Add tests with the ipsec.conf SA bundle keyword.

Add tests for SA grouped in bundles.

Allow to override location of ipsecctl tool with IPSECCTL environment.
Useful for development testing without make install.

AES-CTR, AES-GCM, AES-GMAC are disallowed with manual SAs

Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' ->
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@
and tech@ postings, many by Brad Tilley.

Add regress tests with IPv4 and IPv6 addresses for the srcid and/or dstid.

ok hshoexer@

If the "peer" address is not specified or derived from "to" for
"ike" rules in ipsec.conf, the default peer is used. In theory
ipsecctl -f ipsec.conf can configure the default peer for each "ike"
entry. As isakmpd only supports one default peer, the last "ike"
rule that uses a default peer wins. This configuration is then
significant for all "ike" rules that use the default peer.

Now a warning is printed if a later rule in ipsec.conf changes the
configuration of the original default peer. This should be an error
but that would break existing user configs. So only a warning is
printed.

ok hshoexer@, todd@

Remove ikefail10 ipsecctl regression test as it always fails. It
was expecting a certain parser error message. Accepting the ikefail10
config file is not considered to be a bug anymore.

ok hshoexer@

Allow to specify ike and flow explicitly without peer. The any
keyword as argument for the peer parameter will do that. An ike
without peer creates the peer-default config. A flow without peer
acquires a host-to-host SA.

tested by grunk@, todd@, ok grunk@, hshoexer@, todd@

Regression tests for source flow NAT support.
OK hshoexer@, markus@.

add regression test for aes-{128,192,256} being used with main and quick
mode.

If multiple to addresses but no peer are given in an ike or flow
rule, the current to address is taken as peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer

Add a regression test for handling addresses with trailing '/32' and address
type IPV4_ADDR.

Do not crash when lists include the "any" keyword. Reported by
<ralf.horstmann at gmx.net>, thanks!

Slightly different fix. Also add a regression test.

ok mpf@

move autodetection of the ID type to the parser. this way the
static flows have the correct ID, too. ok hshoexer, reyk

we have to use '-k' now to show keys.

allow rule if there is at least _one_ matching address family combination.
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address.
ok itojun@, hshoexer@

don't pass -1 as a netmask; report vicviq at gmail.com

add comment on how to update the *.ok files; ok hshoexer@

Add some regression tests for odd ipsecctl behaviour noticed by
Prabhu Gurumurt. Test ikefail10 should fail, but does not and needs
to be fixed.

Test for an as yet unresolved problem:
If list expansion produces peer pairings between different address
families, this should be an error.

Suggested by and ok hshoexer@

Add support for IKE AH rules to ipsecctl. Man page input by jmc@.
ok hshoexer@

tests similar to ike49 and ike50, but with ipv6 addresses.

yet another test.

new tests for default peer usage

update and enable that test

The ike/ikedel tests 48 to 50 do net exist yet. They will be needed
for stuff that will soon be commited. In the meanwhile disable
them. Noticed by david@, thanks!

adopt to recent changes

Add a bunch of test for deletion of ike rules, add a test for "to
any" rules without a peer specified. These tests resulted in the
recent fix in ipsecctl/ike.c.

add safail2

really, this is the correct *.ok output, what was generated in the past was
due to recently fixed code
move some ike?? to ikefail?

Add a transport mode specifier to ike rules. Tunnel mode remains the default.
"looks right" hshoexer@

Add tests for a tiny regression I've just found

check port modifiers in ike rules

enable all ike tests, even though some of them are currently broken.

new test for setting lifetimes

check port modifiers in flow rules; ok hshoexer@

fix this test, too.

fix this tests. Enable a bunch of new sa tests

add some regress for v6; ok hshoexer@

tests for rule expansion and ike

tests for rule expansion

adopt to recent changes and add some more tests

regression tests for "local"

connect tests for transport mode

forgot those in previous commit...

allow specification of encapsulated protocol for ike; ok hshoexer

allow specification of encapsulated protocol for flows; ok hshoexer

add regress tests for dynamic, bypass, deny and the macros.

inspired my markus last commit, ok hshoexer@

allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk

First simple regression tests for invalid rules

ipip support: ip-in-ip w/o gif(4); ok hshoexer

test for swapped rules

add a regression test for ipcomp

Regression tests for "any" keyword.

enable tests for isakmp/ike

Make sure, tests using "file" work when obj/ directory is present.

Make tests more readable by using predefined keyfiles. Add test for tcpmd5
using a key from a file.

test for SAs

no test "ipsec13" yet

some simple regression tests for static keying

Some basic regression tests for ipsecctl, not connected yet.