The Linux FreeSWAN project (IPsec for Linux) produces rather complicated networking code. The successful application of the protocol results in all network data being encrypted. The use of dynamic keying means that it nearly impossible for an observer (even a trusted one trying to test) to know what is going on. The need for multiple systems (often as many as 6) to be properly configured creates an environment nearly impossible to test regularily.
The emergence of virtual machine technology, particularly, User Mode Linux, has provided a solution to the testing problem: create as many virtual machines as needed and control them using standard testing scaffolding technology: expect(1). This paper describes the scaffolding and the resulting testing regime which is used.
The focus is around a modified network switch emulator, "uml_netjig" which provides the ability to play and capture network packets through a single User-Mode Linux virtual machine.
A second iteration of this tool is also described, combining more complicated expect scripts, and a command mode for uml_netjig, permitting coordination of the multiple virtual machines that are needed when doing fully negotiated IPsec sessions.