ipsec conftest Tool


ipsec conftest --help         show usage information

ipsec conftest --version      show conftest version

ipsec conftest --suite <file> global testsuite configuration (default: ./suite.conf)

ipsec conftest --test <file>  test specific configuration


The ipsec conftest utility allows you to run preconfigured tests on IKE, based on the mainstream strongSwan stack. It can inject or mangle packets to test the behavior of other implementations under certain conditions.

The auxiliary ipsec command, if available, sets the execution path to ${libexecdir}/ipsec/ which is usually /usr/libexec/ipsec/ or /usr/local/libexec/ipsec/. The ${libexecdir} directory can be configured with the --libexecdir ./configure option defaulting to ${prefix}/libexec).

To enable the ipsec conftest utility, add


to the ./configure options.


A test suite consists of a suite configuration file (--suite parameter) and individual test configurations (selected by the --test parameter) which use the same structure as strongswan.conf. To configure plugins, a conftest section in strongswan.conf can be used.

The README file in the conftest source has details on the possible configuration sections and options.

Specifying Host IDs

When using certificate DN as leftid|rightid in ipsec.conf, the DN is enclosed in quotation marks, like in the following example:

conn sample-with-ca-cert
  rightid="C=CH, O=Linux strongSwan, CN=peer name"

However the equivalent options lid|rid in a conftest suite or test configuration must be written without quotation marks, otherwise there will be authentication errors.

configs {
  ike-sample-a {
    rid = C=CH, O=Linux strongSwan, CN=peer name