Code Review / vpp.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: 3871bd3)
ipsec: Fix setting the hi-sequence number for decrypt 38/32938/3
authorNeale Ranns <neale@graphiant.com>
Mon, 28 Jun 2021 13:31:28 +0000 (13:31 +0000)
committerBeno�t Ganne <bganne@cisco.com>
Tue, 29 Jun 2021 17:12:28 +0000 (17:12 +0000)
Type: fix

two problems;
 1 - just because anti-reply is not enabled doesn't mean the high sequence
number should not be used.
   - fix, there needs to be some means to detect a wrapped packet, so we
use a window size of 2^30.
 2 - The SA object was used as a scratch pad for the high-sequence
number used during decryption. That means that once the batch has been
processed the high-sequence number used is lost. This means it is not
possible to distinguish this case:
      if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (tl))
{
  ...
  if (post_decrypt)
    {
      if (hi_seq_used == sa->seq_hi)
/* the high sequence number used to succesfully decrypt this
 * packet is the same as the last-sequnence number of the SA.
 * that means this packet did not cause a wrap.
 * this packet is thus out of window and should be dropped */
return 1;
      else
/* The packet decrypted with a different high sequence number
 * to the SA, that means it is the wrap packet and should be
 * accepted */
return 0;
    }
  - fix: don't use the SA as a scratch pad, use the 'packet_data' - the
same place that is used as the scratch pad for the low sequence number.

other consequences:
 - An SA doesn't have seq and last_seq, it has only seq; the sequence
numnber of the last packet tx'd or rx'd.
 - there's 64bits of space available on the SA's first cache line. move
the AES CTR mode IV there.
 - test the ESN/AR combinations to catch the bugs this fixes. This
doubles the amount of tests, but without AR on they only run for 2
seconds. In the AR tests, the time taken to wait for packets that won't
arrive is dropped from 1 to 0.2 seconds thus reducing the runtime of
these tests from 10-15 to about 5 sceonds.

Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Iaac78905289a272dc01930d70decd8109cf5e7a5

src/vnet/ipsec/ah_decrypt.c patch | blob | history
src/vnet/ipsec/esp.h patch | blob | history
src/vnet/ipsec/esp_decrypt.c patch | blob | history
src/vnet/ipsec/esp_encrypt.c patch | blob | history
src/vnet/ipsec/ipsec_api.c patch | blob | history
src/vnet/ipsec/ipsec_format.c patch | blob | history
src/vnet/ipsec/ipsec_sa.h patch | blob | history
test/template_ipsec.py patch | blob | history
test/test_ipsec_esp.py patch | blob | history

diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c
index d192fb6..182ed3d 100644 (file)
--- a/src/vnet/ipsec/ah_decrypt.c
+++ b/src/vnet/ipsec/ah_decrypt.c
@@ -98,6 +98,7 @@ typedef struct
   };
   u32 sa_index;
   u32 seq;
+  u32 seq_hi;
   u8 icv_padding_len;
   u8 icv_size;
   u8 ip_hdr_size;
@@ -221,7 +222,8 @@ ah_decrypt_inline (vlib_main_t * vm,
       pd->seq = clib_host_to_net_u32 (ah0->seq_no);
 
       /* anti-replay check */
-      if (ipsec_sa_anti_replay_check (sa0, pd->seq))
+      if (ipsec_sa_anti_replay_and_sn_advance (sa0, pd->seq, ~0, false,
+                                              &pd->seq_hi))
        {
          b[0]->error = node->errors[AH_DECRYPT_ERROR_REPLAY];
          next[0] = AH_DECRYPT_NEXT_DROP;
@@ -257,7 +259,7 @@ ah_decrypt_inline (vlib_main_t * vm,
          op->user_data = b - bufs;
          if (ipsec_sa_is_set_USE_ESN (sa0))
            {
-             u32 seq_hi = clib_host_to_net_u32 (sa0->seq_hi);
+             u32 seq_hi = clib_host_to_net_u32 (pd->seq_hi);
 
              op->len += sizeof (seq_hi);
              clib_memcpy (op->src + b[0]->current_length, &seq_hi,
@@ -322,13 +324,14 @@ ah_decrypt_inline (vlib_main_t * vm,
       if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE))
        {
          /* redo the anit-reply check. see esp_decrypt for details */
-         if (ipsec_sa_anti_replay_check (sa0, pd->seq))
+         if (ipsec_sa_anti_replay_and_sn_advance (sa0, pd->seq, pd->seq_hi,
+                                                  true, NULL))
            {
              b[0]->error = node->errors[AH_DECRYPT_ERROR_REPLAY];
              next[0] = AH_DECRYPT_NEXT_DROP;
              goto trace;
            }
-         ipsec_sa_anti_replay_advance (sa0, pd->seq);
+         ipsec_sa_anti_replay_advance (sa0, pd->seq, pd->seq_hi);
        }
 
       u16 ah_hdr_len = sizeof (ah_header_t) + pd->icv_size
diff --git a/src/vnet/ipsec/esp.h b/src/vnet/ipsec/esp.h
index a0643c3..d179233 100644 (file)
--- a/src/vnet/ipsec/esp.h
+++ b/src/vnet/ipsec/esp.h
@@ -118,7 +118,8 @@ esp_seq_advance (ipsec_sa_t * sa)
 }
 
 always_inline u16
-esp_aad_fill (u8 * data, const esp_header_t * esp, const ipsec_sa_t * sa)
+esp_aad_fill (u8 *data, const esp_header_t *esp, const ipsec_sa_t *sa,
+             u32 seq_hi)
 {
   esp_aead_t *aad;
 
@@ -128,7 +129,7 @@ esp_aad_fill (u8 * data, const esp_header_t * esp, const ipsec_sa_t * sa)
   if (ipsec_sa_is_set_USE_ESN (sa))
     {
       /* SPI, seq-hi, seq-low */
-      aad->data[1] = (u32) clib_host_to_net_u32 (sa->seq_hi);
+      aad->data[1] = (u32) clib_host_to_net_u32 (seq_hi);
       aad->data[2] = esp->seq;
       return 12;
     }
@@ -199,7 +200,7 @@ typedef struct
   i16 current_length;
   u16 hdr_sz;
   u16 is_chain;
-  u32 protect_index;
+  u32 seq_hi;
 } esp_decrypt_packet_data_t;
 
 STATIC_ASSERT_SIZEOF (esp_decrypt_packet_data_t, 3 * sizeof (u64));
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index ec6d981..b700f2c 100644 (file)
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -92,10 +92,14 @@ typedef struct
   u32 seq;
   u32 sa_seq;
   u32 sa_seq_hi;
+  u32 pkt_seq_hi;
   ipsec_crypto_alg_t crypto_alg;
   ipsec_integ_alg_t integ_alg;
 } esp_decrypt_trace_t;
 
+/* The number of byres in the hisequence number */
+#define N_HI_ESN_BYTES 4
+
 /* packet trace format function */
 static u8 *
 format_esp_decrypt_trace (u8 * s, va_list * args)
@@ -104,11 +108,11 @@ format_esp_decrypt_trace (u8 * s, va_list * args)
   CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
   esp_decrypt_trace_t *t = va_arg (*args, esp_decrypt_trace_t *);
 
-  s =
-    format (s,
-           "esp: crypto %U integrity %U pkt-seq %d sa-seq %u sa-seq-hi %u",
-           format_ipsec_crypto_alg, t->crypto_alg, format_ipsec_integ_alg,
-           t->integ_alg, t->seq, t->sa_seq, t->sa_seq_hi);
+  s = format (s,
+             "esp: crypto %U integrity %U pkt-seq %d sa-seq %u sa-seq-hi %u "
+             "pkt-seq-hi %u",
+             format_ipsec_crypto_alg, t->crypto_alg, format_ipsec_integ_alg,
+             t->integ_alg, t->seq, t->sa_seq, t->sa_seq_hi, t->pkt_seq_hi);
   return s;
 }
 
@@ -235,40 +239,41 @@ esp_move_icv (vlib_main_t * vm, vlib_buffer_t * first,
   return lb_curr;
 }
 
-static_always_inline i16
-esp_insert_esn (vlib_main_t * vm, ipsec_sa_t * sa,
-               esp_decrypt_packet_data2_t * pd2, u32 * data_len,
-               u8 ** digest, u16 * len, vlib_buffer_t * b, u8 * payload)
+static_always_inline u16
+esp_insert_esn (vlib_main_t *vm, ipsec_sa_t *sa, esp_decrypt_packet_data_t *pd,
+               esp_decrypt_packet_data2_t *pd2, u32 *data_len, u8 **digest,
+               u16 *len, vlib_buffer_t *b, u8 *payload)
 {
   if (!ipsec_sa_is_set_USE_ESN (sa))
     return 0;
-
   /* shift ICV by 4 bytes to insert ESN */
-  u32 seq_hi = clib_host_to_net_u32 (sa->seq_hi);
-  u8 tmp[ESP_MAX_ICV_SIZE], sz = sizeof (sa->seq_hi);
+  u32 seq_hi = clib_host_to_net_u32 (pd->seq_hi);
+  u8 tmp[ESP_MAX_ICV_SIZE];
 
   if (pd2->icv_removed)
     {
       u16 space_left = vlib_buffer_space_left_at_end (vm, pd2->lb);
-      if (space_left >= sz)
+      if (space_left >= N_HI_ESN_BYTES)
        {
-         clib_memcpy_fast (vlib_buffer_get_tail (pd2->lb), &seq_hi, sz);
-         *data_len += sz;
+         clib_memcpy_fast (vlib_buffer_get_tail (pd2->lb), &seq_hi,
+                           N_HI_ESN_BYTES);
+         *data_len += N_HI_ESN_BYTES;
        }
       else
-       return sz;
+       return N_HI_ESN_BYTES;
 
       len[0] = b->current_length;
     }
   else
     {
       clib_memcpy_fast (tmp, payload + len[0], ESP_MAX_ICV_SIZE);
-      clib_memcpy_fast (payload + len[0], &seq_hi, sz);
-      clib_memcpy_fast (payload + len[0] + sz, tmp, ESP_MAX_ICV_SIZE);
-      *data_len += sz;
-      *digest += sz;
+      clib_memcpy_fast (payload + len[0], &seq_hi, N_HI_ESN_BYTES);
+      clib_memcpy_fast (payload + len[0] + N_HI_ESN_BYTES, tmp,
+                       ESP_MAX_ICV_SIZE);
+      *data_len += N_HI_ESN_BYTES;
+      *digest += N_HI_ESN_BYTES;
     }
-  return sz;
+  return N_HI_ESN_BYTES;
 }
 
 static_always_inline u8 *
@@ -284,14 +289,14 @@ esp_move_icv_esn (vlib_main_t * vm, vlib_buffer_t * first,
 
   if (ipsec_sa_is_set_USE_ESN (sa))
     {
-      u8 sz = sizeof (sa->seq_hi);
-      u32 seq_hi = clib_host_to_net_u32 (sa->seq_hi);
+      u32 seq_hi = clib_host_to_net_u32 (pd->seq_hi);
       u16 space_left = vlib_buffer_space_left_at_end (vm, pd2->lb);
 
