Index: etc/mtree/BSD.tests.dist
===================================================================
--- etc/mtree/BSD.tests.dist
+++ etc/mtree/BSD.tests.dist
@@ -476,6 +476,10 @@
 ..
 netinet
 ..
+ netipsec
+ tunnel
+ ..
+ ..
 netpfil
 pf
 ..
Index: tests/sys/Makefile
===================================================================
--- tests/sys/Makefile
+++ tests/sys/Makefile
@@ -13,6 +13,7 @@
 TESTS_SUBDIRS+= mac
 TESTS_SUBDIRS+= mqueue
 TESTS_SUBDIRS+= netinet
+TESTS_SUBDIRS+= netipsec
 TESTS_SUBDIRS+= netpfil
 TESTS_SUBDIRS+= opencrypto
 TESTS_SUBDIRS+= posixshm
Index: tests/sys/netipsec/Makefile
===================================================================
--- tests/sys/netipsec/Makefile
+++ tests/sys/netipsec/Makefile
@@ -0,0 +1,7 @@
+# $FreeBSD$
+
+TESTSDIR= ${TESTSBASE}/sys/netipsec
+
+TESTS_SUBDIRS+= tunnel
+
+.include
Index: tests/sys/netipsec/tunnel/Makefile
===================================================================
--- tests/sys/netipsec/tunnel/Makefile
+++ tests/sys/netipsec/tunnel/Makefile
@@ -0,0 +1,15 @@
+# $FreeBSD$
+
+PACKAGE= tests
+
+TESTSDIR= ${TESTSBASE}/sys/netipsec/tunnel
+
+ATF_TESTS_SH+= empty \
+ aes_cbc_128_hmac_sha1 \
+ aes_cbc_256_hmac_sha2_256 \
+ aes_gcm_128 \
+ aes_gcm_256
+
+${PACKAGE}FILES+= utils.subr
+
+.include
Index: tests/sys/netipsec/tunnel/aes_cbc_128_hmac_sha1.sh
===================================================================
--- tests/sys/netipsec/tunnel/aes_cbc_128_hmac_sha1.sh
+++ tests/sys/netipsec/tunnel/aes_cbc_128_hmac_sha1.sh
@@ -0,0 +1,71 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+ atf_set descr 'IPSec inet4 tunnel using aes-cbc-128-hmac-sha1'
+ atf_set require.user root
+}
+
+v4_body()
+{
+ pft_init
+ pft_labsetup
+ pft_v4_setup
+
+ # Sanity check, can IPSec gateway A reach IPSec gateway B?
+ atf_check -s exit:0 -o ignore jexec ipsecA ping -c 1 198.51.100.7
+
+ # Check correct loading of ipsec configuration file
+ pft_setkey ipsecA 4 out rijndael-cbc "1234567890123456" hmac-sha1 "12345678901234567890"
+ atf_check -s exit:0 -o ignore jexec ipsecA setkey -f /tmp/ipsec.ipsecA.conf
+ pft_setkey ipsecB 4 in rijndael-cbc "1234567890123456" hmac-sha1 "12345678901234567890"
+ atf_check -s exit:0 -o ignore jexec ipsecB setkey -f /tmp/ipsec.ipsecB.conf
+
+ # Check ipsec tunnel
+ atf_check -s exit:0 -o ignore jexec hostA ping -c 1 203.0.113.1
+}
+
+v4_cleanup()
+{
+ pft_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+ atf_set descr 'IPSec inet6 tunnel using aes-cbc-128-hmac-sha1'
+ atf_set require.user root
+}
+
+v6_body()
+{
+ pft_init
+ pft_labsetup
+ pft_v6_setup
+
+ # Sanity check, can IPSec gateway A reach IPSec gateway B?
+ atf_check -s exit:0 -o ignore jexec ipsecA ping6 -c 1 2001:db8:34::2
+
+ # Check correct loading of ipsec configuration file
+ pft_setkey ipsecA 6 out rijndael-cbc "1234567890123456" hmac-sha1 "12345678901234567890"
+ atf_check -s exit:0 -o ignore jexec ipsecA setkey -f /tmp/ipsec.ipsecA.conf
+ pft_setkey ipsecB 6 in rijndael-cbc "1234567890123456" hmac-sha1 "12345678901234567890"
+ atf_check -s exit:0 -o ignore jexec ipsecB setkey -f /tmp/ipsec.ipsecB.conf
+
+ # Check ipsec tunnel
+ atf_check -s exit:0 -o ignore jexec hostA ping6 -c 1 2001:db8:45::1
+}
+
+v6_cleanup()
+{
+ pft_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "v4"
+ atf_add_test_case "v6"
+}
Index: tests/sys/netipsec/tunnel/aes_cbc_256_hmac_sha2_256.sh
===================================================================
--- tests/sys/netipsec/tunnel/aes_cbc_256_hmac_sha2_256.sh
+++ tests/sys/netipsec/tunnel/aes_cbc_256_hmac_sha2_256.sh
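Review bot: The final `atf_check -s exit:0 -o ignore jexec hostA ping -c 1 203.0.113.1` (and its ping6 twin in v6_body) only proves that a reply came back; nothing in this file confirms the packets actually traversed the ESP SAs that were just loaded, so a regression that lets ipsecA forward plaintext would still pass if anything downstream routed it. The implicit negative appears to be that the `router` jail configured in utils.subr (outside this hunk) has no route to either LAN and would drop an unencapsulated forward, but that assumption is neither stated nor checked here. After the tunnel ping, add an explicit SA-use check, for instance matching the SPI and a non-zero `current:` byte counter in `jexec ipsecA setkey -D`, or a one-packet `tcpdump -c 1 esp` on the router's epair, so the test fails closed if the SPD is bypassed. At minimum document the dependency above the ping: `# router has no route to the LANs, so only ESP-encapsulated traffic can reach hostB`.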
@@ -0,0 +1,71 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+ atf_set descr 'IPSec inet4 tunnel using aes-cbc-256-hmac-sha2-256'
+ atf_set require.user root
+}
+
+v4_body()
+{
+ pft_init
+ pft_labsetup
+ pft_v4_setup
+
+ # Sanity check, can IPSec gateway A reach IPSec gateway B?
+ atf_check -s exit:0 -o ignore jexec ipsecA ping -c 1 198.51.100.7
+
+ # Check correct loading of ipsec configuration file
+ pft_setkey ipsecA 4 out rijndael-cbc "12345678901234567890123456789012" hmac-sha2-256 "12345678901234567890123456789012"
+ atf_check -s exit:0 -o ignore jexec ipsecA setkey -f /tmp/ipsec.ipsecA.conf
+ pft_setkey ipsecB 4 in rijndael-cbc "12345678901234567890123456789012" hmac-sha2-256 "12345678901234567890123456789012"
+ atf_check -s exit:0 -o ignore jexec ipsecB setkey -f /tmp/ipsec.ipsecB.conf
+
+ # Check ipsec tunnel
+ atf_check -s exit:0 -o ignore jexec hostA ping -c 1 203.0.113.1
+}
+
+v4_cleanup()
+{
+ pft_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+ atf_set descr 'IPSec inet6 tunnel using aes-cbc-256-hmac-sha2-256'
+ atf_set require.user root
+}
+
+v6_body()
+{
+ pft_init
+ pft_labsetup
+ pft_v6_setup
+
+ # Sanity check, can IPSec gateway A reach IPSec gateway B?
+ atf_check -s exit:0 -o ignore jexec ipsecA ping6 -c 1 2001:db8:34::2
+
+ # Check correct loading of ipsec configuration file
+ pft_setkey ipsecA 6 out rijndael-cbc "12345678901234567890123456789012" hmac-sha2-256 "12345678901234567890123456789012"
+ atf_check -s exit:0 -o ignore jexec ipsecA setkey -f /tmp/ipsec.ipsecA.conf
+ pft_setkey ipsecB 6 in rijndael-cbc "12345678901234567890123456789012" hmac-sha2-256 "12345678901234567890123456789012"
+ atf_check -s exit:0 -o ignore jexec ipsecB setkey -f /tmp/ipsec.ipsecB.conf
+
+ # Check ipsec tunnel
+ atf_check -s exit:0 -o ignore jexec hostA ping6 -c 1 2001:db8:45::1
+}
+
+v6_cleanup()
+{
+ pft_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "v4"
+ atf_add_test_case "v6"
+}
Index: tests/sys/netipsec/tunnel/aes_gcm_128.sh
===================================================================
--- tests/sys/netipsec/tunnel/aes_gcm_128.sh
+++ tests/sys/netipsec/tunnel/aes_gcm_128.sh
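Review bot: v4_body and v6_body here are line-for-line copies of the bodies in aes_cbc_128_hmac_sha1.sh, aes_gcm_128.sh, aes_gcm_256.sh and empty.sh; the only thing that differs is the argument list on the two `pft_setkey ipsecA ...` / `pft_setkey ipsecB ...` lines, so any fix to the check sequence (or to the /tmp path it hard-codes) has to be repeated in ten places. Move the sequence into a helper in utils.subr that takes the address family and forwards the remaining arguments to pft_setkey, so each body becomes a single call such as `pft_tunnel_check 4 rijndael-cbc "12345678901234567890123456789012" hmac-sha2-256 "12345678901234567890123456789012"`. The addresses below are the ones these scripts already use; the helper keeps the existing /tmp paths so it is a pure refactor.
```shell
# Run the common tunnel scenario for one address family.
# $1: 4 or 6; remaining arguments are passed unchanged to pft_setkey.
pft_tunnel_check()
{
	af=$1
	shift
	if [ "${af}" -eq 4 ]; then
		ping_cmd=ping; gw_b=198.51.100.7; host_b=203.0.113.1
	else
		ping_cmd=ping6; gw_b=2001:db8:34::2; host_b=2001:db8:45::1
	fi
	pft_init
	pft_labsetup
	pft_v${af}_setup
	# Sanity check, can IPSec gateway A reach IPSec gateway B?
	atf_check -s exit:0 -o ignore jexec ipsecA ${ping_cmd} -c 1 ${gw_b}
	# Check correct loading of ipsec configuration file
	pft_setkey ipsecA ${af} out "$@"
	atf_check -s exit:0 -o ignore jexec ipsecA setkey -f /tmp/ipsec.ipsecA.conf
	pft_setkey ipsecB ${af} in "$@"
	atf_check -s exit:0 -o ignore jexec ipsecB setkey -f /tmp/ipsec.ipsecB.conf
	# Check ipsec tunnel
	atf_check -s exit:0 -o ignore jexec hostA ${ping_cmd} -c 1 ${host_b}
}
```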
@@ -0,0 +1,71 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+ atf_set descr 'IPSec inet4 tunnel using aes-gcm-128'
+ atf_set require.user root
+}
+
+v4_body()
+{
+ pft_init
+ pft_labsetup
+ pft_v4_setup
+
+ # Sanity check, can IPSec gateway A reach IPSec gateway B?
+ atf_check -s exit:0 -o ignore jexec ipsecA ping -c 1 198.51.100.7
+
+ # Check correct loading of ipsec configuration file
+ pft_setkey ipsecA 4 out aes-gcm-16 "12345678901234567890"
+ atf_check -s exit:0 -o ignore jexec ipsecA setkey -f /tmp/ipsec.ipsecA.conf
+ pft_setkey ipsecB 4 in aes-gcm-16 "12345678901234567890"
+ atf_check -s exit:0 -o ignore jexec ipsecB setkey -f /tmp/ipsec.ipsecB.conf
+
+ # Check ipsec tunnel
+ atf_check -s exit:0 -o ignore jexec hostA ping -c 1 203.0.113.1
+}
+
+v4_cleanup()
+{
+ pft_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+ atf_set descr 'IPSec inet6 tunnel using aes-gcm-128'
+ atf_set require.user root
+}
+
+v6_body()
+{
+ pft_init
+ pft_labsetup
+ pft_v6_setup
+
+ # Sanity check, can IPSec gateway A reach IPSec gateway B?
+ atf_check -s exit:0 -o ignore jexec ipsecA ping6 -c 1 2001:db8:34::2
+
+ # Check correct loading of ipsec configuration file
+ pft_setkey ipsecA 6 out aes-gcm-16 "12345678901234567890"
+ atf_check -s exit:0 -o ignore jexec ipsecA setkey -f /tmp/ipsec.ipsecA.conf
+ pft_setkey ipsecB 6 in aes-gcm-16 "12345678901234567890"
+ atf_check -s exit:0 -o ignore jexec ipsecB setkey -f /tmp/ipsec.ipsecB.conf
+
+ # Check ipsec tunnel
+ atf_check -s exit:0 -o ignore jexec hostA ping6 -c 1 2001:db8:45::1
+}
+
+v6_cleanup()
+{
+ pft_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "v4"
+ atf_add_test_case "v6"
+}
Index: tests/sys/netipsec/tunnel/aes_gcm_256.sh
===================================================================
--- tests/sys/netipsec/tunnel/aes_gcm_256.sh
+++ tests/sys/netipsec/tunnel/aes_gcm_256.sh
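Review bot: The key on `pft_setkey ipsecA 4 out aes-gcm-16 "12345678901234567890"` is 20 bytes, not the 16 a reader expects for a test named aes-gcm-128, and nothing says why; for setkey's `aes-gcm-16` the key material is the AES key followed by the 4-byte salt used to build the nonce (RFC 4106), so 128+32 bits is the required length and trimming it to 16 bytes would make `setkey -f` reject the SA. Add a comment above the first pft_setkey call in each body, `# aes-gcm-16 key = 16-byte AES-128 key + 4-byte nonce salt (RFC 4106), hence 20 bytes`, so the value is not "corrected" later; the same note applies to the 36-byte key in aes_gcm_256.sh. It is also worth saying in that comment that GCM is an AEAD mode, which is why no `-A` authenticator is passed and pft_setkey takes its `[ -n "$6" ]` no-auth branch here.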
@@ -0,0 +1,71 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+ atf_set descr 'IPSec inet4 tunnel using aes-gcm-256'
+ atf_set require.user root
+}
+
+v4_body()
+{
+ pft_init
+ pft_labsetup
+ pft_v4_setup
+
+ # Sanity check, can IPSec gateway A reach IPSec gateway B?
+ atf_check -s exit:0 -o ignore jexec ipsecA ping -c 1 198.51.100.7
+
+ # Check correct loading of ipsec configuration file
+ pft_setkey ipsecA 4 out aes-gcm-16 "123456789012345678901234567890123456"
+ atf_check -s exit:0 -o ignore jexec ipsecA setkey -f /tmp/ipsec.ipsecA.conf
+ pft_setkey ipsecB 4 in aes-gcm-16 "123456789012345678901234567890123456"
+ atf_check -s exit:0 -o ignore jexec ipsecB setkey -f /tmp/ipsec.ipsecB.conf
+
+ # Check ipsec tunnel
+ atf_check -s exit:0 -o ignore jexec hostA ping -c 1 203.0.113.1
+}
+
+v4_cleanup()
+{
+ pft_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+ atf_set descr 'IPSec inet6 tunnel using aes-gcm-256'
+ atf_set require.user root
+}
+
+v6_body()
+{
+ pft_init
+ pft_labsetup
+ pft_v6_setup
+
+ # Sanity check, can IPSec gateway A reach IPSec gateway B?
+ atf_check -s exit:0 -o ignore jexec ipsecA ping6 -c 1 2001:db8:34::2
+
+ # Check correct loading of ipsec configuration file
+ pft_setkey ipsecA 6 out aes-gcm-16 "123456789012345678901234567890123456"
+ atf_check -s exit:0 -o ignore jexec ipsecA setkey -f /tmp/ipsec.ipsecA.conf
+ pft_setkey ipsecB 6 in aes-gcm-16 "123456789012345678901234567890123456"
+ atf_check -s exit:0 -o ignore jexec ipsecB setkey -f /tmp/ipsec.ipsecB.conf
+
+ # Check ipsec tunnel
+ atf_check -s exit:0 -o ignore jexec hostA ping6 -c 1 2001:db8:45::1
+}
+
+v6_cleanup()
+{
+ pft_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "v4"
+ atf_add_test_case "v6"
+}
Index: tests/sys/netipsec/tunnel/empty.sh
===================================================================
--- tests/sys/netipsec/tunnel/empty.sh
+++ tests/sys/netipsec/tunnel/empty.sh
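Review bot: `pft_init` (defined in utils.subr, outside this hunk) only skips when VIMAGE is absent, so on a kernel without IPsec support the `atf_check -s exit:0 -o ignore jexec ipsecA setkey -f /tmp/ipsec.ipsecA.conf` line in v4_body fails on a PF_KEY error and the run reports an AES-GCM-256 failure for what is an environment problem. Probe for the feature and skip instead, e.g. `kldstat -q -m ipsec || kldload -n ipsec || atf_skip "This test requires IPsec support in the kernel"`; it belongs in pft_init so all five scripts benefit, but placing it before the first setkey load here works too. The exact probe depends on how IPsec is built on the target hosts (compiled in vs. ipsec.ko), so confirm it against the kernels the suite runs on.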
@@ -0,0 +1,72 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+ atf_set descr 'IPSec inet4 tunnel using NULL encryption'
+ atf_set require.user root
+}
+
+v4_body()
+{
+ pft_init
+ pft_labsetup
+ pft_v4_setup
+
+ # Sanity check, can IPSec gateway A reach IPSec gateway B?
+ atf_check -s exit:0 -o ignore jexec ipsecA ping -c 1 198.51.100.7
+
+ # Check correct loading of ipsec configuration file
+ # Can't use the name "null" for this script: It creates problem with makefile
+ pft_setkey ipsecA 4 out null ""
+ atf_check -s exit:0 -o ignore jexec ipsecA setkey -f /tmp/ipsec.ipsecA.conf
+ pft_setkey ipsecB 4 in null ""
+ atf_check -s exit:0 -o ignore jexec ipsecB setkey -f /tmp/ipsec.ipsecB.conf
+
+ # Check ipsec tunnel
+ atf_check -s exit:0 -o ignore jexec hostA ping -c 1 203.0.113.1
+}
+
+v4_cleanup()
+{
+ pft_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+ atf_set descr 'IPSec inet6 tunnel using NULL encryption'
+ atf_set require.user root
+}
+
+v6_body()
+{
+ pft_init
+ pft_labsetup
+ pft_v6_setup
+
+ # Sanity check, can IPSec gateway A reach IPSec gateway B?
+ atf_check -s exit:0 -o ignore jexec ipsecA ping6 -c 1 2001:db8:34::2
+
+ # Check correct loading of ipsec configuration file
+ pft_setkey ipsecA 6 out null ""
+ atf_check -s exit:0 -o ignore jexec ipsecA setkey -f /tmp/ipsec.ipsecA.conf
+ pft_setkey ipsecB 6 in null ""
+ atf_check -s exit:0 -o ignore jexec ipsecB setkey -f /tmp/ipsec.ipsecB.conf
+
+ # Check ipsec tunnel
+ atf_check -s exit:0 -o ignore jexec hostA ping6 -c 1 2001:db8:45::1
+}
+
+v6_cleanup()
+{
+ pft_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "v4"
+ atf_add_test_case "v6"
+}
Index: tests/sys/netipsec/tunnel/utils.subr
===================================================================
--- tests/sys/netipsec/tunnel/utils.subr
+++ tests/sys/netipsec/tunnel/utils.subr
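Review bot: `pft_setkey ipsecA 4 out null ""` installs ESP SAs with null encryption and, since no sixth argument is passed, no authenticator either (pft_setkey then emits `-E null "";` with no `-A` clause), so the tunnel under test offers neither confidentiality nor integrity; that is a legitimate way to exercise ESP framing, but the descr 'IPSec inet4 tunnel using NULL encryption' does not say so and someone may copy the SA as a template. Put it in writing above the pft_setkey calls in both bodies, `# ESP with null encryption and no authenticator: exercises ESP framing only, NOT a secure configuration`, and consider a second case pairing `null` with `hmac-sha1` so the esp-null-with-integrity variant that is actually deployable is covered. The comment `# Can't use the name "null" for this script: It creates problem with makefile` explains the filename, not the lines under it; move it next to the `$FreeBSD$` header where the name is seen.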
@@ -0,0 +1,152 @@
+# $FreeBSD$
+# Utility functions (mainly from pf tests, should be merged one day)
+##
+
+pft_init()
+{
+ if [ "$(sysctl -i -n kern.features.vimage)" != 1 ]; then
+ atf_skip "This test requires VIMAGE"
+ fi
+}
+
+pft_mkepair()
+{
+ ifname=$(ifconfig epair create)
+ echo $ifname >> created_interfaces.lst
+ echo ${ifname%a}
+}
+
+pft_mkjail()
+{
+ jailname=$1
+ shift
+
+ vnet_interfaces=
+ for ifname in $@
+ do
+ vnet_interfaces="${vnet_interfaces} vnet.interface=${ifname}"
+ done
+ jail -c name=${jailname} persist vnet ${vnet_interfaces}
+
+ echo $jailname >> created_jails.lst
+}
+
+pft_setkey()
+{
+ # $1: jail name
+ # $2: afnet (4 or 6)
+ # $3: in/out (direction)
+ # $4: encryption algo
+ # $5: encryption key
+ # $6: authentication algo
+ # $7: authentication key
+ jname=$1
+
+ # Load
+ (
+ printf "#arguments debug: $1 $2 $3 $4 $5 $6 $7\n"
+ printf "flush;\n"
+ printf "spdflush;\n"
+ if [ $2 -eq 4 ]; then
+ SRC_LAN="192.0.2.0/24"
+ DST_LAN="203.0.113.0/24"
+ SRC_GW="198.51.100.2"
+ DST_GW="198.51.100.7"
+ else
+ SRC_LAN="2001:db8:1::/64"
+ DST_LAN="2001:db8:45::/64"
+ SRC_GW="2001:db8:23::2"
+ DST_GW="2001:db8:34::2"
+ fi
+ printf "spdadd ${SRC_LAN} ${DST_LAN} any -P "
+ [ $3 = "out" ] && printf "out" || printf "in"
+ printf " ipsec esp/tunnel/${SRC_GW}-${DST_GW}/require;\n"
+ printf "spdadd ${DST_LAN} ${SRC_LAN} any -P "
+ [ $3 = "out" ] && printf "in" || printf "out"
+ printf " ipsec esp/tunnel/${DST_GW}-${SRC_GW}/require;\n"
+ printf "add ${SRC_GW} ${DST_GW} esp 0x1000 -E $4 \"$5\""
+ [ -n "$6" ] && printf " -A $6 \"$7\";\n" || printf ";\n"
+ printf "add ${DST_GW} ${SRC_GW} esp 0x1001 -E $4 \"$5\""
+ [ -n "$6" ] && printf " -A $6 \"$7\";\n" || printf ";\n"
+ ) > /tmp/ipsec.${jname}.conf
+}
+
+pft_labsetup ()
+{
+ epair_LAN_A=$(pft_mkepair)
+ ifconfig ${epair_LAN_A}a up
+ epair_PUB_A=$(pft_mkepair)
+ ifconfig ${epair_PUB_A}a up
+ epair_LAN_B=$(pft_mkepair)
+ ifconfig ${epair_LAN_B}a up
+ epair_PUB_B=$(pft_mkepair)
+ ifconfig ${epair_PUB_B}a up
+
+ pft_mkjail hostA ${epair_LAN_A}a
+ pft_mkjail ipsecA ${epair_LAN_A}b ${epair_PUB_A}a
+ pft_mkjail router ${epair_PUB_A}b ${epair_PUB_B}b
+ pft_mkjail ipsecB ${epair_LAN_B}b ${epair_PUB_B}a
+ pft_mkjail hostB ${epair_LAN_B}a
+}
+
+pft_v4_setup ()
+{
+ jexec hostA ifconfig ${epair_LAN_A}a 192.0.2.1/30 up
+ jexec ipsecA ifconfig ${epair_LAN_A}b 192.0.2.2/30 up
+ jexec ipsecA ifconfig ${epair_PUB_A}a 198.51.100.2/30 up
+ jexec router ifconfig ${epair_PUB_A}b 198.51.100.1/30 up
+ jexec router ifconfig ${epair_PUB_B}b 198.51.100.6/30 up
+ jexec ipsecB ifconfig ${epair_PUB_B}a 198.51.100.7/30 up
+ jexec ipsecB ifconfig ${epair_LAN_B}b 203.0.113.2/30 up
+ jexec hostB ifconfig ${epair_LAN_B}a 203.0.113.1/30 up
+ jexec ipsecA sysctl net.inet.ip.forwarding=1
+ jexec router sysctl net.inet.ip.forwarding=1
+ jexec ipsecB sysctl net.inet.ip.forwarding=1
+ jexec hostA route add default 192.0.2.2
+ jexec ipsecA route add default 198.51.100.1
+ jexec ipsecB route add default 198.51.100.6
+ jexec hostB route add default 203.0.113.2
+}
+
+pft_v6_setup ()
+{
+ jexec hostA ifconfig ${epair_LAN_A}a inet6 2001:db8:1::1/64 up
+ jexec ipsecA ifconfig ${epair_LAN_A}b inet6 2001:db8:1::2/64 up
+ jexec ipsecA ifconfig ${epair_PUB_A}a inet6 2001:db8:23::2/64 up
+ jexec router ifconfig ${epair_PUB_A}b inet6 2001:db8:23::3/64 up
+ jexec router ifconfig ${epair_PUB_B}b inet6 2001:db8:34::3/64 up
+ jexec ipsecB ifconfig ${epair_PUB_B}a inet6 2001:db8:34::2/64 up
+ jexec ipsecB ifconfig ${epair_LAN_B}b inet6 2001:db8:45::2/64 up
+ jexec hostB ifconfig ${epair_LAN_B}a inet6 2001:db8:45::1/64 up
+ jexec ipsecA sysctl net.inet6.ip6.forwarding=1
+ jexec router sysctl net.inet6.ip6.forwarding=1
+ jexec ipsecB sysctl net.inet6.ip6.forwarding=1
+ jexec hostA route -6 add default 2001:db8:1::2
+ jexec ipsecA route -6 add default 2001:db8:23::3
+ jexec ipsecB route -6 add default 2001:db8:34::3
+ jexec hostB route -6 add default 2001:db8:45::2
+ # Why do we need to wait before having a working inet6 forwarding?
+ # without this timer, first ping failed with this error:
+ # ping6: UDP connect: Can't assign requested address
+ sleep 2
+}
+
+pft_cleanup()
+{
+ if [ -f created_jails.lst ]; then
+ for jailname in $(cat created_jails.lst)
+ do
+ jail -r ${jailname}
+ [ -f /tmp/ipsec.${jailname}.conf ] && rm /tmp/ipsec.${jailname}.conf
+ done
+ rm created_jails.lst
+ fi
+
+ if [ -f created_interfaces.lst ]; then
+ for ifname in $(cat created_interfaces.lst)
+ do
+ ifconfig ${ifname} destroy
+ done
+ rm created_interfaces.lst
+ fi
+}
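Review bot: pft_setkey writes the SPD entries and the SA keys to the predictable path on the `) > /tmp/ipsec.${jname}.conf` line, and the test scripts then load that file as root with `setkey -f`; because /tmp is world-writable, an unprivileged local user can pre-create or symlink `/tmp/ipsec.ipsecA.conf` to make root overwrite a file of their choosing, or race the write so their own policies and keys are what gets loaded into the kernel SPD/SAD. Keep the file out of /tmp: write it into the ATF work directory where created_jails.lst already lives, using an absolute path because jexec changes directory to the jail root, e.g. `) > "$(pwd)/ipsec.${jname}.conf"`, or drop the file entirely by piping the generated configuration into `jexec ${jname} setkey -c` and letting callers test the function's exit status. The `[ -f /tmp/ipsec.${jailname}.conf ] && rm ...` line in pft_cleanup goes away with it. Separately, the `sleep 2` in pft_v6_setup is most likely waiting for IPv6 duplicate address detection to clear the tentative flag on the freshly configured addresses, which is what "Can't assign requested address" on a just-assigned source address indicates; setting `net.inet6.ip6.dad_count=0` in each jail before the ifconfig lines would remove both the delay and the open question in the comment.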