diff --git a/tests/common/config.py b/tests/common/config.py
index 32b56f0..45cdfc7 100644
--- a/tests/common/config.py
+++ b/tests/common/config.py
@@ -490,18 +490,18 @@ def setup_tunnel_routes(r1con, r2con, tun_ipv6, network3):
     return r1ipnh, r1ip6nh, r2ipnh, r2ip6nh
 
 
-def esp_flags_filter_dir(dir, esp_flags):
+def esp_flags_filter_dir(direction, esp_flags):
     """Filter out esp flags inappropriate for the direction."""
-    if dir == "in":
+    if direction == "in":
         esp_flags = esp_flags.replace("dont-encap-dscp", "")
     else:
         esp_flags = esp_flags.replace("decap-dscp", "")
     return esp_flags
 
 
-def iptfs_opts_filter_dir(dir, iptfs_opts):
+def iptfs_opts_filter_dir(direction, iptfs_opts):
     """Filter out iptfs options inappropriate for the direction."""
-    if dir == "in":
+    if direction == "in":
         iptfs_opts = iptfs_opts.replace("dont-frag", "")
         iptfs_opts = re.sub(r"init-delay \d+", "", iptfs_opts)
         iptfs_opts = re.sub(r"max-queue-size \d+", "", iptfs_opts)
@@ -592,28 +592,30 @@ async def setup_policy_tun(
         #
         # SAs
         #
-        dir = "out" if r == r1 else "in"
-        eflags = esp_flags_filter_dir(dir, esp_flags)
+        direction = "out" if r == r1 else "in"
+        eflags = esp_flags_filter_dir(direction, esp_flags)
+        esp_args = "replay-window 128" if direction == "in" else ""
         repl.cmd_raises(
             (
                 f"ip xfrm state add src {r1ip} dst {r2ip} proto esp "
                 f"spi {spi_1to2} mode {mode} {sa_auth} {sa_enc} "
-                f"{eflags} reqid {reqid_1to2} dir {dir} "
+                f"{esp_args} {eflags} reqid {reqid_1to2} dir {direction} "
                 # f"reqid {reqid_1to2} "
             )
-            + iptfs_opts_filter_dir(dir, iptfs_opts)
+            + iptfs_opts_filter_dir(direction, iptfs_opts)
         )
 
-        dir = "in" if r == r1 else "out"
-        eflags = esp_flags_filter_dir(dir, esp_flags)
+        direction = "in" if r == r1 else "out"
+        eflags = esp_flags_filter_dir(direction, esp_flags)
+        esp_args = "replay-window 128" if direction == "in" else ""
         repl.cmd_raises(
             (
                 f"ip xfrm state add src {r2ip} dst {r1ip} proto esp "
                 f"spi {spi_2to1} mode {mode} {sa_auth} {sa_enc} "
-                f"{eflags} reqid {reqid_2to1} dir {dir} "
+                f"{esp_args} {eflags} reqid {reqid_2to1} dir {direction} "
                 # f"reqid {reqid_2to1} "
             )
-            + iptfs_opts_filter_dir(dir, iptfs_opts)
+            + iptfs_opts_filter_dir(direction, iptfs_opts)
         )
 
         #
@@ -831,23 +833,27 @@ async def setup_routed_tun(
             lip = r2ip
             rip = r1ip
 
-        dir = "out" if r == r1 else "in"
+        direction = "out" if r == r1 else "in"
+        eflags = esp_flags_filter_dir(direction, esp_flags)
+        esp_args = "replay-window 128" if direction == "in" else ""
         repl.cmd_raises(
             (
                 f"ip xfrm state add src {r1ip} dst {r2ip} proto esp "
                 f"spi {spi_1to2} mode {mode} {sa_auth} {sa_enc} "
-                f"{esp_flags} if_id 55 reqid {reqid_1to2} dir {dir} "
+                f"{esp_args} {eflags} if_id 55 reqid {reqid_1to2} dir {direction} "
             )
-            + iptfs_opts_filter_dir(dir, iptfs_opts)
+            + iptfs_opts_filter_dir(direction, iptfs_opts)
         )
-        dir = "in" if r == r1 else "out"
+        direction = "in" if r == r1 else "out"
+        eflags = esp_flags_filter_dir(direction, esp_flags)
+        esp_args = "replay-window 128" if direction == "in" else ""
         repl.cmd_raises(
             (
                 f"ip xfrm state add src {r2ip} dst {r1ip} proto esp "
                 f"spi {spi_2to1} mode {mode} {sa_auth} {sa_enc} "
-                f"{esp_flags} if_id 55 reqid {reqid_2to1} dir {dir} "
+                f"{esp_args} {eflags} if_id 55 reqid {reqid_2to1} dir {direction} "
             )
-            + iptfs_opts_filter_dir(dir, iptfs_opts)
+            + iptfs_opts_filter_dir(direction, iptfs_opts)
         )
 