-      if (space_left >= sz)
+      if (space_left >= N_HI_ESN_BYTES)
        {
-         clib_memcpy_fast (vlib_buffer_get_tail (pd2->lb), &seq_hi, sz);
-         *len += sz;
+         clib_memcpy_fast (vlib_buffer_get_tail (pd2->lb), &seq_hi,
+                           N_HI_ESN_BYTES);
+         *len += N_HI_ESN_BYTES;
        }
       else
        {
@@ -299,7 +304,8 @@ esp_move_icv_esn (vlib_main_t * vm, vlib_buffer_t * first,
           * (with ICV data) */
          ASSERT (pd2->icv_removed);
          vlib_buffer_t *tmp = vlib_get_buffer (vm, pd2->free_buffer_index);
-         clib_memcpy_fast (vlib_buffer_get_current (tmp) - sz, &seq_hi, sz);
+         clib_memcpy_fast (vlib_buffer_get_current (tmp) - N_HI_ESN_BYTES,
+                           &seq_hi, N_HI_ESN_BYTES);
          extra_esn[0] = 1;
        }
     }
@@ -307,11 +313,12 @@ esp_move_icv_esn (vlib_main_t * vm, vlib_buffer_t * first,
 }
 
 static_always_inline int
-esp_decrypt_chain_integ (vlib_main_t * vm, ipsec_per_thread_data_t * ptd,
-                        esp_decrypt_packet_data2_t * pd2,
-                        ipsec_sa_t * sa0, vlib_buffer_t * b, u8 icv_sz,
-                        u8 * start_src, u32 start_len,
-                        u8 ** digest, u16 * n_ch, u32 * integ_total_len)
+esp_decrypt_chain_integ (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
+                        const esp_decrypt_packet_data_t *pd,
+                        esp_decrypt_packet_data2_t *pd2, ipsec_sa_t *sa0,
+                        vlib_buffer_t *b, u8 icv_sz, u8 *start_src,
+                        u32 start_len, u8 **digest, u16 *n_ch,
+                        u32 *integ_total_len)
 {
   vnet_crypto_op_chunk_t *ch;
   vlib_buffer_t *cb = vlib_get_buffer (vm, b->next_buffer);
@@ -334,19 +341,19 @@ esp_decrypt_chain_integ (vlib_main_t * vm, ipsec_per_thread_data_t * ptd,
            ch->len = cb->current_length - icv_sz;
          if (ipsec_sa_is_set_USE_ESN (sa0))
            {
-             u32 seq_hi = clib_host_to_net_u32 (sa0->seq_hi);
-             u8 tmp[ESP_MAX_ICV_SIZE], sz = sizeof (sa0->seq_hi);
+             u32 seq_hi = clib_host_to_net_u32 (pd->seq_hi);
+             u8 tmp[ESP_MAX_ICV_SIZE];
              u8 *esn;
              vlib_buffer_t *tmp_b;
              u16 space_left = vlib_buffer_space_left_at_end (vm, pd2->lb);
-             if (space_left < sz)
+             if (space_left < N_HI_ESN_BYTES)
                {
                  if (pd2->icv_removed)
                    {
                      /* use pre-data area from the last bufer
                         that was removed from the chain */
                      tmp_b = vlib_get_buffer (vm, pd2->free_buffer_index);
-                     esn = tmp_b->data - sz;
+                     esn = tmp_b->data - N_HI_ESN_BYTES;
                    }
                  else
                    {
@@ -358,28 +365,29 @@ esp_decrypt_chain_integ (vlib_main_t * vm, ipsec_per_thread_data_t * ptd,
                      esn = tmp_b->data;
                      pd2->free_buffer_index = tmp_bi;
                    }
-                 clib_memcpy_fast (esn, &seq_hi, sz);
+                 clib_memcpy_fast (esn, &seq_hi, N_HI_ESN_BYTES);
 
                  vec_add2 (ptd->chunks, ch, 1);
                  n_chunks += 1;
                  ch->src = esn;
-                 ch->len = sz;
+                 ch->len = N_HI_ESN_BYTES;
                }
              else
                {
                  if (pd2->icv_removed)
                    {
-                     clib_memcpy_fast (vlib_buffer_get_tail
-                                       (pd2->lb), &seq_hi, sz);
+                     clib_memcpy_fast (vlib_buffer_get_tail (pd2->lb),
+                                       &seq_hi, N_HI_ESN_BYTES);
                    }
                  else
                    {
                      clib_memcpy_fast (tmp, *digest, ESP_MAX_ICV_SIZE);
-                     clib_memcpy_fast (*digest, &seq_hi, sz);
-                     clib_memcpy_fast (*digest + sz, tmp, ESP_MAX_ICV_SIZE);
-                     *digest += sz;
+                     clib_memcpy_fast (*digest, &seq_hi, N_HI_ESN_BYTES);
+                     clib_memcpy_fast (*digest + N_HI_ESN_BYTES, tmp,
+                                       ESP_MAX_ICV_SIZE);
+                     *digest += N_HI_ESN_BYTES;
                    }
-                 ch->len += sz;
+                 ch->len += N_HI_ESN_BYTES;
                }
            }
          total_len += ch->len;
@@ -540,7 +548,7 @@ esp_decrypt_prepare_sync_op (vlib_main_t * vm, vlib_node_runtime_t * node,
 
          op->flags |= VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS;
          op->chunk_index = vec_len (ptd->chunks);
-         if (esp_decrypt_chain_integ (vm, ptd, pd2, sa0, b, icv_sz,
+         if (esp_decrypt_chain_integ (vm, ptd, pd, pd2, sa0, b, icv_sz,
                                       payload, pd->current_length,
                                       &op->digest, &op->n_chunks, 0) < 0)
            {
@@ -550,7 +558,7 @@ esp_decrypt_prepare_sync_op (vlib_main_t * vm, vlib_node_runtime_t * node,
            }
        }
       else
-       esp_insert_esn (vm, sa0, pd2, &op->len, &op->digest, &len, b,
+       esp_insert_esn (vm, sa0, pd, pd2, &op->len, &op->digest, &len, b,
                        payload);
     out:
       vec_add_aligned (*(integ_ops[0]), op, 1, CLIB_CACHE_LINE_BYTES);
@@ -576,7 +584,7 @@ esp_decrypt_prepare_sync_op (vlib_main_t * vm, vlib_node_runtime_t * node,
              /* constuct aad in a scratch space in front of the nonce */
              esp_header_t *esp0 = (esp_header_t *) (payload - esp_sz);
              op->aad = (u8 *) nonce - sizeof (esp_aead_t);
-             op->aad_len = esp_aad_fill (op->aad, esp0, sa0);
+             op->aad_len = esp_aad_fill (op->aad, esp0, sa0, pd->seq_hi);
              op->tag = payload + len;
              op->tag_len = 16;
            }
@@ -617,7 +625,6 @@ esp_decrypt_prepare_async_frame (vlib_main_t *vm, vlib_node_runtime_t *node,
                                 vlib_buffer_t *b, u16 *next, u16 async_next)
 {
   const u8 esp_sz = sizeof (esp_header_t);
-  u32 current_protect_index = vnet_buffer (b)->ipsec.protect_index;
   esp_decrypt_packet_data_t *async_pd = &(esp_post_data (b))->decrypt_data;
   esp_decrypt_packet_data2_t *async_pd2 = esp_post_data2 (b);
   u8 *tag = payload + len, *iv = payload + esp_sz, *aad = 0;
@@ -671,16 +678,16 @@ esp_decrypt_prepare_async_frame (vlib_main_t *vm, vlib_node_runtime_t *node,
            tag = vlib_buffer_get_tail (pd2->lb) - icv_sz;
 
          flags |= VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS;
-         if (esp_decrypt_chain_integ (vm, ptd, pd2, sa0, b, icv_sz, payload,
-                                      pd->current_length, &tag,
-                                      0, &integ_len) < 0)
+         if (esp_decrypt_chain_integ (vm, ptd, pd, pd2, sa0, b, icv_sz,
+                                      payload, pd->current_length, &tag, 0,
+                                      &integ_len) < 0)
            {
              /* allocate buffer failed, will not add to frame and drop */
              return (ESP_DECRYPT_ERROR_NO_BUFFERS);
            }
        }
       else
-       esp_insert_esn (vm, sa0, pd2, &integ_len, &tag, &len, b, payload);
+       esp_insert_esn (vm, sa0, pd, pd2, &integ_len, &tag, &len, b, payload);
     }
   else
     key_index = sa0->crypto_key_index;
@@ -701,7 +708,7 @@ out:
          /* constuct aad in a scratch space in front of the nonce */
          esp_header_t *esp0 = (esp_header_t *) (payload - esp_sz);
          aad = (u8 *) nonce - sizeof (esp_aead_t);
-         esp_aad_fill (aad, esp0, sa0);
+         esp_aad_fill (aad, esp0, sa0, pd->seq_hi);
          tag = payload + len;
        }
       else
@@ -730,7 +737,6 @@ out:
 
   *async_pd = *pd;
   *async_pd2 = *pd2;
-  pd->protect_index = current_protect_index;
 
   /* for AEAD integ_len - crypto_len will be negative, it is ok since it
    * is ignored by the engine. */
@@ -776,14 +782,15 @@ esp_decrypt_post_crypto (vlib_main_t * vm, vlib_node_runtime_t * node,
    * a sequence s, s+1, s+2, s+3, ... s+n and nothing will prevent any
    * implementation, sequential or batching, from decrypting these.
    */
-  if (ipsec_sa_anti_replay_check (sa0, pd->seq))
+  if (ipsec_sa_anti_replay_and_sn_advance (sa0, pd->seq, pd->seq_hi, true,
+                                          NULL))
     {
       b->error = node->errors[ESP_DECRYPT_ERROR_REPLAY];
       next[0] = ESP_DECRYPT_NEXT_DROP;
       return;
     }
 
-  ipsec_sa_anti_replay_advance (sa0, pd->seq);
+  ipsec_sa_anti_replay_advance (sa0, pd->seq, pd->seq_hi);
 
   if (pd->is_chain)
     {
@@ -968,12 +975,8 @@ esp_decrypt_post_crypto (vlib_main_t * vm, vlib_node_runtime_t * node,
               */
              const ipsec_tun_protect_t *itp;
 
-             if (is_async)
-               itp = ipsec_tun_protect_get (pd->protect_index);
-             else
-               itp =
-                 ipsec_tun_protect_get (vnet_buffer (b)->
-                                        ipsec.protect_index);
+             itp =
+               ipsec_tun_protect_get (vnet_buffer (b)->ipsec.protect_index);
 
              if (PREDICT_TRUE (next_header == IP_PROTOCOL_IP_IN_IP))
                {
@@ -1148,7 +1151,8 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
       pd->current_length = b[0]->current_length;
 
