will be authentication errors.

configs {
    ike-sample-a {
        rid = C=CH, O=Linux strongSwan, CN=peer name
    }
}
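
A small check for the quoting pitfall described above, added here as an example (it is not part of strongSwan or conftest): it scans a suite or test configuration in strongswan.conf-style syntax and reports every lid/rid value that is wrapped in quotation marks. The function name and the sample configuration are constructed for illustration, and the parser assumes one `name {`, `}` or `key = value` per line with `#` comments.

```python
import re

ID_KEYS = {"lid", "rid"}  # conftest equivalents of leftid/rightid
QUOTES = ('"', "'")

def find_quoted_ids(text):
    """Return (line_no, section_path, key, value) for each quoted lid/rid."""
    findings = []
    path = []  # stack of currently open section names
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        if not line:
            continue
        opened = re.fullmatch(r"([\w-]+)\s*\{", line)
        if opened:
            path.append(opened.group(1))
            continue
        if line == "}":
            if path:
                path.pop()
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        key, value = key.strip(), value.strip()
        if (sep and key in ID_KEYS and len(value) >= 2
                and value[0] in QUOTES and value[-1] == value[0]):
            findings.append((line_no, ".".join(path), key, value))
    return findings

# Constructed sample: one quoted rid (would fail authentication), two correct IDs.
SAMPLE = """\
configs {
    ike-sample-a {
        lid = C=CH, O=Example, CN=local
        rid = "C=CH, O=Example, CN=peer"
    }
    ike-sample-b {
        rid = C=CH, O=Example, CN=peer
    }
}
"""

if __name__ == "__main__":
    for line_no, section, key, value in find_quoted_ids(SAMPLE):
        print(f"line {line_no}: {section}.{key} must not be quoted: {value}")
```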