         # repl.cmd_raises(f"ip add vti0 local {lip} remote {rip} mode vti key 55")
diff --git a/tests/flood/test_flood.py b/tests/flood/test_flood.py
index 87d7e27..56608f9 100644
--- a/tests/flood/test_flood.py
+++ b/tests/flood/test_flood.py
@@ -45,65 +45,63 @@ async def network_up(unet):
 #   +----+ .1        .2 +----+ .2        .3 +----+ .3        .4 +----+
 #          10.0.0.0/24         10.0.1.0/24         10.0.2.0/24
 
+PING_COUNT = 5
+INIT_DELAY = 100000
+
 
 async def test_net_up(unet, astepf):
     await astepf("Before test network up")
     await _test_net_up(unet, ipv6=True)
 
 
-async def do_ping(h1, astepf):
-    count = 3000
-
-    await astepf("first IPv6 ping")
-    logging.debug(h1.cmd_raises("ping -c1 fc00:0:0:2::4"))
-    await astepf(f"flood {count} IPv6 ping")
-    logging.debug(h1.cmd_raises(f"ping -f -c{count} fc00:0:0:2::4"))
+async def do_ping(host, dest4, dest6, astepf):
+    count = PING_COUNT
 
-    await astepf("first IPv4 ping")
-    logging.debug(h1.cmd_raises("ping -c1 10.0.2.4"))
     await astepf(f"flood {count} IPv4 ping")
-    logging.debug(h1.cmd_raises(f"ping -f -c{count} 10.0.2.4"))
+    logging.debug(host.cmd_raises(f"ping -q -n -s 8 -f  -c{count} {dest4}"))
 
+    await astepf(f"flood {count} IPv6 ping")
+    logging.debug(host.cmd_raises(f"ping -q -n -s 8 -f  -c{count} {dest6}"))
 
-async def test_policy_tun4_up(unet, astepf, pytestconfig):
-    h1 = unet.hosts["h1"]
 
-    opts = pytestconfig.getoption("--iptfs-opts", "dont-frag")
+@pytest.mark.parametrize("tun_ipv6", [False, True])
+async def test_policy_tun_agg(unet, astepf, tun_ipv6):
     await setup_policy_tun(
-        unet, mode="iptfs", iptfs_opts=opts, ipv6=True, tun_ipv6=False
+        unet,
+        mode="iptfs",
+        iptfs_opts=f"init-delay {INIT_DELAY}",
+        ipv6=True,
+        tun_ipv6=tun_ipv6,
     )
 
-    await do_ping(h1, astepf)
+    await do_ping(unet.hosts["r1"], "10.0.1.3", "fc00:0:0:1::3", astepf)
+    await do_ping(unet.hosts["h1"], "10.0.2.4", "fc00:0:0:2::4", astepf)
 
+    # Now validate that we have sent and received exactly 8 ESP packets
+    base = "fc00:0:0:1::" if tun_ipv6 else "10.0.1."
+    o = unet.hosts["r1"].cmd_raises(f"ip x s l src {base}2")
+    assert " oseq 0x4" in o
+    o = unet.hosts["r1"].cmd_raises(f"ip x s l src {base}3")
+    assert " seq 0x4" in o
 
-async def test_routed_tun4_up(unet, astepf, pytestconfig):
-    h1 = unet.hosts["h1"]
 
-    opts = pytestconfig.getoption("--iptfs-opts", "")
+@pytest.mark.parametrize("tun_ipv6", [False, True])
+async def test_routed_tun_agg(unet, astepf, tun_ipv6):
     await setup_routed_tun(
-        unet, mode="iptfs", iptfs_opts=opts, ipv6=True, tun_ipv6=False
+        unet,
+        mode="iptfs",
+        esp_flags="esn",
+        iptfs_opts=f"init-delay {INIT_DELAY}",
+        ipv6=True,
+        tun_ipv6=tun_ipv6,
     )
 
-    await do_ping(h1, astepf)
-
-
-async def test_policy_tun6_up(unet, astepf, pytestconfig):
-    h1 = unet.hosts["h1"]
-
-    opts = pytestconfig.getoption("--iptfs-opts", "dont-frag")
-    await setup_policy_tun(
-        unet, mode="iptfs", iptfs_opts=opts, ipv6=True, tun_ipv6=True
-    )
-
-    await do_ping(h1, astepf)
-
-
-async def test_routed_tun6_up(unet, astepf, pytestconfig):
-    h1 = unet.hosts["h1"]
-
-    opts = pytestconfig.getoption("--iptfs-opts", "")
-    await setup_routed_tun(
-        unet, mode="iptfs", iptfs_opts=opts, ipv6=True, tun_ipv6=True
-    )
+    # We don't have routes setup for local originated pings
+    await do_ping(unet.hosts["h1"], "10.0.2.4", "fc00:0:0:2::4", astepf)
 
-    await do_ping(h1, astepf)
+    # Now validate that we have sent and received exactly 8 ESP packets
+    base = "fc00:0:0:1::" if tun_ipv6 else "10.0.1."
+    o = unet.hosts["r1"].cmd_raises(f"ip x s l src {base}2")
+    assert " oseq 0x2" in o
+    o = unet.hosts["r1"].cmd_raises(f"ip x s l src {base}3")
+    assert " seq 0x2" in o