       /* anti-reply check */
-      if (ipsec_sa_anti_replay_check (sa0, pd->seq))
+      if (ipsec_sa_anti_replay_and_sn_advance (sa0, pd->seq, ~0, false,
+                                              &pd->seq_hi))
        {
          err = ESP_DECRYPT_ERROR_REPLAY;
          esp_set_next_index (b[0], node, err, n_noop, noop_nexts,
@@ -1306,8 +1310,9 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
          tr->crypto_alg = sa0->crypto_alg;
          tr->integ_alg = sa0->integ_alg;
          tr->seq = pd->seq;
-         tr->sa_seq = sa0->last_seq;
+         tr->sa_seq = sa0->seq;
          tr->sa_seq_hi = sa0->seq_hi;
+         tr->pkt_seq_hi = pd->seq_hi;
        }
 
       /* next */
@@ -1374,7 +1379,7 @@ esp_decrypt_post_inline (vlib_main_t * vm,
          tr->crypto_alg = sa0->crypto_alg;
          tr->integ_alg = sa0->integ_alg;
          tr->seq = pd->seq;
-         tr->sa_seq = sa0->last_seq;
+         tr->sa_seq = sa0->seq;
          tr->sa_seq_hi = sa0->seq_hi;
        }
 
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index 68aeb60..da9c56a 100644 (file)
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -379,7 +379,7 @@ esp_encrypt_chain_integ (vlib_main_t * vm, ipsec_per_thread_data_t * ptd,
 always_inline void
 esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
                     vnet_crypto_op_t **crypto_ops,
-                    vnet_crypto_op_t **integ_ops, ipsec_sa_t *sa0,
+                    vnet_crypto_op_t **integ_ops, ipsec_sa_t *sa0, u32 seq_hi,
                     u8 *payload, u16 payload_len, u8 iv_sz, u8 icv_sz, u32 bi,
                     vlib_buffer_t **b, vlib_buffer_t *lb, u32 hdr_len,
                     esp_header_t *esp)
@@ -408,7 +408,7 @@ esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
            {
              /* constuct aad in a scratch space in front of the nonce */
              op->aad = (u8 *) nonce - sizeof (esp_aead_t);
-             op->aad_len = esp_aad_fill (op->aad, esp, sa0);
+             op->aad_len = esp_aad_fill (op->aad, esp, sa0, seq_hi);
              op->tag = payload + op->len;
              op->tag_len = 16;
            }
@@ -465,8 +465,8 @@ esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
        }
       else if (ipsec_sa_is_set_USE_ESN (sa0))
        {
-         u32 seq_hi = clib_net_to_host_u32 (sa0->seq_hi);
-         clib_memcpy_fast (op->digest, &seq_hi, sizeof (seq_hi));
+         u32 tmp = clib_net_to_host_u32 (seq_hi);
+         clib_memcpy_fast (op->digest, &tmp, sizeof (seq_hi));
          op->len += sizeof (seq_hi);
        }
     }
@@ -508,7 +508,7 @@ esp_prepare_async_frame (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
        {
          /* constuct aad in a scratch space in front of the nonce */
          aad = (u8 *) nonce - sizeof (esp_aead_t);
-         esp_aad_fill (aad, esp, sa);
+         esp_aad_fill (aad, esp, sa, sa->seq_hi);
          key_index = sa->crypto_key_index;
        }
       else
@@ -956,9 +956,9 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
                                   async_next_node, lb);
        }
       else
-       esp_prepare_sync_op (vm, ptd, crypto_ops, integ_ops, sa0, payload,
-                            payload_len, iv_sz, icv_sz, n_sync, b, lb,
-                            hdr_len, esp);
+       esp_prepare_sync_op (vm, ptd, crypto_ops, integ_ops, sa0, sa0->seq_hi,
+                            payload, payload_len, iv_sz, icv_sz, n_sync, b,
+                            lb, hdr_len, esp);
 
       vlib_buffer_advance (b[0], 0LL - hdr_len);
 
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 73f4474..11bfa41 100644 (file)
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -826,11 +826,11 @@ send_ipsec_sa_details (ipsec_sa_t * sa, void *arg)
     }
 
   mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
-  mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
+  mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->seq));
   if (ipsec_sa_is_set_USE_ESN (sa))
     {
       mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
-      mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
+      mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
     }
   if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
     mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
@@ -913,11 +913,11 @@ send_ipsec_sa_v2_details (ipsec_sa_t * sa, void *arg)
   mp->entry.dscp = ip_dscp_encode (sa->tunnel.t_dscp);
 
   mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
-  mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
+  mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->seq));
   if (ipsec_sa_is_set_USE_ESN (sa))
     {
       mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
-      mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
+      mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
     }
   if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
     mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
@@ -993,11 +993,11 @@ send_ipsec_sa_v3_details (ipsec_sa_t *sa, void *arg)
     }
 
   mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
-  mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
+  mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->seq));
   if (ipsec_sa_is_set_USE_ESN (sa))
     {
       mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
-      mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
+      mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
     }
   if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
     mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index b67c11d..5f7caab 100644 (file)
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -293,9 +293,8 @@ format_ipsec_sa (u8 * s, va_list * args)
   s = format (s, "\n   salt 0x%x", clib_net_to_host_u32 (sa->salt));
   s = format (s, "\n   thread-index:%d", sa->thread_index);
   s = format (s, "\n   seq %u seq-hi %u", sa->seq, sa->seq_hi);
-  s = format (s, "\n   last-seq %u last-seq-hi %u window %U",
-             sa->last_seq, sa->last_seq_hi,
-             format_ipsec_replay_window, sa->replay_window);
+  s = format (s, "\n   window %U", format_ipsec_replay_window,
+             sa->replay_window);
   s = format (s, "\n   crypto alg %U",
              format_ipsec_crypto_alg, sa->crypto_alg);
   if (sa->crypto_alg && (flags & IPSEC_FORMAT_INSECURE))
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index 7827ef1..14461ad 100644 (file)
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -131,9 +131,8 @@ typedef struct
   u32 spi;
   u32 seq;
   u32 seq_hi;
-  u32 last_seq;
-  u32 last_seq_hi;
   u64 replay_window;
+  u64 ctr_iv_counter;
   dpo_id_t dpo;
 
   vnet_crypto_key_index_t crypto_key_index;
@@ -162,7 +161,6 @@ typedef struct
 
   CLIB_CACHE_LINE_ALIGN_MARK (cacheline1);
 
-  u64 ctr_iv_counter;
   union
   {
     ip4_header_t ip4_hdr;
@@ -312,45 +310,104 @@ extern uword unformat_ipsec_key (unformat_input_t * input, va_list * args);
  */
 #define IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND(_tl) (_tl - IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE + 1)
 
+always_inline int
+ipsec_sa_anti_replay_check (const ipsec_sa_t *sa, u32 seq)
+{
+  if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa) &&
+      sa->replay_window & (1ULL << (sa->seq - seq)))
+    return 1;
+  else
+    return 0;
+}
+
 /*
  * Anti replay check.
  *  inputs need to be in host byte order.
+ *
+ * The function runs in two contexts. pre and post decrypt.
+ * Pre-decrypt it:
+ *  1 - determines if a packet is a replay - a simple check in the window
+ *  2 - returns the hi-seq number that should be used to decrypt.
+ * post-decrypt:
+ *  Checks whether the packet is a replay or falls out of window
+ *
+ * This funcion should be called even without anti-replay enabled to ensure
+ * the high sequence number is set.
  */
 always_inline int
-ipsec_sa_anti_replay_check (ipsec_sa_t * sa, u32 seq)
+ipsec_sa_anti_replay_and_sn_advance (const ipsec_sa_t *sa, u32 seq,
+                                    u32 hi_seq_used, bool post_decrypt,
+                                    u32 *hi_seq_req)
 {
-  u32 diff, tl, th;
-
-  if ((sa->flags & IPSEC_SA_FLAG_USE_ANTI_REPLAY) == 0)
-    return 0;
+  ASSERT ((post_decrypt == false) == (hi_seq_req != 0));
 
   if (!ipsec_sa_is_set_USE_ESN (sa))
     {
-      if (PREDICT_TRUE (seq > sa->last_seq))
+      if (hi_seq_req)
+       /* no ESN, therefore the hi-seq is always 0 */
+       *hi_seq_req = 0;
+
+      if (!ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
        return 0;
 
-      diff = sa->last_seq - seq;
+      if (PREDICT_TRUE (seq > sa->seq))
+       return 0;
+
+      u32 diff = sa->seq - seq;
 
       if (IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE > diff)
-       return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
+       return ((sa->replay_window & (1ULL << diff)) ? 1 : 0);
       else
        return 1;
 
       return 0;
     }
 
-  tl = sa->last_seq;
-  th = sa->last_seq_hi;
-  diff = tl - seq;
-
-  if (PREDICT_TRUE (tl >= (IPSEC_SA_ANTI_REPLAY_WINDOW_MAX_INDEX)))
+  if (!ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
+    {
+      /* there's no AR configured for this SA, but in order
+       * to know whether a packet has wrapped the hi ESN we need
+       * to know whether it is out of window. if we use the default
+       * lower bound then we are effectively forcing AR because
+       * out of window packets will get the increased hi seq number
+       * and will thus fail to decrypt. IOW we need a window to know
+       * if the SN has wrapped, but we don't want a window to check for
+       * anti replay. to resolve the contradiction we use a huge window.
+       * if the packet is not within 2^30 of the current SN, we'll consider
+       * it a wrap.
+       */
+      if (hi_seq_req)
+       {
+         if (seq >= sa->seq)
+           /* The packet's sequence number is larger that the SA's.
+            * that can't be a warp - unless we lost more than
+            * 2^32 packets ... how could we know? */
+           *hi_seq_req = sa->seq_hi;
+         else
+           {
+             /* The packet's SN is less than the SAs, so either the SN has
+              * wrapped or the SN is just old. */
+             if (sa->seq - seq > (1 << 30))
+               /* It's really really really old => it wrapped */
+               *hi_seq_req = sa->seq_hi + 1;
+             else
+               *hi_seq_req = sa->seq_hi;
+           }
+       }
+      /*
+       * else
+       *   this is post-decrpyt and since it decrypted we accept it
+       */
+      return 0;
+    }
+  if (PREDICT_TRUE (sa->seq >= (IPSEC_SA_ANTI_REPLAY_WINDOW_MAX_INDEX)))
     {
       /*
        * the last sequence number VPP recieved is more than one
        * window size greater than zero.
        * Case A from RFC4303 Appendix A.
        */
-      if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (tl))
+      if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (sa->seq))
        {
          /*
           * the received sequence number is lower than the lower bound
@@ -358,8 +415,28 @@ ipsec_sa_anti_replay_check (ipsec_sa_t * sa, u32 seq)
           * the high sequence number has wrapped. if it decrypts corrently
           * then it's the latter.
           */
-         sa->seq_hi = th + 1;
-         return 0;
+         if (post_decrypt)
+           {
+             if (hi_seq_used == sa->seq_hi)
+               /* the high sequence number used to succesfully decrypt this
+                * packet is the same as the last-sequnence number of the SA.
+                * that means this packet did not cause a wrap.
+                * this packet is thus out of window and should be dropped */
+               return 1;
+             else
+               /* The packet decrypted with a different high sequence number
+                * to the SA, that means it is the wrap packet and should be
+                * accepted */
+               return 0;
+           }
+         else
+           {
+             /* pre-decrypt it might be the might that casues a wrap, we
+              * need to decrpyt to find out */
+             if (hi_seq_req)
+               *hi_seq_req = sa->seq_hi + 1;
+             return 0;
+           }
        }
       else
        {
@@ -367,13 +444,14 @@ ipsec_sa_anti_replay_check (ipsec_sa_t * sa, u32 seq)
           * the recieved sequence number greater than the low
           * end of the window.
           */
-         sa->seq_hi = th;
-         if (seq <= tl)
+         if (hi_seq_req)
+           *hi_seq_req = sa->seq_hi;
+         if (seq <= sa->seq)
            /*
             * The recieved seq number is within bounds of the window
             * check if it's a duplicate
             */
-           return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
+           return (ipsec_sa_anti_replay_check (sa, seq));
          else
            /*
             * The received sequence number is greater than the window
@@ -393,19 +471,20 @@ ipsec_sa_anti_replay_check (ipsec_sa_t * sa, u32 seq)
        * RHS will be a larger number.
        * Case B from RFC4303 Appendix A.
        */
-      if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (tl))
+      if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (sa->seq))
        {
          /*
           * the sequence number is less than the lower bound.
           */
-         if (seq <= tl)
+         if (seq <= sa->seq)
            {
              /*
               * the packet is within the window upper bound.
               * check for duplicates.
               */
-             sa->seq_hi = th;
-             return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
+             if (hi_seq_req)
+               *hi_seq_req = sa->seq_hi;
+             return (ipsec_sa_anti_replay_check (sa, seq));
            }
          else
            {
@@ -418,7 +497,8 @@ ipsec_sa_anti_replay_check (ipsec_sa_t * sa, u32 seq)
               * wrapped the high sequence again. If it were the latter then
               * we've lost close to 2^32 packets.
               */
-             sa->seq_hi = th;
+             if (hi_seq_req)
+               *hi_seq_req = sa->seq_hi;
              return 0;
            }
        }
@@ -431,73 +511,79 @@ ipsec_sa_anti_replay_check (ipsec_sa_t * sa, u32 seq)
           * However, since TL is the other side of 0 to the received
           * packet, the SA has moved on to a higher sequence number.
           */
-         sa->seq_hi = th - 1;
-         return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
+         if (hi_seq_req)
+           *hi_seq_req = sa->seq_hi - 1;
+         return (ipsec_sa_anti_replay_check (sa, seq));
        }
     }
 
