Basic pluto test (now using XFRM/NETKEY) "westnet-eastnet": 192.0.1.0/24===192.1.2.45[@west]...192.1.2.23[@east]===192.0.2.0/24 1) west 192.1.2.45 pings east-in/east-eth0/east 192.0.2.254 on eastnet 192.0.2.0/24 2) west adds an iptable rule to block plaintext from eastnet 3) west pings 192.0.2.254 again, but pong should be dropped by rule 4) west initiates connection "westnet-eastnet"; east 192.1.2.23 responds 5) confirm with ping It also tests the obsolete PF_KEY API kernel module (af_key.ko) is not loaded, by testing that /proc/net/pfkey does not exist.