+  /* unhandled case */
+  ASSERT (0);
   return 0;
 }
 
 /*
  * Anti replay window advance
  *  inputs need to be in host byte order.
+ * This function both advances the anti-replay window and the sequence number
+ * We always need to move on the SN but the window updates are only needed
+ * if AR is on.
+ * However, updating the window is trivial, so we do it anyway to save
+ * the branch cost.
  */
 always_inline void
-ipsec_sa_anti_replay_advance (ipsec_sa_t * sa, u32 seq)
+ipsec_sa_anti_replay_advance (ipsec_sa_t *sa, u32 seq, u32 hi_seq)
 {
   u32 pos;
-  if (PREDICT_TRUE (sa->flags & IPSEC_SA_FLAG_USE_ANTI_REPLAY) == 0)
-    return;
 
-  if (PREDICT_TRUE (sa->flags & IPSEC_SA_FLAG_USE_ESN))
+  if (ipsec_sa_is_set_USE_ESN (sa))
     {
-      int wrap = sa->seq_hi - sa->last_seq_hi;
+      int wrap = hi_seq - sa->seq_hi;
 
-      if (wrap == 0 && seq > sa->last_seq)
+      if (wrap == 0 && seq > sa->seq)
        {
-         pos = seq - sa->last_seq;
+         pos = seq - sa->seq;
          if (pos < IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE)
            sa->replay_window = ((sa->replay_window) << pos) | 1;
          else
            sa->replay_window = 1;
-         sa->last_seq = seq;
+         sa->seq = seq;
        }
       else if (wrap > 0)
        {
-         pos = ~seq + sa->last_seq + 1;
+         pos = ~seq + sa->seq + 1;
          if (pos < IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE)
            sa->replay_window = ((sa->replay_window) << pos) | 1;
          else
            sa->replay_window = 1;
-         sa->last_seq = seq;
-         sa->last_seq_hi = sa->seq_hi;
+         sa->seq = seq;
+         sa->seq_hi = hi_seq;
        }
       else if (wrap < 0)
        {
-         pos = ~seq + sa->last_seq + 1;
+         pos = ~seq + sa->seq + 1;
          sa->replay_window |= (1ULL << pos);
        }
       else
        {
-         pos = sa->last_seq - seq;
+         pos = sa->seq - seq;
          sa->replay_window |= (1ULL << pos);
        }
     }
   else
     {
-      if (seq > sa->last_seq)
+      if (seq > sa->seq)
        {
-         pos = seq - sa->last_seq;
+         pos = seq - sa->seq;
          if (pos < IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE)
            sa->replay_window = ((sa->replay_window) << pos) | 1;
          else
            sa->replay_window = 1;
-         sa->last_seq = seq;
+         sa->seq = seq;
        }
       else
        {
-         pos = sa->last_seq - seq;
+         pos = sa->seq - seq;
          sa->replay_window |= (1ULL << pos);
        }
     }
diff --git a/test/template_ipsec.py b/test/template_ipsec.py
index fd9d91f..57c8434 100644 (file)
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py
@@ -324,6 +324,199 @@ class IpsecTra4(object):
 
         return count
 
+    def verify_hi_seq_num(self):
+        p = self.params[socket.AF_INET]
+        saf = VppEnum.vl_api_ipsec_sad_flags_t
+        esn_on = p.vpp_tra_sa.esn_en
+        ar_on = p.flags & saf.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY
+
+        seq_cycle_node_name = \
+            ('/err/%s/sequence number cycled (packet dropped)' %
+             self.tra4_encrypt_node_name)
+        replay_count = self.get_replay_counts(p)
+        hash_failed_count = self.get_hash_failed_counts(p)
+        seq_cycle_count = self.statistics.get_err_counter(seq_cycle_node_name)
+
+        # a few packets so we get the rx seq number above the window size and
+        # thus can simulate a wrap with an out of window packet
+        pkts = [(Ether(src=self.tra_if.remote_mac,
+                       dst=self.tra_if.local_mac) /
+                 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+                                           dst=self.tra_if.local_ip4) /
+                                        ICMP(),
+                                        seq_num=seq))
+                for seq in range(63, 80)]
+        recv_pkts = self.send_and_expect(self.tra_if, pkts, self.tra_if)
+
+        # these 4 packets will all choose seq-num 0 to decrpyt since none
+        # are out of window when first checked. however, once #200 has
+        # decrypted it will move the window to 200 and has #81 is out of
+        # window. this packet should be dropped.
+        pkts = [(Ether(src=self.tra_if.remote_mac,
+                       dst=self.tra_if.local_mac) /
+                 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+                                           dst=self.tra_if.local_ip4) /
+                                        ICMP(),
+                                        seq_num=200)),
+                (Ether(src=self.tra_if.remote_mac,
+                       dst=self.tra_if.local_mac) /
+                 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+                                           dst=self.tra_if.local_ip4) /
+                                        ICMP(),
+                                        seq_num=81)),
+                (Ether(src=self.tra_if.remote_mac,
+                       dst=self.tra_if.local_mac) /
+                 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+                                           dst=self.tra_if.local_ip4) /
+                                        ICMP(),
+                                        seq_num=201)),
+                (Ether(src=self.tra_if.remote_mac,
+                       dst=self.tra_if.local_mac) /
+                 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+                                           dst=self.tra_if.local_ip4) /
+                                        ICMP(),
+                                        seq_num=202))]
+
+        # if anti-replay is off then we won't drop #81
+        n_rx = 3 if ar_on else 4
+        self.send_and_expect(self.tra_if, pkts, self.tra_if, n_rx=n_rx)
+        # this packet is one before the wrap
+        pkts = [(Ether(src=self.tra_if.remote_mac,
+                       dst=self.tra_if.local_mac) /
+                 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+                                           dst=self.tra_if.local_ip4) /
+                                        ICMP(),
+                                        seq_num=203))]
+        recv_pkts = self.send_and_expect(self.tra_if, pkts, self.tra_if)
+
+        # move the window over half way to a wrap
+        pkts = [(Ether(src=self.tra_if.remote_mac,
+                       dst=self.tra_if.local_mac) /
+                 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+                                           dst=self.tra_if.local_ip4) /
+                                        ICMP(),
+                                        seq_num=0x80000001))]
+        recv_pkts = self.send_and_expect(self.tra_if, pkts, self.tra_if)
+
+        # anti-replay will drop old packets, no anti-replay will not
+        pkts = [(Ether(src=self.tra_if.remote_mac,
+                       dst=self.tra_if.local_mac) /
+                 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+                                           dst=self.tra_if.local_ip4) /
+                                        ICMP(),
+                                        seq_num=0x44000001))]
+
+        if ar_on:
+            self.send_and_assert_no_replies(self.tra_if, pkts)
+        else:
+            recv_pkts = self.send_and_expect(self.tra_if, pkts, self.tra_if)
+
+        if esn_on:
+            #
+            # validate wrapping the ESN
+            #
+
+            # wrap scapy's TX SA SN
+            p.scapy_tra_sa.seq_num = 0x100000005
+
+            # send a packet that wraps the window for both AR and no AR
+            pkts = [(Ether(src=self.tra_if.remote_mac,
+                           dst=self.tra_if.local_mac) /
+                     p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+                                               dst=self.tra_if.local_ip4) /
+                                            ICMP(),
+                                            seq_num=0x100000005))]
+
+            rxs = self.send_and_expect(self.tra_if, pkts, self.tra_if)
+            for rx in rxs:
+                decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
+
+            # move the window forward to half way to the next wrap
+            pkts = [(Ether(src=self.tra_if.remote_mac,
+                           dst=self.tra_if.local_mac) /
+                     p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+                                               dst=self.tra_if.local_ip4) /
+                                            ICMP(),
+                                            seq_num=0x180000005))]
+
+            rxs = self.send_and_expect(self.tra_if, pkts, self.tra_if)
+
+            # a packet less than 2^30 from the current position is:
+            #  - AR: out of window and dropped
+            #  - non-AR: accepted
+            pkts = [(Ether(src=self.tra_if.remote_mac,
+                           dst=self.tra_if.local_mac) /
+                     p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+                                               dst=self.tra_if.local_ip4) /
+                                            ICMP(),
+                                            seq_num=0x170000005))]
+
+            if ar_on:
+                self.send_and_assert_no_replies(self.tra_if, pkts)
+            else:
+                self.send_and_expect(self.tra_if, pkts, self.tra_if)
+
+            # a packet more than 2^30 from the current position is:
+            #  - AR: out of window and dropped
+            #  - non-AR: considered a wrap, but since it's not a wrap
+            #    it won't decrpyt and so will be dropped
+            pkts = [(Ether(src=self.tra_if.remote_mac,
+                           dst=self.tra_if.local_mac) /
+                     p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+                                               dst=self.tra_if.local_ip4) /
+                                            ICMP(),
+                                            seq_num=0x130000005))]
+
+            self.send_and_assert_no_replies(self.tra_if, pkts)
+
+            # a packet less than 2^30 from the current position and is a
+            # wrap; (the seq is currently at 0x180000005).
+            #  - AR: out of window so considered a wrap, so accepted
+            #  - non-AR: not considered a wrap, so won't decrypt
+            p.scapy_tra_sa.seq_num = 0x260000005
+            pkts = [(Ether(src=self.tra_if.remote_mac,
+                           dst=self.tra_if.local_mac) /
+                     p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+                                               dst=self.tra_if.local_ip4) /
+                                            ICMP(),
+                                            seq_num=0x260000005))]
+            if ar_on:
+                self.send_and_expect(self.tra_if, pkts, self.tra_if)
+            else:
+                self.send_and_assert_no_replies(self.tra_if, pkts)
+
+            #
+            # window positions are different now for AR/non-AR
+            #  move non-AR forward
+            #
+            if not ar_on:
+                # a packet more than 2^30 from the current position and is a
+                # wrap; (the seq is currently at 0x180000005).
+                #  - AR: accepted
+                #  - non-AR: not considered a wrap, so won't decrypt
+
+                pkts = [(Ether(src=self.tra_if.remote_mac,
+                               dst=self.tra_if.local_mac) /
+                         p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+                                                   dst=self.tra_if.local_ip4) /
+                                                ICMP(),
+                                                seq_num=0x200000005)),
+                        (Ether(src=self.tra_if.remote_mac,
+                               dst=self.tra_if.local_mac) /
+                         p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+                                                   dst=self.tra_if.local_ip4) /
+                                                ICMP(),
+                                                seq_num=0x200000006))]
+                self.send_and_expect(self.tra_if, pkts, self.tra_if)
+
+                pkts = [(Ether(src=self.tra_if.remote_mac,
+                               dst=self.tra_if.local_mac) /
+                         p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+                                                   dst=self.tra_if.local_ip4) /
+                                                ICMP(),
+                                                seq_num=0x260000005))]
+                self.send_and_expect(self.tra_if, pkts, self.tra_if)
+
     def verify_tra_anti_replay(self):
         p = self.params[socket.AF_INET]
         esn_en = p.vpp_tra_sa.esn_en
@@ -359,7 +552,7 @@ class IpsecTra4(object):
         recv_pkts = self.send_and_expect(self.tra_if, pkts, self.tra_if)
 
         # replayed packets are dropped
-        self.send_and_assert_no_replies(self.tra_if, pkts)
+        self.send_and_assert_no_replies(self.tra_if, pkts, timeout=0.2)
         replay_count += len(pkts)
         self.assertEqual(self.get_replay_counts(p), replay_count)
 
@@ -393,7 +586,7 @@ class IpsecTra4(object):
         recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
 
         # replayed packets are dropped
-        self.send_and_assert_no_replies(self.tra_if, pkt * 3)
+        self.send_and_assert_no_replies(self.tra_if, pkt * 3, timeout=0.2)
         replay_count += 3
         self.assertEqual(self.get_replay_counts(p), replay_count)
 
@@ -420,7 +613,7 @@ class IpsecTra4(object):
                                    dst=self.tra_if.local_ip4) /
                                 ICMP(),
                                 seq_num=350))
-        self.send_and_assert_no_replies(self.tra_if, pkt * 17)
+        self.send_and_assert_no_replies(self.tra_if, pkt * 17, timeout=0.2)
 
         hash_failed_count += 17
         self.assertEqual(self.get_hash_failed_counts(p), hash_failed_count)
@@ -436,7 +629,7 @@ class IpsecTra4(object):
                                        dst=self.tra_if.local_ip4) /
                                     ICMP(),
                                     seq_num=350))
-            self.send_and_assert_no_replies(self.tra_if, pkt * 17)
+            self.send_and_assert_no_replies(self.tra_if, pkt * 17, timeout=0.2)
 
             undersize_count += 17
             self.assert_error_counter_equal(undersize_node_name,
@@ -462,7 +655,7 @@ class IpsecTra4(object):
                                          dst=self.tra_if.local_ip4) /
                                       ICMP(),
                                       seq_num=17))
-        self.send_and_assert_no_replies(self.tra_if, pkt * 17)
+        self.send_and_assert_no_replies(self.tra_if, pkt * 17, timeout=0.2)
 
         if esn_en:
             # an out of window error with ESN looks like a high sequence
@@ -526,6 +719,7 @@ class IpsecTra4(object):
                                           ICMP(),
                                           seq_num=0x100000005))
             rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
+
             decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
 
             #
@@ -544,7 +738,7 @@ class IpsecTra4(object):
 
             #
             # While in case A we cannot wrap the high sequence number again
-            # becuase VPP will consider this packet to be one that moves the
+            # because VPP will consider this packet to be one that moves the
             # window forward
             #
             pkt = (Ether(src=self.tra_if.remote_mac,
@@ -553,13 +747,14 @@ class IpsecTra4(object):
                                              dst=self.tra_if.local_ip4) /
                                           ICMP(),
                                           seq_num=0x200000999))
-            self.send_and_assert_no_replies(self.tra_if, [pkt], self.tra_if)
+            self.send_and_assert_no_replies(self.tra_if, [pkt], self.tra_if,
+                                            timeout=0.2)
 
             hash_failed_count += 1
             self.assertEqual(self.get_hash_failed_counts(p), hash_failed_count)
 
             #
-            # but if we move the wondow forward to case B, then we can wrap
+            # but if we move the window forward to case B, then we can wrap
             # again
             #
             p.scapy_tra_sa.seq_num = 0x100000555
@@ -587,7 +782,7 @@ class IpsecTra4(object):
             # without ESN TX sequence numbers can't wrap and packets are
             # dropped from here on out.
             #
-            self.send_and_assert_no_replies(self.tra_if, pkts)
+            self.send_and_assert_no_replies(self.tra_if, pkts, timeout=0.2)
             seq_cycle_count += len(pkts)
             self.assert_error_counter_equal(seq_cycle_node_name,
                                             seq_cycle_count)
diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py
index 41ac56e..6fd4ba1 100644 (file)
--- a/test/test_ipsec_esp.py
+++ b/test/test_ipsec_esp.py
@@ -50,6 +50,11 @@ class ConfigIpsecESP(TemplateIpsec):
     def tearDown(self):
         super(ConfigIpsecESP, self).tearDown()
 
+    def config_anti_replay(self, params):
+        saf = VppEnum.vl_api_ipsec_sad_flags_t
+        for p in params:
+            p.flags |= saf.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY
+
     def config_network(self, params):
         self.net_objs = []
         self.tun_if = self.pg0
@@ -200,10 +205,8 @@ class ConfigIpsecESP(TemplateIpsec):
         crypt_key = params.crypt_key
         addr_any = params.addr_any
         addr_bcast = params.addr_bcast
-        flags = (VppEnum.vl_api_ipsec_sad_flags_t.
-                 IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY)
         e = VppEnum.vl_api_ipsec_spd_action_t
-        flags = params.flags | flags
+        flags = params.flags
         salt = params.salt
         objs = []
 
@@ -292,6 +295,7 @@ class TemplateIpsecEsp(ConfigIpsecESP):
 
     def setUp(self):
         super(TemplateIpsecEsp, self).setUp()
+        self.config_anti_replay(self.params.values())
         self.config_network(self.params.values())
 
     def tearDown(self):
@@ -698,7 +702,9 @@ class TemplateIpsecEspUdp(ConfigIpsecESP):
 
         p = self.ipv4_params
         p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.
-                   IPSEC_API_SAD_FLAG_UDP_ENCAP)
+                   IPSEC_API_SAD_FLAG_UDP_ENCAP |
+                   VppEnum.vl_api_ipsec_sad_flags_t.
+                   IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY)
         p.nat_header = UDP(sport=5454, dport=4500)
 
         self.tra_spd = VppIpsecSpd(self, self.tra_spd_id)
@@ -737,8 +743,10 @@ class TestIpsecEspUdp(TemplateIpsecEspUdp, IpsecTra4Tests):
 
 class MyParameters():
     def __init__(self):
-        flag_esn = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN
-        self.flags = [0, flag_esn]
+        saf = VppEnum.vl_api_ipsec_sad_flags_t
+        flag_esn = saf.IPSEC_API_SAD_FLAG_USE_ESN
+        flag_ar = saf.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY
+        self.flags = [0, flag_esn, flag_ar]
         # foreach crypto algorithm
         self.algos = {
             'AES-GCM-128/NONE': {
@@ -862,10 +870,12 @@ class RunTestIpsecEspAll(ConfigIpsecESP,
         params = MyParameters()
         self.engine = test_args[0]
         self.flag = params.flags[0]
-        if test_args[1] == 'ESN':
-            self.flag = params.flags[1]
+        if test_args[1] == 'ESNon':
+            self.flag |= params.flags[1]
+        if test_args[2] == 'ARon':
+            self.flag |= params.flags[2]
 
-        self.algo = params.algos[test_args[2]]
+        self.algo = params.algos[test_args[3]]
         self.async_mode = False
         if self.engine == "async":
             self.async_mode = True
@@ -898,7 +908,7 @@ class RunTestIpsecEspAll(ConfigIpsecESP,
             p.auth_algo = algo['scapy-integ']
             p.crypt_key = algo['key']
             p.salt = algo['salt']
-            p.flags = p.flags | flag
+            p.flags = flag
             p.outer_flow_label = 243224
             p.async_mode = self.async_mode
 
@@ -947,24 +957,29 @@ class RunTestIpsecEspAll(ConfigIpsecESP,
                                    count=NUM_PKTS, payload_size=sz)
 
         #
-        # swap the handlers while SAs are up
+        # reconfigure the network and SA to run the
+        # anti replay tests
         #
-        for e in engines:
-            if e != engine:
-                self.vapi.cli("set crypto handler all %s" % e)
-                self.verify_tra_basic4(count=NUM_PKTS)
+        saf = VppEnum.vl_api_ipsec_sad_flags_t
+        if flag & saf.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY:
+            self.unconfig_network()
+            self.config_network(self.params.values())
+            self.verify_tra_anti_replay()
 
-        #
-        # remove the SPDs, SAs, etc
-        #
         self.unconfig_network()
+        self.config_network(self.params.values())
+        self.verify_hi_seq_num()
 
         #
-        # reconfigure the network and SA to run the
-        # anti replay tests
+        # swap the handlers while SAs are up
         #
+        self.unconfig_network()
         self.config_network(self.params.values())
-        self.verify_tra_anti_replay()
+        for e in engines:
+            if e != engine:
+                self.vapi.cli("set crypto handler all %s" % e)
+                self.verify_tra_basic4(count=NUM_PKTS)
+
         self.unconfig_network()
 
 #
@@ -972,480 +987,1094 @@ class RunTestIpsecEspAll(ConfigIpsecESP,
 #   grep '# GEN' test_ipsec_esp.py | sed -e 's/# GEN //g' | bash
 #
 # GEN for ENG in native ipsecmb openssl; do \
-# GEN   for FLG in noESN ESN; do for ALG in AES-GCM-128/NONE \
+# GEN   for ESN in ESNon ESNoff; do for AR in ARon ARoff; do \
+# GEN   for ALG in AES-GCM-128/NONE \
 # GEN     AES-GCM-192/NONE AES-GCM-256/NONE AES-CBC-128/MD5-96 \
 # GEN     AES-CBC-192/SHA1-96 AES-CBC-256/SHA1-96 \
 # GEN     3DES-CBC/SHA1-96 NONE/SHA1-96 \
 # GEN     AES-CTR-128/SHA1-96 AES-CTR-192/SHA1-96 AES-CTR-256/SHA1-96; do \
-# GEN      echo -e "\n\nclass Test_${ENG}_${FLG}_${ALG}(RunTestIpsecEspAll):" |
-# GEN             sed -e 's/-/_/g' -e 's#/#_#g' ; \
-# GEN      echo '    """'$ENG $FLG $ALG IPSec test'"""' ;
+# GEN      echo -en "\n\nclass "
+# GEN      echo -e "Test_${ENG}_${ESN}_${AR}_${ALG}(RunTestIpsecEspAll):" |
+# GEN             sed -e 's/-/_/g' -e 's#/#_#g' ;
+# GEN      echo '    """'$ENG $ESN $AR $ALG IPSec test'"""' ;
 # GEN      echo "    def test_ipsec(self):";
+# GEN      echo '        """'$ENG $ESN $AR $ALG IPSec test'"""' ;
 # GEN      echo "        self.run_test()";
-# GEN done; done; done
+# GEN done; done; done; done
 #
-# GEN   for FLG in noESN ESN; do for ALG in \
+# GEN   for ESN in ESNon ESNoff; do for AR in ARon ARoff; do \
+# GEN   for ALG in \
 # GEN     AES-GCM-128/NONE AES-GCM-192/NONE AES-GCM-256/NONE \
 # GEN     AES-CBC-192/SHA1-96 AES-CBC-256/SHA1-96; do \
-# GEN      echo -e "\n\nclass Test_async_${FLG}_${ALG}(RunTestIpsecEspAll):" |
-# GEN             sed -e 's/-/_/g' -e 's#/#_#g' ; \
-# GEN      echo '    """'async $FLG $ALG IPSec test'"""' ;
+# GEN      echo -en "\n\nclass "
+# GEN      echo -e "Test_async_${ESN}_${AR}_${ALG}(RunTestIpsecEspAll):" |
+# GEN             sed -e 's/-/_/g' -e 's#/#_#g' ;
+# GEN      echo '    """'async $ESN $AR $ALG IPSec test'"""' ;
 # GEN      echo "    def test_ipsec(self):";
+# GEN      echo '        """'async $ESN $AR $ALG IPSec test'"""' ;
 # GEN      echo "        self.run_test()";
-# GEN done; done;
+# GEN done; done; done;
+
+
+class Test_native_ESNon_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll):
+    """native ESNon ARon AES-GCM-128/NONE IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARon AES-GCM-128/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARon_AES_GCM_192_NONE(RunTestIpsecEspAll):
+    """native ESNon ARon AES-GCM-192/NONE IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARon AES-GCM-192/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARon_AES_GCM_256_NONE(RunTestIpsecEspAll):
+    """native ESNon ARon AES-GCM-256/NONE IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARon AES-GCM-256/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARon_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
+    """native ESNon ARon AES-CBC-128/MD5-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARon AES-CBC-128/MD5-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARon_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+    """native ESNon ARon AES-CBC-192/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARon AES-CBC-192/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARon_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+    """native ESNon ARon AES-CBC-256/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARon AES-CBC-256/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARon_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
+    """native ESNon ARon 3DES-CBC/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARon 3DES-CBC/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARon_NONE_SHA1_96(RunTestIpsecEspAll):
+    """native ESNon ARon NONE/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARon NONE/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARon_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
+    """native ESNon ARon AES-CTR-128/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARon AES-CTR-128/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARon_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
+    """native ESNon ARon AES-CTR-192/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARon AES-CTR-192/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARon_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
+    """native ESNon ARon AES-CTR-256/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARon AES-CTR-256/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll):
+    """native ESNon ARoff AES-GCM-128/NONE IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARoff AES-GCM-128/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARoff_AES_GCM_192_NONE(RunTestIpsecEspAll):
+    """native ESNon ARoff AES-GCM-192/NONE IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARoff AES-GCM-192/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARoff_AES_GCM_256_NONE(RunTestIpsecEspAll):
+    """native ESNon ARoff AES-GCM-256/NONE IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARoff AES-GCM-256/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARoff_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
+    """native ESNon ARoff AES-CBC-128/MD5-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARoff AES-CBC-128/MD5-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARoff_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+    """native ESNon ARoff AES-CBC-192/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARoff AES-CBC-192/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARoff_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+    """native ESNon ARoff AES-CBC-256/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARoff AES-CBC-256/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARoff_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
+    """native ESNon ARoff 3DES-CBC/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARoff 3DES-CBC/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARoff_NONE_SHA1_96(RunTestIpsecEspAll):
+    """native ESNon ARoff NONE/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARoff NONE/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARoff_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
+    """native ESNon ARoff AES-CTR-128/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARoff AES-CTR-128/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARoff_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
+    """native ESNon ARoff AES-CTR-192/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARoff AES-CTR-192/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNon_ARoff_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
+    """native ESNon ARoff AES-CTR-256/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNon ARoff AES-CTR-256/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll):
+    """native ESNoff ARon AES-GCM-128/NONE IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARon AES-GCM-128/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARon_AES_GCM_192_NONE(RunTestIpsecEspAll):
+    """native ESNoff ARon AES-GCM-192/NONE IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARon AES-GCM-192/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARon_AES_GCM_256_NONE(RunTestIpsecEspAll):
+    """native ESNoff ARon AES-GCM-256/NONE IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARon AES-GCM-256/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARon_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
+    """native ESNoff ARon AES-CBC-128/MD5-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARon AES-CBC-128/MD5-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARon_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+    """native ESNoff ARon AES-CBC-192/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARon AES-CBC-192/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARon_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+    """native ESNoff ARon AES-CBC-256/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARon AES-CBC-256/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARon_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
+    """native ESNoff ARon 3DES-CBC/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARon 3DES-CBC/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARon_NONE_SHA1_96(RunTestIpsecEspAll):
+    """native ESNoff ARon NONE/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARon NONE/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARon_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
+    """native ESNoff ARon AES-CTR-128/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARon AES-CTR-128/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARon_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
+    """native ESNoff ARon AES-CTR-192/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARon AES-CTR-192/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARon_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
+    """native ESNoff ARon AES-CTR-256/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARon AES-CTR-256/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll):
+    """native ESNoff ARoff AES-GCM-128/NONE IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARoff AES-GCM-128/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARoff_AES_GCM_192_NONE(RunTestIpsecEspAll):
+    """native ESNoff ARoff AES-GCM-192/NONE IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARoff AES-GCM-192/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARoff_AES_GCM_256_NONE(RunTestIpsecEspAll):
+    """native ESNoff ARoff AES-GCM-256/NONE IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARoff AES-GCM-256/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARoff_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
+    """native ESNoff ARoff AES-CBC-128/MD5-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARoff AES-CBC-128/MD5-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARoff_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+    """native ESNoff ARoff AES-CBC-192/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARoff AES-CBC-192/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARoff_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+    """native ESNoff ARoff AES-CBC-256/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARoff AES-CBC-256/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARoff_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
+    """native ESNoff ARoff 3DES-CBC/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARoff 3DES-CBC/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARoff_NONE_SHA1_96(RunTestIpsecEspAll):
+    """native ESNoff ARoff NONE/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARoff NONE/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARoff_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
+    """native ESNoff ARoff AES-CTR-128/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARoff AES-CTR-128/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARoff_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
+    """native ESNoff ARoff AES-CTR-192/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARoff AES-CTR-192/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_native_ESNoff_ARoff_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
+    """native ESNoff ARoff AES-CTR-256/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """native ESNoff ARoff AES-CTR-256/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARon AES-GCM-128/NONE IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARon AES-GCM-128/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARon_AES_GCM_192_NONE(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARon AES-GCM-192/NONE IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARon AES-GCM-192/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARon_AES_GCM_256_NONE(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARon AES-GCM-256/NONE IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARon AES-GCM-256/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARon_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARon AES-CBC-128/MD5-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARon AES-CBC-128/MD5-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARon_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARon AES-CBC-192/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARon AES-CBC-192/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARon_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARon AES-CBC-256/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARon AES-CBC-256/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARon_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARon 3DES-CBC/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARon 3DES-CBC/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARon_NONE_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARon NONE/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARon NONE/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARon_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARon AES-CTR-128/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARon AES-CTR-128/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARon_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARon AES-CTR-192/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARon AES-CTR-192/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARon_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARon AES-CTR-256/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARon AES-CTR-256/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARoff AES-GCM-128/NONE IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARoff AES-GCM-128/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARoff_AES_GCM_192_NONE(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARoff AES-GCM-192/NONE IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARoff AES-GCM-192/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARoff_AES_GCM_256_NONE(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARoff AES-GCM-256/NONE IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARoff AES-GCM-256/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARoff_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARoff AES-CBC-128/MD5-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARoff AES-CBC-128/MD5-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARoff_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARoff AES-CBC-192/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARoff AES-CBC-192/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARoff_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARoff AES-CBC-256/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARoff AES-CBC-256/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARoff_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARoff 3DES-CBC/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARoff 3DES-CBC/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARoff_NONE_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARoff NONE/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARoff NONE/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARoff_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARoff AES-CTR-128/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARoff AES-CTR-128/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARoff_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARoff AES-CTR-192/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARoff AES-CTR-192/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNon_ARoff_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNon ARoff AES-CTR-256/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNon ARoff AES-CTR-256/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNoff_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARon AES-GCM-128/NONE IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNoff ARon AES-GCM-128/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNoff_ARon_AES_GCM_192_NONE(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARon AES-GCM-192/NONE IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNoff ARon AES-GCM-192/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNoff_ARon_AES_GCM_256_NONE(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARon AES-GCM-256/NONE IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNoff ARon AES-GCM-256/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNoff_ARon_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARon AES-CBC-128/MD5-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNoff ARon AES-CBC-128/MD5-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNoff_ARon_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARon AES-CBC-192/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNoff ARon AES-CBC-192/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNoff_ARon_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARon AES-CBC-256/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNoff ARon AES-CBC-256/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNoff_ARon_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARon 3DES-CBC/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNoff ARon 3DES-CBC/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNoff_ARon_NONE_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARon NONE/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNoff ARon NONE/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNoff_ARon_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARon AES-CTR-128/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNoff ARon AES-CTR-128/SHA1-96 IPSec test"""
+        self.run_test()
+
+
+class Test_ipsecmb_ESNoff_ARon_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARon AES-CTR-192/SHA1-96 IPSec test"""
+    def test_ipsec(self):
+        """ipsecmb ESNoff ARon AES-CTR-192/SHA1-96 IPSec test"""
+        self.run_test()
 
 
-class Test_native_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
-    """native noESN AES-GCM-128/NONE IPSec test"""
+class Test_ipsecmb_ESNoff_ARon_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARon AES-CTR-256/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """ipsecmb ESNoff ARon AES-CTR-256/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_native_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
-    """native noESN AES-GCM-192/NONE IPSec test"""
+class Test_ipsecmb_ESNoff_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARoff AES-GCM-128/NONE IPSec test"""
     def test_ipsec(self):
+        """ipsecmb ESNoff ARoff AES-GCM-128/NONE IPSec test"""
         self.run_test()
 
 
-class Test_native_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
-    """native noESN AES-GCM-256/NONE IPSec test"""
+class Test_ipsecmb_ESNoff_ARoff_AES_GCM_192_NONE(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARoff AES-GCM-192/NONE IPSec test"""
     def test_ipsec(self):
+        """ipsecmb ESNoff ARoff AES-GCM-192/NONE IPSec test"""
         self.run_test()
 
 
-class Test_native_noESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
-    """native noESN AES-CBC-128/MD5-96 IPSec test"""
+class Test_ipsecmb_ESNoff_ARoff_AES_GCM_256_NONE(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARoff AES-GCM-256/NONE IPSec test"""
     def test_ipsec(self):
+        """ipsecmb ESNoff ARoff AES-GCM-256/NONE IPSec test"""
         self.run_test()
 
 
-class Test_native_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
-    """native noESN AES-CBC-192/SHA1-96 IPSec test"""
+class Test_ipsecmb_ESNoff_ARoff_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARoff AES-CBC-128/MD5-96 IPSec test"""
     def test_ipsec(self):
+        """ipsecmb ESNoff ARoff AES-CBC-128/MD5-96 IPSec test"""
         self.run_test()
 
 
-class Test_native_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
-    """native noESN AES-CBC-256/SHA1-96 IPSec test"""
+class Test_ipsecmb_ESNoff_ARoff_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARoff AES-CBC-192/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """ipsecmb ESNoff ARoff AES-CBC-192/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_native_noESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
-    """native noESN 3DES-CBC/SHA1-96 IPSec test"""
+class Test_ipsecmb_ESNoff_ARoff_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARoff AES-CBC-256/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """ipsecmb ESNoff ARoff AES-CBC-256/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_native_noESN_NONE_SHA1_96(RunTestIpsecEspAll):
-    """native noESN NONE/SHA1-96 IPSec test"""
+class Test_ipsecmb_ESNoff_ARoff_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARoff 3DES-CBC/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """ipsecmb ESNoff ARoff 3DES-CBC/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_native_noESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
-    """native noESN AES-CTR-128/SHA1-96 IPSec test"""
+class Test_ipsecmb_ESNoff_ARoff_NONE_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARoff NONE/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """ipsecmb ESNoff ARoff NONE/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_native_noESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
-    """native noESN AES-CTR-192/SHA1-96 IPSec test"""
+class Test_ipsecmb_ESNoff_ARoff_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARoff AES-CTR-128/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """ipsecmb ESNoff ARoff AES-CTR-128/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_native_noESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
-    """native noESN AES-CTR-256/SHA1-96 IPSec test"""
+class Test_ipsecmb_ESNoff_ARoff_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARoff AES-CTR-192/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """ipsecmb ESNoff ARoff AES-CTR-192/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_native_ESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
-    """native ESN AES-GCM-128/NONE IPSec test"""
+class Test_ipsecmb_ESNoff_ARoff_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
+    """ipsecmb ESNoff ARoff AES-CTR-256/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """ipsecmb ESNoff ARoff AES-CTR-256/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_native_ESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
-    """native ESN AES-GCM-192/NONE IPSec test"""
+class Test_openssl_ESNon_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll):
+    """openssl ESNon ARon AES-GCM-128/NONE IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARon AES-GCM-128/NONE IPSec test"""
         self.run_test()
 
 
-class Test_native_ESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
-    """native ESN AES-GCM-256/NONE IPSec test"""
+class Test_openssl_ESNon_ARon_AES_GCM_192_NONE(RunTestIpsecEspAll):
+    """openssl ESNon ARon AES-GCM-192/NONE IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARon AES-GCM-192/NONE IPSec test"""
         self.run_test()
 
 
-class Test_native_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
-    """native ESN AES-CBC-128/MD5-96 IPSec test"""
+class Test_openssl_ESNon_ARon_AES_GCM_256_NONE(RunTestIpsecEspAll):
+    """openssl ESNon ARon AES-GCM-256/NONE IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARon AES-GCM-256/NONE IPSec test"""
         self.run_test()
 
 
-class Test_native_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
-    """native ESN AES-CBC-192/SHA1-96 IPSec test"""
+class Test_openssl_ESNon_ARon_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
+    """openssl ESNon ARon AES-CBC-128/MD5-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARon AES-CBC-128/MD5-96 IPSec test"""
         self.run_test()
 
 
-class Test_native_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
-    """native ESN AES-CBC-256/SHA1-96 IPSec test"""
+class Test_openssl_ESNon_ARon_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNon ARon AES-CBC-192/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARon AES-CBC-192/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_native_ESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
-    """native ESN 3DES-CBC/SHA1-96 IPSec test"""
+class Test_openssl_ESNon_ARon_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNon ARon AES-CBC-256/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARon AES-CBC-256/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_native_ESN_NONE_SHA1_96(RunTestIpsecEspAll):
-    """native ESN NONE/SHA1-96 IPSec test"""
+class Test_openssl_ESNon_ARon_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNon ARon 3DES-CBC/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARon 3DES-CBC/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_native_ESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
-    """native ESN AES-CTR-128/SHA1-96 IPSec test"""
+class Test_openssl_ESNon_ARon_NONE_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNon ARon NONE/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARon NONE/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_native_ESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
-    """native ESN AES-CTR-192/SHA1-96 IPSec test"""
+class Test_openssl_ESNon_ARon_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNon ARon AES-CTR-128/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARon AES-CTR-128/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_native_ESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
-    """native ESN AES-CTR-256/SHA1-96 IPSec test"""
+class Test_openssl_ESNon_ARon_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNon ARon AES-CTR-192/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARon AES-CTR-192/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
-    """ipsecmb noESN AES-GCM-128/NONE IPSec test"""
+class Test_openssl_ESNon_ARon_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNon ARon AES-CTR-256/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARon AES-CTR-256/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
-    """ipsecmb noESN AES-GCM-192/NONE IPSec test"""
+class Test_openssl_ESNon_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll):
+    """openssl ESNon ARoff AES-GCM-128/NONE IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARoff AES-GCM-128/NONE IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
-    """ipsecmb noESN AES-GCM-256/NONE IPSec test"""
+class Test_openssl_ESNon_ARoff_AES_GCM_192_NONE(RunTestIpsecEspAll):
+    """openssl ESNon ARoff AES-GCM-192/NONE IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARoff AES-GCM-192/NONE IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_noESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
-    """ipsecmb noESN AES-CBC-128/MD5-96 IPSec test"""
+class Test_openssl_ESNon_ARoff_AES_GCM_256_NONE(RunTestIpsecEspAll):
+    """openssl ESNon ARoff AES-GCM-256/NONE IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARoff AES-GCM-256/NONE IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
-    """ipsecmb noESN AES-CBC-192/SHA1-96 IPSec test"""
+class Test_openssl_ESNon_ARoff_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
+    """openssl ESNon ARoff AES-CBC-128/MD5-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARoff AES-CBC-128/MD5-96 IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
-    """ipsecmb noESN AES-CBC-256/SHA1-96 IPSec test"""
+class Test_openssl_ESNon_ARoff_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNon ARoff AES-CBC-192/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARoff AES-CBC-192/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_noESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
-    """ipsecmb noESN 3DES-CBC/SHA1-96 IPSec test"""
+class Test_openssl_ESNon_ARoff_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNon ARoff AES-CBC-256/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARoff AES-CBC-256/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_noESN_NONE_SHA1_96(RunTestIpsecEspAll):
-    """ipsecmb noESN NONE/SHA1-96 IPSec test"""
+class Test_openssl_ESNon_ARoff_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNon ARoff 3DES-CBC/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARoff 3DES-CBC/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_noESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
-    """ipsecmb noESN AES-CTR-128/SHA1-96 IPSec test"""
+class Test_openssl_ESNon_ARoff_NONE_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNon ARoff NONE/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARoff NONE/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_noESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
-    """ipsecmb noESN AES-CTR-192/SHA1-96 IPSec test"""
+class Test_openssl_ESNon_ARoff_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNon ARoff AES-CTR-128/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARoff AES-CTR-128/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_noESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
-    """ipsecmb noESN AES-CTR-256/SHA1-96 IPSec test"""
+class Test_openssl_ESNon_ARoff_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNon ARoff AES-CTR-192/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARoff AES-CTR-192/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_ESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
-    """ipsecmb ESN AES-GCM-128/NONE IPSec test"""
+class Test_openssl_ESNon_ARoff_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNon ARoff AES-CTR-256/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNon ARoff AES-CTR-256/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_ESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
-    """ipsecmb ESN AES-GCM-192/NONE IPSec test"""
+class Test_openssl_ESNoff_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll):
+    """openssl ESNoff ARon AES-GCM-128/NONE IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARon AES-GCM-128/NONE IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_ESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
-    """ipsecmb ESN AES-GCM-256/NONE IPSec test"""
+class Test_openssl_ESNoff_ARon_AES_GCM_192_NONE(RunTestIpsecEspAll):
+    """openssl ESNoff ARon AES-GCM-192/NONE IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARon AES-GCM-192/NONE IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
-    """ipsecmb ESN AES-CBC-128/MD5-96 IPSec test"""
+class Test_openssl_ESNoff_ARon_AES_GCM_256_NONE(RunTestIpsecEspAll):
+    """openssl ESNoff ARon AES-GCM-256/NONE IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARon AES-GCM-256/NONE IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
-    """ipsecmb ESN AES-CBC-192/SHA1-96 IPSec test"""
+class Test_openssl_ESNoff_ARon_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
+    """openssl ESNoff ARon AES-CBC-128/MD5-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARon AES-CBC-128/MD5-96 IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
-    """ipsecmb ESN AES-CBC-256/SHA1-96 IPSec test"""
+class Test_openssl_ESNoff_ARon_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNoff ARon AES-CBC-192/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARon AES-CBC-192/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_ESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
-    """ipsecmb ESN 3DES-CBC/SHA1-96 IPSec test"""
+class Test_openssl_ESNoff_ARon_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNoff ARon AES-CBC-256/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARon AES-CBC-256/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_ESN_NONE_SHA1_96(RunTestIpsecEspAll):
-    """ipsecmb ESN NONE/SHA1-96 IPSec test"""
+class Test_openssl_ESNoff_ARon_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNoff ARon 3DES-CBC/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARon 3DES-CBC/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_ESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
-    """ipsecmb ESN AES-CTR-128/SHA1-96 IPSec test"""
+class Test_openssl_ESNoff_ARon_NONE_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNoff ARon NONE/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARon NONE/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_ESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
-    """ipsecmb ESN AES-CTR-192/SHA1-96 IPSec test"""
+class Test_openssl_ESNoff_ARon_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNoff ARon AES-CTR-128/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARon AES-CTR-128/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_ipsecmb_ESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
-    """ipsecmb ESN AES-CTR-256/SHA1-96 IPSec test"""
+class Test_openssl_ESNoff_ARon_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNoff ARon AES-CTR-192/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARon AES-CTR-192/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_openssl_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
-    """openssl noESN AES-GCM-128/NONE IPSec test"""
+class Test_openssl_ESNoff_ARon_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNoff ARon AES-CTR-256/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARon AES-CTR-256/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_openssl_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
-    """openssl noESN AES-GCM-192/NONE IPSec test"""
+class Test_openssl_ESNoff_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll):
+    """openssl ESNoff ARoff AES-GCM-128/NONE IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARoff AES-GCM-128/NONE IPSec test"""
         self.run_test()
 
 
-class Test_openssl_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
-    """openssl noESN AES-GCM-256/NONE IPSec test"""
+class Test_openssl_ESNoff_ARoff_AES_GCM_192_NONE(RunTestIpsecEspAll):
+    """openssl ESNoff ARoff AES-GCM-192/NONE IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARoff AES-GCM-192/NONE IPSec test"""
         self.run_test()
 
 
-class Test_openssl_noESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
-    """openssl noESN AES-CBC-128/MD5-96 IPSec test"""
+class Test_openssl_ESNoff_ARoff_AES_GCM_256_NONE(RunTestIpsecEspAll):
+    """openssl ESNoff ARoff AES-GCM-256/NONE IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARoff AES-GCM-256/NONE IPSec test"""
         self.run_test()
 
 
-class Test_openssl_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
-    """openssl noESN AES-CBC-192/SHA1-96 IPSec test"""
+class Test_openssl_ESNoff_ARoff_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
+    """openssl ESNoff ARoff AES-CBC-128/MD5-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARoff AES-CBC-128/MD5-96 IPSec test"""
         self.run_test()
 
 
-class Test_openssl_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
-    """openssl noESN AES-CBC-256/SHA1-96 IPSec test"""
+class Test_openssl_ESNoff_ARoff_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNoff ARoff AES-CBC-192/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARoff AES-CBC-192/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_openssl_noESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
-    """openssl noESN 3DES-CBC/SHA1-96 IPSec test"""
+class Test_openssl_ESNoff_ARoff_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNoff ARoff AES-CBC-256/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARoff AES-CBC-256/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_openssl_noESN_NONE_SHA1_96(RunTestIpsecEspAll):
-    """openssl noESN NONE/SHA1-96 IPSec test"""
+class Test_openssl_ESNoff_ARoff_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNoff ARoff 3DES-CBC/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARoff 3DES-CBC/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_openssl_noESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
-    """openssl noESN AES-CTR-128/SHA1-96 IPSec test"""
+class Test_openssl_ESNoff_ARoff_NONE_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNoff ARoff NONE/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARoff NONE/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_openssl_noESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
-    """openssl noESN AES-CTR-192/SHA1-96 IPSec test"""
+class Test_openssl_ESNoff_ARoff_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNoff ARoff AES-CTR-128/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARoff AES-CTR-128/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_openssl_noESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
-    """openssl noESN AES-CTR-256/SHA1-96 IPSec test"""
+class Test_openssl_ESNoff_ARoff_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNoff ARoff AES-CTR-192/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARoff AES-CTR-192/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_openssl_ESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
-    """openssl ESN AES-GCM-128/NONE IPSec test"""
+class Test_openssl_ESNoff_ARoff_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
+    """openssl ESNoff ARoff AES-CTR-256/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """openssl ESNoff ARoff AES-CTR-256/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_openssl_ESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
-    """openssl ESN AES-GCM-192/NONE IPSec test"""
+class Test_async_ESNon_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll):
+    """async ESNon ARon AES-GCM-128/NONE IPSec test"""
     def test_ipsec(self):
+        """async ESNon ARon AES-GCM-128/NONE IPSec test"""
         self.run_test()
 
 
-class Test_openssl_ESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
-    """openssl ESN AES-GCM-256/NONE IPSec test"""
+class Test_async_ESNon_ARon_AES_GCM_192_NONE(RunTestIpsecEspAll):
+    """async ESNon ARon AES-GCM-192/NONE IPSec test"""
     def test_ipsec(self):
+        """async ESNon ARon AES-GCM-192/NONE IPSec test"""
         self.run_test()
 
 
-class Test_openssl_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
-    """openssl ESN AES-CBC-128/MD5-96 IPSec test"""
+class Test_async_ESNon_ARon_AES_GCM_256_NONE(RunTestIpsecEspAll):
+    """async ESNon ARon AES-GCM-256/NONE IPSec test"""
     def test_ipsec(self):
+        """async ESNon ARon AES-GCM-256/NONE IPSec test"""
         self.run_test()
 
 
-class Test_openssl_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
-    """openssl ESN AES-CBC-192/SHA1-96 IPSec test"""
+class Test_async_ESNon_ARon_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+    """async ESNon ARon AES-CBC-192/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """async ESNon ARon AES-CBC-192/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_openssl_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
-    """openssl ESN AES-CBC-256/SHA1-96 IPSec test"""
+class Test_async_ESNon_ARon_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+    """async ESNon ARon AES-CBC-256/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """async ESNon ARon AES-CBC-256/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_openssl_ESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
-    """openssl ESN 3DES-CBC/SHA1-96 IPSec test"""
+class Test_async_ESNon_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll):
+    """async ESNon ARoff AES-GCM-128/NONE IPSec test"""
     def test_ipsec(self):
+        """async ESNon ARoff AES-GCM-128/NONE IPSec test"""
         self.run_test()
 
 
-class Test_openssl_ESN_NONE_SHA1_96(RunTestIpsecEspAll):
-    """openssl ESN NONE/SHA1-96 IPSec test"""
+class Test_async_ESNon_ARoff_AES_GCM_192_NONE(RunTestIpsecEspAll):
+    """async ESNon ARoff AES-GCM-192/NONE IPSec test"""
     def test_ipsec(self):
+        """async ESNon ARoff AES-GCM-192/NONE IPSec test"""
         self.run_test()
 
 
-class Test_openssl_ESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
-    """openssl ESN AES-CTR-128/SHA1-96 IPSec test"""
+class Test_async_ESNon_ARoff_AES_GCM_256_NONE(RunTestIpsecEspAll):
+    """async ESNon ARoff AES-GCM-256/NONE IPSec test"""
     def test_ipsec(self):
+        """async ESNon ARoff AES-GCM-256/NONE IPSec test"""
         self.run_test()
 
 
-class Test_openssl_ESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
-    """openssl ESN AES-CTR-192/SHA1-96 IPSec test"""
+class Test_async_ESNon_ARoff_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+    """async ESNon ARoff AES-CBC-192/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """async ESNon ARoff AES-CBC-192/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_openssl_ESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
-    """openssl ESN AES-CTR-256/SHA1-96 IPSec test"""
+class Test_async_ESNon_ARoff_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+    """async ESNon ARoff AES-CBC-256/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """async ESNon ARoff AES-CBC-256/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_async_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
-    """async noESN AES-GCM-128/NONE IPSec test"""
+class Test_async_ESNoff_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll):
+    """async ESNoff ARon AES-GCM-128/NONE IPSec test"""
     def test_ipsec(self):
+        """async ESNoff ARon AES-GCM-128/NONE IPSec test"""
         self.run_test()
 
 
-class Test_async_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
-    """async noESN AES-GCM-192/NONE IPSec test"""
+class Test_async_ESNoff_ARon_AES_GCM_192_NONE(RunTestIpsecEspAll):
+    """async ESNoff ARon AES-GCM-192/NONE IPSec test"""
     def test_ipsec(self):
+        """async ESNoff ARon AES-GCM-192/NONE IPSec test"""
         self.run_test()
 
 
-class Test_async_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
-    """async noESN AES-GCM-256/NONE IPSec test"""
+class Test_async_ESNoff_ARon_AES_GCM_256_NONE(RunTestIpsecEspAll):
+    """async ESNoff ARon AES-GCM-256/NONE IPSec test"""
     def test_ipsec(self):
+        """async ESNoff ARon AES-GCM-256/NONE IPSec test"""
         self.run_test()
 
 
-class Test_async_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
-    """async noESN AES-CBC-192/SHA1-96 IPSec test"""
+class Test_async_ESNoff_ARon_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+    """async ESNoff ARon AES-CBC-192/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """async ESNoff ARon AES-CBC-192/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_async_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
-    """async noESN AES-CBC-256/SHA1-96 IPSec test"""
+class Test_async_ESNoff_ARon_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+    """async ESNoff ARon AES-CBC-256/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """async ESNoff ARon AES-CBC-256/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_async_ESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
-    """async ESN AES-GCM-128/NONE IPSec test"""
+class Test_async_ESNoff_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll):
+    """async ESNoff ARoff AES-GCM-128/NONE IPSec test"""
     def test_ipsec(self):
+        """async ESNoff ARoff AES-GCM-128/NONE IPSec test"""
         self.run_test()
 
 
-class Test_async_ESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
-    """async ESN AES-GCM-192/NONE IPSec test"""
+class Test_async_ESNoff_ARoff_AES_GCM_192_NONE(RunTestIpsecEspAll):
+    """async ESNoff ARoff AES-GCM-192/NONE IPSec test"""
     def test_ipsec(self):
+        """async ESNoff ARoff AES-GCM-192/NONE IPSec test"""
         self.run_test()
 
 
-class Test_async_ESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
-    """async ESN AES-GCM-256/NONE IPSec test"""
+class Test_async_ESNoff_ARoff_AES_GCM_256_NONE(RunTestIpsecEspAll):
+    """async ESNoff ARoff AES-GCM-256/NONE IPSec test"""
     def test_ipsec(self):
+        """async ESNoff ARoff AES-GCM-256/NONE IPSec test"""
         self.run_test()
 
 
-class Test_async_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
-    """async ESN AES-CBC-192/SHA1-96 IPSec test"""
+class Test_async_ESNoff_ARoff_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+    """async ESNoff ARoff AES-CBC-192/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """async ESNoff ARoff AES-CBC-192/SHA1-96 IPSec test"""
         self.run_test()
 
 
-class Test_async_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
-    """async ESN AES-CBC-256/SHA1-96 IPSec test"""
+class Test_async_ESNoff_ARoff_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+    """async ESNoff ARoff AES-CBC-256/SHA1-96 IPSec test"""
     def test_ipsec(self):
+        """async ESNoff ARoff AES-CBC-256/SHA1-96 IPSec test"""
         self.run_test()
Vector Packet Processing